
(ubuntu) nginx: [emerg] bind() to 0.0.0.0:80 failed (13: permission denied)

I need help figuring out the root cause of this permission denied error. What permissions does nginx need? Why is it so complicated?

The socket API bind() to a port less than 1024, such as 80 as your title mentioned, needs root access.

Here is "Bind to ports less than 1024 without root access".

Another, easier way is to run nginx as root.

If you use a port bigger than 1024 with root privilege but still get this problem, that may be caused by SELinux:

Check this port, say 8024, in the semanage port list:

sudo semanage port -l | grep http_port_t

If 8024 doesn't exist in the port list, add it to the semanage port list:

sudo semanage port -a -t http_port_t -p tcp 8024

### Update in 2017.12.22

Sometimes SELinux is disabled; you need to set it to enforcing first. Check the status of SELinux with

$ sestatus

For more steps, read this wonderful article: https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
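The two causes named in this answer (a port below 1024 without root, and a port missing from http_port_t under SELinux) can be told apart with a short check. This is an added example, not part of the original answer; the function names are made up for illustration, the nginx path /usr/sbin/nginx is the one used elsewhere in the thread, and reading /proc/sys/net/ipv4/ip_unprivileged_port_start for the low-port threshold is an assumption added here.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): classify a bind() EACCES (error 13).

# port_in_list PORT "LIST": succeed if PORT is in a semanage-style list
# such as "80, 81, 443, 8008-8010" (single ports and lo-hi ranges).
port_in_list() {
    local port="$1" item lo hi
    local IFS=', '
    for item in $2; do
        lo=${item%-*}; hi=${item#*-}
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    done
    return 1
}

# http_ports: read `semanage port -l` output on stdin and print the tcp ports
# labelled exactly http_port_t (a plain grep also matches e.g. pegasus_http_port_t).
http_ports() {
    awk '$1 == "http_port_t" && $2 == "tcp" { $1 = $2 = ""; print }'
}

# diagnose PORT EUID UNPRIV_START HAS_CAP SELINUX_MODE "HTTP_PORTS"
# prints one of: privilege | selinux | ok
diagnose() {
    if [ "$1" -lt "$3" ] && [ "$2" -ne 0 ] && [ "$4" != yes ]; then
        echo privilege      # low port, not root, no CAP_NET_BIND_SERVICE
    elif [ "$5" = Enforcing ] && ! port_in_list "$1" "$6"; then
        echo selinux        # port is not labelled http_port_t
    else
        echo ok
    fi
}

# probe PORT: gather live values (run as root so semanage can list ports;
# an empty list under Enforcing is reported as "selinux").
probe() {
    local start cap=no mode=Disabled ports=
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    getcap /usr/sbin/nginx 2>/dev/null | grep -qi cap_net_bind_service && cap=yes
    if command -v getenforce >/dev/null 2>&1; then mode=$(getenforce); fi
    ports=$(semanage port -l 2>/dev/null | http_ports)
    diagnose "$1" "$(id -u)" "$start" "$cap" "$mode" "$ports"
}

if [ $# -gt 0 ]; then probe "$1"; fi
```

Run it with the port as the only argument, for example 80 or 8024; the SELinux branch assumes nginx runs in the confined httpd_t domain.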

If you see this message after running "nginx -t", you are not running with root privileges; use "sudo nginx -t".

nginx needs root access. Just use

sudo nginx

then enter your password at the next step.

The best solution would be:

1) add the user to sudoers (my user is prod)

usermod -aG sudo prod

2) inside circus (process manager) append sudo before the nginx executable; mine looks like this:

[watcher:nginx]
cmd = sudo /usr/sbin/nginx
args = -c /home/t/Projects/x_b_11/etc/nginx.conf -p /home/t/Projects/x_b_11

3) and finally add this line to the file /etc/sudoers (my user is prod). This line avoids the error (sudo: no tty present and no askpass program specified). You probably need to restart the session (reboot). Enjoy.

prod ALL = NOPASSWD: /usr/sbin/nginx

Ubuntu uses AppArmor and not SELinux. The responses pointing to SELinux may not be that relevant to the OP.

For the others that Googled this: I also encountered this issue on a SELinux-enabled CentOS 7 machine. nginx would not bind port 80 and gave me error 13: permission denied despite having already run setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/sbin/nginx to allow the service to bind the port with a non-root user.

Temporarily setting SELinux to Permissive ( sudo setenforce Permissive ) allowed nginx to start. I then ran audit2allow -a which gave me

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t ntop_port_t:tcp_socket name_connect;

Which meant the solution was to also run:

sudo setsebool -P httpd_can_network_connect on

After which you can set SELinux back to Enforcing ( sudo setenforce Enforcing ) and restart everything to verify.
