Dear maintainers, After some experiments and research, I found this undocumented hack that allow to socket-activate nginx :
https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/#nginx This makes possible to run nginx as a standard user (www-data is a good candidate in this case), but it breaks reloads (ExecReload) and pre- flight check (ExecStartPre). It can still be a good move for security reasons : you remove all privileges from nginx process, can drop all capabilities and can even jail nginx with "PrivateNetwork=true" systemd option (no access to network). In this situation, it's a good thing that /var/log/nginx/{access,error}.log are owned by www-data by default, since you don't havec to chown them before "jailing" nginx with systemd. Conclusion ? Changing owner for root for these log files may not be helpful for lots of people : - for people using default configuration, it works anyway - for people hardening nginx with systemd (dropping capabilities, running as user ...), log files owned by www-data make it easier to work with. So maybe this bug could be closed. Thanks a lot, Samuel Bizien Filippi.
