This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.
error_log works the same way as add_header where defining it again on
the same level is additive and logs to both places, meaning that there
are duplicated logs when defining a proper syslog error_log output at
the top level.
This is much more robust because nginx will fail to start after being
killed or crashing due to only removing old Unix domain sockets when it
stops cleanly. It ends up owned by root:root instead of root:http which
is fine because only the master process opens it.
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as
an ambient capability but it would be inherited by workers. It's better
to leave the supervisor process as root for the time being unless nginx
was taught to use socket activation or drop capabilities for workers.
