Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m running a a Rails 3 application with Unicorn and Nginx. Currently, Unicorns runs as root and due to this line in unicorn.rb:
user "www-data"
but I’m wondering whether I should just run all Unicorn process as www-data. Would there be any problem doing that? I’m using a file socket, so opening a port (<1024) is not an issue I’ll have. Anything else I should be aware of?
You should not be running your application as root. This gives the application root permissions which in turn means that if you make a mistake and expose the file system, an attacker can have root permissions without much effort.
I avoid running as www-data or other shared users. Instead I create a user for the specific app and give them their own unique permissions. In my case, I am running multiple applications on one server and this allows for an added layer of protection in case one app is compromised.
Here is a good read on some of the things that can go wrong: https://jhalderm.com/pub/papers/dcvoting-fc12.pdf