
#1 2009-12-01 17:42:22

nate56
Member
Registered: 2009-02-15
Posts: 8

Running daemons as corresponding users

Hi, as far as I understand, the point in running, say, Apache as user 'http' (which owns only apache's files and webapps' files) is that if somebody executes malicious code inside the server code (using a bug in it or something like that), it cannot affect system files, since user 'http' has no permissions to do so. Well, that seems pretty effective for security...

BUT I'm working with Ruby On Rails now, and decided to use nginx+Passenger for deployment of my app. Since it's the first time I set up a production-ready Linux server, I've never thought about security before. And, to my disaster, whenever I try to run nginx as my own user ('nate' of group 'users' if that matters) it requires root privileges, or at least I think so because it says that permission was denied to bind onto local IP-address (and it starts successfully as root).

The same actually applies to MySQL, it starts only as root also (despite the fact that everything it needs to work is owned by its user, 'mysql').

So the question is - is this the way it should work? Or do I miss something important about servers and users, because running potentially buggy software as root is obviously a security risk?

Thanks in advance.


#2 2009-12-01 19:41:48

pyther
Member
Registered: 2008-01-21
Posts: 1,395
Website

Re: Running daemons as corresponding users

From my understanding the processes start as root and then get dropped to user privileges.

I believe that any ports below 1024 require root privileges in order for a service to bind to them (http, postfix, imap, etc...)

Hopefully someone with a bit more knowledge can pipe in.


Website - Blog - arch-home
Arch User since March 2005


#3 2009-12-02 01:31:51

nate56
Member
Registered: 2009-02-15
Posts: 8

Re: Running daemons as corresponding users

First of all, thanks for the reply.

pyther wrote:

From my understanding the processes start as root and then get dropped to user privileges.

But they still appear in 'ps ax' output as if they are running as root..

pyther wrote:

I believe that any ports below 1024 require root privileges in order for a service to bind to them (http, postfix, imap, etc...)

MySQL uses port 3306..

So we definitely need someone with more knowledge to pipe in ;)


#4 2009-12-03 16:13:55

nate56
Member
Registered: 2009-02-15
Posts: 8

Re: Running daemons as corresponding users

pyther wrote:

I believe that any ports below 1024 require root privileges in order for a service to bind to them (http, postfix, imap, etc...)

Well, I checked that, and it seems like it's true. Maybe I've just set up something wrong with mysql.
But still, can somebody comment on this issue?
Is it even possible to run web server without root privileges?


#5 2009-12-03 20:08:39

pyther
Member
Registered: 2008-01-21
Posts: 1,395
Website

Re: Running daemons as corresponding users

dovecot   2516  0.0  0.1   3596  1464 ?        S    Nov30   0:00 managesieve-login
dovecot  15941  0.0  0.1   3596  1580 ?        S    14:55   0:00 imap-login
dovecot  15961  0.0  0.1   3596  1584 ?        S    14:56   0:00 imap-login
dovecot  15987  0.0  0.1   3596  1584 ?        S    14:58   0:00 imap-login
dovecot  28533  0.0  0.1   3596  1464 ?        S    Nov30   0:00 managesieve-login
dovecot  28586  0.0  0.1   3596  1460 ?        S    Nov30   0:00 managesieve-login
root     28527  0.0  0.0   1948   672 ?        Ss   Nov30   0:03 /usr/sbin/dovecot
vmailer  28529  0.0  0.2   9072  2144 ?        S    Nov30   0:01 dovecot-auth
vmailer  28530  0.0  0.2   8940  2368 ?        S    Nov30   0:00 dovecot-auth -w
mysql     1538  0.0  1.7 116724 18176 ?        Sl   Nov22   5:59 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/mongo.err --pid-file=/var/lib/mysql/mongo.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root      1440  0.0  0.0   2852   892 ?        S    Nov22   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql

As you can see there is one root process which spawned a child process. You can read about mysqld_safe which root runs. From what I understand the root process will read the config (/etc/mysql/my.cnf [owned by root]) and then pass everything on to the mysqld process which is owned by mysql. Also when a daemon gets started (in rc.conf) it is being started as root. So for instance I have ddclient running as root, as I started the daemon at boot and the program doesn't support the ability to drop permissions to other users.

Last edited by pyther (2009-12-03 20:10:06)



#6 2009-12-03 22:25:44

hexanol
Member
From: Canaduh
Registered: 2009-08-04
Posts: 95

Re: Running daemons as corresponding users

What about using "sudo" to start a process as a less privileged user ?


#7 2009-12-04 00:11:31

pyther
Member
Registered: 2008-01-21
Posts: 1,395
Website

Re: Running daemons as corresponding users

Well you could do

su -c 'echo hi' pyther

you really wouldn't use sudo for this...



#8 2009-12-04 05:32:10

nate56
Member
Registered: 2009-02-15
Posts: 8

Re: Running daemons as corresponding users

hexanol wrote:

What about using "sudo" to start a process as a less privileged user ?

As far as I know sudo starts programs as root.
So I suppose the answer to this problem - it depends on application implementation, isn't it? For example, some server that listens on port lower than 1024 must be started as root to bind on it, but it may drop permissions to other user if it supports it.
If it's correct, then the problem is solved :)

Last edited by nate56 (2009-12-04 05:32:49)


#9 2009-12-04 22:54:29

hexanol
Member
From: Canaduh
Registered: 2009-08-04
Posts: 95

Re: Running daemons as corresponding users

sudo executes a command as another user. You can specify which user with the '-u' option. So, let's say, if you want to start ddclient (which doesn't bind to any reserved ports since it doesn't even listen for incoming connections if I remember correctly) as user "ddclient" (which let's say has only write access to /var/cache/ddclient), then, instead of just having a command "ddclient some_options" you have "sudo -u ddclient ddclient some_options". And that should make your new ddclient process run as user ddclient instead of your current user.

I did not test it (and I don't have ddclient installed on my current computer), but I guess that could work, would it ?


#10 2009-12-05 11:17:16

nate56
Member
Registered: 2009-02-15
Posts: 8

Re: Running daemons as corresponding users

Yeah, that should work I think.
"sudo -u user command" is actually a synonym for "su -c "command" user", where user is root by default. The only difference is that for sudo you must specify password of current user (from which you are executing it), where for su you specify password of user that you want to execute command as. ;)