
How can I avoid Phusion Passenger running as root?

I updated to Passenger 5.1.11 today and had cause to look at my Apache error logs.

In /var/log/apache2/error.log I found this entry (many times over):

WARNING: potential privilege escalation vulnerability. Passenger is running as root, and part(s) of the passenger root path (/home/jack/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/passenger-5.1.11) can be changed by non-root user(s): The path "/home/jack/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/passenger-5.1.11" can be modified by user "jack" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.

I'm running Debian 7 and installed Passenger as a gem. I didn't run any install commands using sudo.

How can I avoid Passenger running as root? I've spent the last couple of hours Googling this, but have come up empty-handed.

Apache starts as root, thus when the Passenger module is loaded it starts as root. In a situation where you are integrating with Nginx or Apache, you are going to find it's much easier to restrict the permissions on the gem dir than it is to run the webserver as a non-root user.

To expand on the accepted answer:

In a situation where you are integrating with Nginx or Apache, you are going to find it's much easier to restrict the permissions on the gem dir than it is to run the webserver as a non-root user.

From https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html

The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them.

Meaning that if you want to run a web server (typically on port 80 or 443), you should run it as root.
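To see which parts of the passenger root path would need their ownership or permissions restricted, the following added example (not from the original posts, and not Passenger's own check) walks from a path up to / and lists each component a non-root user could modify. The function name audit_path and the rule it applies (owner is not the trusted uid, or the group/other write bit is set) are assumptions for illustration; it assumes GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example: assumes GNU coreutils (stat -c, readlink -f), as on Debian.
# audit_path PATH [TRUSTED_UID]
# Walks from PATH up to / and prints every component that a user other than
# TRUSTED_UID (default 0, root) could modify. Returns 1 if anything was
# flagged, 2 if the path cannot be resolved or stat'ed.
audit_path() {
    path=$(readlink -f -- "$1") || return 2
    trusted=${2:-0}
    rc=0
    while :; do
        info=$(stat -c '%u %a' -- "$path") || return 2
        uid=${info% *}
        mode=${info#* }
        if [ "$uid" != "$trusted" ]; then
            echo "$path: owned by uid $uid, expected $trusted"
            rc=1
        fi
        # 022 = group-write and other-write bits (mode is octal).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$path: mode $mode is group- or world-writable"
            rc=1
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Run as a script with the path from the warning as the first argument.
if [ "$#" -gt 0 ]; then
    audit_path "$@"
fi
```

Each printed line is one component to fix; no output and exit status 0 means nothing was flagged under this rule.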
