Phusion Passenger can't run as root - WARNING: potential privilege escalation vulnerability

Question

Hi I'm trying to deploy my rails app to VPS via passenger and apache2 but im getting error

   [ W 2018-02-14 21:02:37.0342 9640/T1 age/Cor/CoreMain.cpp:969 ]: WARNING: potential privilege escalation vulnerability. Phusion Passenger is running as root, and part(s) of the passenger root path (/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0) can be changed by non-root user(s):
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0" is writeable by any user (or application). Limit write access on the path to only the root user/group.
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy/.rvm" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
    The path "/home/deploy" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.

I try to change privileges but it didnt work with

sudo chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0

and

sudo chown root:root /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0

i even find issue with the same problem but i dont know how to fix it ... How can I avoid Phusion Passenger running as root?

Answer 1

Passenger author here. Another thing you can do is to install your RVM Ruby as well as Passenger with root, instead of as user "deploy". That way your Ruby installation and Passenger installation are owned by root and you won't see this warning.

Or even better: use our native Debian/Ubuntu/CentOS packages.

Answer 2

I also wanted to offer some insight. @ Hongli's answer isn't all of it. @ Taryn East is correct. Even if you chown every dir you also need to chmod every dir in order for Passenger to work correctly.

In your example you need to:

chmod 700 /home/deploy/.rvm
chmod 700 /home/deploy/.rvm/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0