What is the best practice for launching a web server as a restricted user?

Question

In order to practice my Linux hardening skills, I am trying to launch a web server following certain security principles. My main goal would be to run the server using a dedicated user with very limited privileges. I thought this might be a good use case for creating a server user with the /usr/sbin/nologin shell.

But how would I then be supposed to launch the server? When trying to launch a simple command using su, I am getting an error, even when using -s to specify a valid shell:

I guess this is the expected behaviour for a user with nologin shell, but how could that user then launch a server? Should there be some sudo rules for instance?

For information, my server is a simple Flask server that launches using a simple wrapper sh script.

Answer 1

I installed the web servers nginx and apache2 on SUSE, Ubuntu and Debian. Never were they running as root or so, always as www-data or wwwrun. I describe the setup step-by-step at https://try-linux.blogspot.com/2020/10/a-new-look-for-linuxintroorg.html but as said, it will rather be hard to do it wrong. Some hints from my command line, the worker is running as www-data:

# ps -ef|grep nginx
root      1923     1  0 Nov13 ?        00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data  1924  1923  0 Nov13 ?        00:09:29 nginx: worker process
www-data  1925  1923  0 Nov13 ?        00:00:02 nginx: worker process
root     22679 22074  0 12:32 pts/0    00:00:00 grep nginx
# cat /etc/passwd|grep www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin