Is there a security risk in running a web server like Unicorn as root?
The Nginx master process runs as root, the Nginx worker runs as the limited www-data user, but I can't set another user like www-data to run the Unicorn master/workers without messing around with www-data's PATH.
it is absolutely a security risk. It means that if someone were to exploit unicorn into doing something it shouldn't be doing, they get to have root permissions on your box instead of the extremely limited www-data permissions. You should be able to just modify the PATH in the scripts which start unicorn. In any case, modifying a PATH is certainly not as bad as your suggested alternative of running as root.
