What are the benefits of running a app server in user space, like Unicorn, as opposed to as sudo?

Question

I've been using Phusion Passenger + Rails/Sinatra for a lot of projects. Passenger runs under the main Nginx or Apache process.

But I'm interested in Unicorn, partly because it runs in user space. You just set up Nginx to proxy_pass requests to a unix socket that is connected to Unicorn processes that you fire up under a normal user account.

Is there anything to be said as far as advantages and disadvantages of these two alternative approaches to running an web app? I mean in terms of ease of administration, stability, simplicity, etc.

Answer 1

I say root here when you say sudo - sudo elevates a user to root privileges, but essentially its the same.

Well, low numbered ports are only available to root users, so in many cases running an application as a regular user may need some firewall changes.

With userspace you have the option of better compartmentalisation (at the minimum per application/stack users so you can set up everything in one place and move it between systems easily), or even chroot. In general avoiding running things as root is good (many applications drop down to 'nobody' upon starting to avoid running as root) since if a process running as root is compromised, you may have an attacker get root privileges.

Running as a regular user is generally better for security, IMO but really depends on your application.

Answer 2

Well, Phusion/Nginx/Unicorn all run on user space and kernel space, I think you wanted to say running it as unprivileged user versus privileged/root user. There are some advantages on that:

1. More security, if your app does something stupid it can't access critical parts of the server
2. Portability, the app is compartmentalized on a single space.
3. If you use rails you probably use capistrano for the deploy, that means that you can start the unicorn process directly from the deploy process without needing a sudo

Aside from that, I suggest you to use Unicorn's socket option with Nginx, that simplifies a little the deployment process, and read the document about deploying without needing to fully restart the app server

Answer 3

As coredump said, what you meant is running as a privileged user vs as a regular user. But Phusion Passenger most definitely does not run as a privileged user.

• All application processes spawned by Phusion Passenger are run as regular users. More specifically, as the user that owns config/environment.rb or config.ru, not as the Apache/Nginx user. This is part of the "User Switching" feature, which Phusion Passenger has had since version 1.0.
• With Unicorn, you have to manually start processes as the desired user. Phusion Passenger automatically takes care of this for you.
• Phusion Passenger absolutely refuses to run any application processes as root. You cannot override this behavior. Phusion Passenger takes security very seriously so it has added this security precaution.
• Apache/Nginx do not run as privileged users. On most systems they are configured to run under the www-data account.
• There are some Phusion Passenger helper processes which run as root so that they can spawn processes as other users, but you can disable this by turning user switching off, in which case all Phusion Passenger processes (including app processes) run a user account that you specify.

Phusion Passenger is simpler to administer and to install than Unicorn because it automates more things for you. Phusion Passenger is very stable because of its watchdog architecture. It watches over its internal helper processes and restarts them if any of them fail. Phusion Passenger is used by over 150,000 websites including large brand names such as Pixar, the New York Times, AirBnB, Oakley and Symantec. The upcoming Phusion Passenger 4 will add a bunch more stability- and reliability-related features.