I want to have a flexible setup (will need to run Redis, Celery, and uWSGI), but I'm wondering whether or not it's a bad idea to run Supervisor as root (the default), and if so, why it is bad.
Asked
Active
Viewed 1,470 times
0
orokusaki
- 2,763
- 4
- 32
- 43
1 Answers
2
Supervisor is happy to run as root and change the user of the processes you run for you. However, supervisor may open network ports for HTTP and XML-RPC connections if you configure it to do so. Having those open makes supervisor theoretically more vulnerable to running as root than e.g. daemontools.
When deploying services (e.g. for a specific project, let's call it 'fancysite') I create a user corresponding to that service ('fancysite') which in turn runs supervisor and also all the specific daemons that make up 'fancysite' but aren't run with the regular init scripts from the system. E.g. I usually run nginx, PostgreSQL and others on system level with whatever the distribution provides and then install things that aren't supported by the distribution into the 'fancysite' user and start and manage them through supervisor.
Theuni
- 958
- 5
- 15
-
Thanks Theuni - I'm confused about the last part of your sentence `... for a service combining all of its daemons.`. Would you mind explaining what you mean? My prior assumption is that I should run Supervisor as `www-data`. – orokusaki Dec 06 '12 at 21:23
-
I hope my last edit cleared it up. :) – Theuni Dec 06 '12 at 21:58