So I'm trying to run Supervisor (http://supervisord.org/) as a non-root user. However the process outputs logs to the `/var/log` directory which is owned by root and has 755 permissions. Therefore starting the process as a non-root user throws a permission denied error. What is a best practice for solving this issue? One idea I have is to recursively change the group of the `/var` directory to that of the user which is starting the supervisor process, and giving the `/var` directory 775 permissions. Is this acceptable from a security standpoint?
0

Justin Meltzer
3 Answers
4
Try creating the log files and using `chown` to change the ownership to the appropriate user. If possible change the log location to a subdirectory owned by the appropriate user.

I use `logrotate` to rotate logs periodically. It can handle permissions when rotating logs.

BillThor
- So you will typically move the logs to a subdirectory of that user's home? – Justin Meltzer May 25 '13 at 03:03
- I would move the logs to a subdirectory of `/var/log`. In this case `/var/log/supervisord`. – BillThor May 25 '13 at 03:12
- But doesn't that user need permissions to access `/var/log` then? – Justin Meltzer May 25 '13 at 03:30
- No, the user just needs `write` access to `/var/log/supervisord`. – BillThor May 25 '13 at 03:34
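
The layout this answer and its comments arrive at (a dedicated `/var/log/supervisord` that the service account can write, with `/var/log` itself left alone) can be checked with a small script. This is an added example, not code from the thread; the account name `supervisor` and GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example. "supervisor" and /var/log/supervisord are assumed names.
# Evaluates classic mode bits only; POSIX ACLs (setfacl) are not inspected.

# can_write USER "USER_GROUPS" OWNER GROUP MODE
# Returns 0 if the octal MODE lets USER write, using the kernel's rule that
# exactly one permission class applies: owner, else group, else other.
can_write() {
    cw_user=$1 cw_groups=$2 cw_owner=$3 cw_group=$4
    cw_perm=$(( 0$5 ))                      # leading 0 makes the value octal
    [ "$cw_user" = root ] && return 0       # root is not limited by mode bits
    if [ "$cw_user" = "$cw_owner" ]; then
        cw_bit=$(( cw_perm & 0200 ))
    else
        case " $cw_groups " in
            *" $cw_group "*) cw_bit=$(( cw_perm & 0020 )) ;;
            *)               cw_bit=$(( cw_perm & 0002 )) ;;
        esac
    fi
    [ "$cw_bit" -ne 0 ]
}

# audit_log_dir DIR USER
# Passes only if USER can write DIR, DIR is not world-writable, and USER
# cannot write DIR's parent (e.g. /var/log stays root-only). GNU stat assumed.
audit_log_dir() {
    a_dir=$1 a_user=$2
    if [ ! -d "$a_dir" ] || [ -L "$a_dir" ]; then
        echo "FAIL: $a_dir is not a real directory"; return 1
    fi
    a_groups=$(id -Gn "$a_user") || return 1
    set -- $(stat -c '%U %G %a' "$a_dir")
    can_write "$a_user" "$a_groups" "$1" "$2" "$3" ||
        { echo "FAIL: $a_user cannot write $a_dir"; return 1; }
    [ $(( 0$3 & 0002 )) -eq 0 ] ||
        { echo "FAIL: $a_dir is world-writable"; return 1; }
    set -- $(stat -c '%U %G %a' "$(dirname "$a_dir")")
    if can_write "$a_user" "$a_groups" "$1" "$2" "$3"; then
        echo "FAIL: $a_user can also write the parent directory"; return 1
    fi
    echo "OK: $a_user writes only inside $a_dir"
}

# Usage: sh audit.sh /var/log/supervisord supervisor
if [ "$#" -eq 2 ]; then audit_log_dir "$1" "$2"; fi
```

With the question's proposed 775 and group change applied to the parent, `can_write` reports the service account as able to write it, and the audit fails on that parent check.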
2
Use the `user=` directive in `supervisord.conf`, so that supervisord starts as root, does any necessary opening of files, and then drops privileges.

Michael Hampton
- but if I have `user=root` in the config file, doesn't the user remain as `root`? – Justin Meltzer May 25 '13 at 00:43
- Why would you do that?! Aren't you trying to run it as a different user? – Michael Hampton May 25 '13 at 00:44
- I'm confused haha. Yes I do want to run it as a different user. Right now I have `user=[non-root user]` already and that is what's causing the problem – Justin Meltzer May 25 '13 at 00:45
- You forgot to mention that in your question. At this point you should probably contact the developers. – Michael Hampton May 25 '13 at 00:46
- Why? Isn't that expected behavior if the process is run as a non-root user? How is it supposed to work? – Justin Meltzer May 25 '13 at 00:48
0
If you haven't already, you could create a user specifically to run supervisord, and use an ACL to give that user write privileges in `/var/log`.

```
setfacl -m u:$USER:rwx /var/log
```

You can also do things like make your supervisord user a member of sys. (I think, I don't have a Linux box nearby to verify that the `/var/log` group has write privileges.)

dafydd