5

I installed shiny server in a virtual machine (ubuntu server 14.04.4 in VirtualBox)

shiny-server --version

Shiny Server v1.4.2.786
Node.js v0.10.40

All in all the server runs nicely and starts apps as intended.

The only thing I'm missing and failing to achieve is that shiny server is running as an unprivileged user. I even completely set up a new VM and shiny server to make sure no trial config changes still take effect.

I changed my config to not contain any folders one needs root permissions for:

$ cat /etc/shiny-server/shiny-server.conf
# Instruct Shiny Server to run applications as the user "shiny"
run_as shiny;

# Define a server that listens on port 3838
server {
  listen 3838;

  # Define a location at the base URL
  location / {

    # Host the directory of Shiny Apps stored in this directory
    # site_dir /srv/shiny-server;
    site_dir /home/shiny/shiny_sitedir/apps; 

    # Log all Shiny output to files in this directory
    # log_dir /var/log/shiny-server;
    log_dir /home/shiny/shiny_sitedir/logs;

    # When a user visits the base URL rather than a particular application,
    # an index of the applications available in this directory will be shown.
    directory_index on;
  }
}


# privileges of shiny user
uid=1000(shiny) gid=1000(shiny) groups=1000(shiny),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)

# owner of /etc/shiny-server
-rw-r--r--  1 root root shiny-server.conf

# trying to start shiny server as user shiny without sudo
$ start shiny-server 
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.6" (uid=1000 pid=1134 comm="start shiny-server ") interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init ")

The server log tells me the same I see from the htop output that shiny server runs as root. (A side note: shiny server still uses /var/log/shiny-server.log instead of /home/shiny/shiny_sitedir/logs, which annoys me as well)

[...] [INFO] shiny-server - Shiny Server v1.4.2.786 (Node.js v0.10.40)
[...] [INFO] shiny-server - Using pidfile /var/run/shiny-server.pid
[...] [INFO] shiny-server - Using config file "/etc/shiny-server/shiny-server.conf"
[...] [WARN] shiny-server - Running as root unnecessarily is a security risk! You could be running more securely as non-root.
[...] [INFO] shiny-server - Starting listener on 0.0.0.0:3838

The shiny server documentation http://docs.rstudio.com/shiny-server/#running-shiny-server-with-root-privileges ships out a list of requirements to be fulfilled for non-root usage. Actually it defines states in which the shiny server needs to run as root:

  1. If user_apps or user_dirs is enabled for any location. In order to host applications as various users, Shiny Server must have root privileges.
    • check. My shiny-server.conf neither uses user_apps nor user_dirs
  2. If your configuration uses run_as to spawn applications as multiple different users.
    • check. run_as defines shiny as the only user
  3. If you're running any server on a privileged port (a port in the range of 1-1024).
    • check. shiny server listens on port 3838

Although I think the installation fulfils the requirements shiny server still runs as root.

  • How do I force shiny server to run as shiny user or even an user not part of the sudoers group?
  • Does the shiny-server.conf need to locate anywhere else?
  • How would I make shiny-server aware of this new location then?
  • Do I need to change anything in /opt/shiny-server/config/ or any permissions on /etc/shiny-server/?

Edit after a comment by @warmoverflow I moved /etc/init/shiny-server.conf to ~/.init. Now, shiny server does not start automatically at boot up. But neither does start shiny-server succeed, because upstart is not aware of the ~/.init folder. From some forum posts it seems that dbus needs start, which it usually does by starting a graphical environment. As I'm running Ubuntu server this doesn't happen. Creating the two files mentioned in the upstart manual http://upstart.ubuntu.com/cookbook/#session-init doesn't help either, because the jobs fail to start.

Does anybody have a hint how to proceed or where I could find some information?

sargas
  • 538
  • 1
  • 5
  • 12
  • The issue here is that the `start` command has to be run as root, even though the actual service it launched is run as a non-root user. There is a way you can run `start` without root, but you need to modify your `upstart` configuration file, if you are comfortable doing that. See http://blog.arkency.com/2014/07/ruby-background-processes-with-upstart-user-jobs/ – Xiongbing Jin Mar 24 '16 at 20:41
  • @warmoverflow: Thanks for the hint. I think i proceeded one step, but now I am stuck again - I added an edit to document what i did. – sargas Mar 29 '16 at 11:25

3 Answers3

4

If your only goal is to ensure that shiny-server is running as non-root, and you are okay with start shiny-server using sudo (even if it's started with sudo, it can be running as a non-root user).

Edit /etc/init/shiny-server.conf, and

  1. Add the following two lines at the beginning

    setuid shiny
setgid shiny

  2. Change the 3rd last line to 

    exec shiny-server --pidfile=/home/shiny/shiny-server.pid >> /home/shiny/shiny-server.log 2>&1

Note that Shiny has two default log file locations.

  1. /var/log/shiny-server.log contains the logs for the server itself, and is defined in /etc/init/shiny-server.conf

  2. /var/log/shiny-server/ is the folder that contains log files for your applications, and is defined in /etc/shiny-server/shiny-server.conf.

Once you made the changes above and also changed the run_as user, start shiny-server again with sudo start shiny-server, and you'll notice that shiny-server is in fact running as the non-root user, and the warning in the log file will be gone too.

Xiongbing Jin
  • 11,779
  • 3
  • 47
  • 41
  • I was already very close, but yet so far away. The second point is crucial! My `/etc/init/shiny-server.conf` had almost everything, lacking the second hint, which makes the shiny-server not starting. Thanks a lot! – sargas Mar 30 '16 at 16:54
  • 1
    Just to be clear, it's important to add this to /etc/init/shiny-server.conf, not the similarly named /etc/shiny-server/shiny-server.conf :) The answer here states this correctly, it was just a small confusion for me – Colin D Jul 17 '17 at 20:22
  • Revisiting again to say that the "step 2" of changing to /home/shiny/shiny-server.pid is actually important. Otherwise shiny will fail to startup especially noticeable after reboots (I was using `sudo service shiny-server restart` repeatedly but on reboot it wouldn't startup. Only after changing the pidfile location would shiny-server startup on reboot) – Colin D Jul 21 '17 at 17:45
4

I'm running Shiny Server v1.4.4.801 (Node.js v0.10.46). On this version shiny initialization is done via systemd.

To run shiny as a non-root one have to edit /etc/systemd/system/shiny-server.service file. Add setuid shiny and setgid shiny commands to ExecStart like this:

ExecStart=/bin/bash -c 'setuid shiny; setgid shiny; /opt/shiny-server/bin/shiny-server --pidfile=/var/run/shiny-server.pid >> /var/log/shiny-server.log 2>&1'

Now, one can start shiny server by typing systemctl start shiny-server.service.

Type systemctl enable shiny-server.service to autostart shiny-server on reboot.

Sergey
  • 1,166
  • 14
  • 27
3

Here's another way to do this with systemd, if you're willing to run shiny server on a higher port number (> 5000).

Run systemctl edit shiny-server.service and add:

[Service]
User=shiny
Group=shiny
UMask=027

Then systemctl stop shiny-server.service and edit /etc/shiny-server/shiny-server.conf and change it to listen 8383;.

If you haven't already, do:

chown -R shiny:shiny /var/log/shiny-server* /etc/shiny-server
chmod -R u+rwX,g+rX,o-rwx /var/log/shiny-server* /etc/shiny-server

Start the service and it should be running as the service account user/group.

Mike Gleason
  • 3,439
  • 1
  • 14
  • 7