Score:0

What is the best practice for launching a web server as a restricted user?


In order to practice my Linux hardening skills, I am trying to launch a web server following certain security principles. My main goal would be to run the server using a dedicated user with very limited privileges. I thought this might be a good use case for creating a server user with the /usr/sbin/nologin shell.

But how would I then be supposed to launch the server? When trying to launch a simple command using su, I am getting an error, even when using -s to specify a valid shell:

[screenshot of the su error, not reproduced]

I guess this is the expected behaviour for a user with nologin shell, but how could that user then launch a server? Should there be some sudo rules for instance?

For information, my server is a simple Flask server that launches using a simple wrapper sh script.

If it needs to listen on ports < 1024 it needs to initially run as root. Apache and Nginx do this then essentially change the user they run as to a non-root user.
Score:0

I installed the web servers nginx and apache2 on SUSE, Ubuntu and Debian. Never were they running as root or so, always as www-data or wwwrun. I describe the setup step-by-step at https://try-linux.blogspot.com/2020/10/a-new-look-for-linuxintroorg.html but as said, it will rather be hard to do it wrong. Some hints from my command line, the worker is running as www-data:

# ps -ef|grep nginx
root      1923     1  0 Nov13 ?        00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data  1924  1923  0 Nov13 ?        00:09:29 nginx: worker process
www-data  1925  1923  0 Nov13 ?        00:00:02 nginx: worker process
root     22679 22074  0 12:32 pts/0    00:00:00 grep nginx
# cat /etc/passwd|grep www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
paupaulaz
Thanks a lot! I wanted to check how to do this "by hand" with Flask only, but it seems kinda tricky... I eventually chose to learn docker-compose and now am a proud owner of a server running nginx and flask in separate containers, with only nginx accessible from the outside and forwarding traffic to flask :)
Thorsten Staerk
cool, your answer gives the cloud-spin to it, love it :)
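The "start as root, then become the nologin service account" pattern the answers describe, done by hand for a small Python server, as an added example that is not code from this thread: it assumes port 80 and the www-data uid/gid 33 from the /etc/passwd line quoted above, and the script itself must be started as root for the bind and the identity change to succeed.

```python
import os
import socket
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Constructed sample: the /etc/passwd entry quoted in the answer above.
# On a real host you would look the account up with pwd.getpwnam("www-data").
SAMPLE_PASSWD_LINE = "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin"
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def parse_passwd_line(line):
    """Return (name, uid, gid, shell) from one /etc/passwd line."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry: %r" % line)
    return fields[0], int(fields[2]), int(fields[3]), fields[6]

def is_nologin_account(shell):
    """A nologin shell blocks su/login sessions, not a process already running as that uid."""
    return shell in NOLOGIN_SHELLS

def bind_privileged_port(port=80, host="0.0.0.0"):
    """Bind while still root; the open socket survives the identity change below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock

def drop_privileges(uid, gid):
    """Permanently become uid/gid. Order matters: groups and gid first, uid last."""
    if os.geteuid() != 0:
        raise RuntimeError("must be started as root to change identity")
    os.setgroups([])      # shed root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)        # as root this sets real, effective and saved uid together
    try:
        os.setuid(0)      # must now fail; if it succeeds the drop was not permanent
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was reversible; refusing to serve")

if __name__ == "__main__":
    name, uid, gid, shell = parse_passwd_line(SAMPLE_PASSWD_LINE)
    listener = bind_privileged_port(80)          # done as root
    drop_privileges(uid, gid)                    # everything after this runs as www-data
    httpd = HTTPServer(("0.0.0.0", 80), SimpleHTTPRequestHandler, bind_and_activate=False)
    httpd.socket = listener                      # reuse the socket bound while root
    httpd.serve_forever()
```

A systemd unit with User=www-data plus AmbientCapabilities=CAP_NET_BIND_SERVICE achieves the same split without the script ever running as root.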