Open r2evans opened 9 years ago
Hi, if you read the comment above the run_as option it states that the option is used when running apps. This option is not used in order to launch the server for the server. I think that the name of the option can be a bit misleading (without reading the comment). What the log line complaining about the server being run as root means is that the configuration you are using can be safely run without root privileges.
In order to launch the service as a shiny user you need to change the /etc/init/shiny-server.conf configuration in this way:
# shiny-server.conf
env LANG='en_US.UTF-8'
description "Shiny application server"
setuid shiny # <---
setgid shiny # <---
start on runlevel [2345]
stop on runlevel [016]
limit nofile 1000000 1000000
post-stop exec sleep 3
post-start script
    i=0
    while [ $i -lt 5 ]
    do
        pgrep "shiny-server" || exit 1
        sleep 1
        i=$((i+1))
    done
end script
# Here you need to change the default pidfile and log file location to a place where the shiny user can write
exec shiny-server --pidfile=/var/run/shiny-server/shiny-server.pid >> /var/log/shiny-server/shiny-server.log 2>&1
respawn limit 3 30
respawn
if you are using upstart > 1.4.
Otherwise you need to change the exec shiny-server line in this way (this is not tested):
exec su -s /bin/sh -c 'exec "$0" "$@" >> /var/log/shiny-server/shiny-server.log 2>&1' shiny -- shiny-server --pidfile=/var/run/shiny-server/shiny-server.pid
In order to create a writable location for the shiny process running as shiny user you need to create the following additional upstart script as well:
start on starting shiny-server
task
env PIDDIR=/var/run/shiny-server
exec install -o shiny -g shiny -d $PIDDIR
The task of this is to create a writable folder for the shiny user before starting the other process (/var/run is mounted in memory and so folders are not persistent there).
In some cases shiny needs to run as a privileged user and you can find a list here.
I understand the need for root privileges in the linked document, and without them there is no need for root. I see that dropping unnecessary privilege is restricted to shiny pro; I understand the model for keeping some features behind a pay-wall, but I suggest that a security incident in the open-source release (even without your professional support) could smear across your paid version as well.
Please consider adding the privilege-drop functionality to the open-source version.
I am running shiny-server Shiny Server v1.5.8.921 with Node.js v8.11.3 under Debian GNU/Linux 9.5 (stretch) as user shiny with the following systemd unit:
[Unit]
Description=ShinyServer
[Service]
Type=simple
ExecStart=/usr/bin/env bash -c 'su --shell /bin/bash --login --command "/opt/shiny-server/bin/shiny-server --pidfile=/var/run/shiny-server/shiny-server.pid >> /var/log/shiny-server/shiny-server.log 2>&1" shiny'
KillMode=process
ExecReload=/usr/bin/env kill -HUP $MAINPID
ExecStopPost=/usr/bin/env sleep 5
Restart=on-failure
RestartSec=1
StartLimitInterval=45
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
Hope this helps.
Section 2.3.2 of the help (https://docs.rstudio.com/shiny-server/#running-shiny-server-with-root-privileges) states:
"By default, the shiny-server process will be started as the root user, then will spawn R processes according to the corresponding run_as setting. You can, however, run the shiny-server process as a non-privileged user such as the shiny user if none of the limitations above are violated."
but does not specify how to accomplish this. We are running on CentOS. There is no /etc/init/shiny-server.conf file. Looks like there's some Environment Variables that I can set here: /etc/systemd/system/shiny-server.service? Seems weird not to specify how to change this in the docs?
Why not set the default to run as 'shiny' user, if that is the safer option?
If you stop running shiny-server as root, also don't forget to do sudo chown shiny:shiny /var/log/shiny-server.log, otherwise shiny-server won't be able to write into this file anymore, and you won't see any further errors.
(You may also need to do that on /var/run/shiny-server/shiny-server.pid if you have such a file.)
Summary
I think the config file says to run as a specific user, but the logs (et al) report running as root.
Similar perhaps to #153, but that seems to be more address-in-use though it also shows this problem.
Expected
Based on the config file (below), I would expect ps to report the owning user as "shiny".
Actual
The logfile, ps, and netstat all report the process running as root.
Context
Installed on a clean Ubuntu 14.04.3 amd64 (server), shiny-server-1.4.1.759. I believe it's a standard install, direct, nothing changed. The user "shiny" is in the passwd file, and root can su shiny without problem. Nothing in the home directory has been altered, and the three files (.bash_logout, .bashrc, .profile) are straight copies from /etc/skel/. There are no other log entries indicating other errors.
This is a relatively-stock ubuntu server, very little personalized. I appreciate any guidance you can offer, sorry if this is a repeat to something I didn't find.
$ cat /etc/shiny-server/shiny-server.conf
$ tail -5 /var/log/shiny-server.log
$ ps faxu | grep shiny-server
$ netstat -antpe | grep shiny-server
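
A way to check the outcome discussed in this thread, as an added example that is not part of any participant's post: the first function reads `ps -eo user,pid,args` output and lists shiny-server processes not owned by the expected account, the second lists log or pid paths that the account does not own. The `ps` sample is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# stdin: output of `ps -eo user,pid,args`. Prints "USER PID COMMAND" for every
# shiny-server process not owned by $1; returns 1 if any was found.
shiny_procs_not_owned_by() {
    awk -v want="$1" '
        $1 == "USER" { next }                     # ps header line
        {
            args = $3
            for (i = 4; i <= NF; i++) args = args " " $i
            if (args !~ /shiny-server/) next        # unrelated process
            if ($3 ~ /(^|\/)p?grep$/) next          # the grep/pgrep doing the search
            if ($1 != want) { print $1, $2, args; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Prints "OWNER PATH" (or "missing PATH") for each path after $1 that the
# account $1 does not own; returns 1 if any was found.
paths_not_owned_by() {
    want="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing $p"; rc=1; continue
        fi
        owner=$(ls -ld "$p" | awk '{ print $3 }')
        if [ "$owner" != "$want" ]; then
            echo "$owner $p"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of the state the issue reports: the server itself is root.
SAMPLE_PS='USER       PID COMMAND
root      1201 /opt/shiny-server/bin/shiny-server --pidfile=/var/run/shiny-server/shiny-server.pid
shiny     1342 /usr/lib/R/bin/exec/R --no-save
root      1410 grep shiny-server'

printf '%s\n' "$SAMPLE_PS" | shiny_procs_not_owned_by shiny ||
    echo "shiny-server is not running as shiny"

# On a live host:
#   ps -eo user,pid,args | shiny_procs_not_owned_by shiny
#   paths_not_owned_by shiny /var/log/shiny-server.log /var/run/shiny-server/shiny-server.pid
```

A non-zero return from either function means the privilege drop is incomplete: the server is still owned by another account, or it cannot write its log or pidfile.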