How can I avoid Phusion Passenger running as root?
I updated to Passenger 5.1.11 today and had reason to look at my Apache error log.
In /var/log/apache2/error.log I found this entry (multiple times):
WARNING: potential privilege escalation vulnerability. Passenger is
running as root, and part(s) of the passenger root path (/home/jack/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/passenger-5.1.11) can be changed by non-root user(s): The path
"/home/jack/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/passenger-5.1.11" can be modified by user "jack" (or applications running as that
user). Change the owner of the path to root, or avoid running
Passenger as root.
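I am running Debian 7 and installed Passenger as a gem. I did not run any of the installation commands using sudo.
How can I avoid running Passenger as root? I spent the last few hours googling this, but came up empty-handed.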
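Apache is started as root, so when the Passenger module is loaded, it starts as root. In a situation where you are integrating with Nginx or Apache, you are going to find it's much easier to restrict the permissions on the gem dir than it is to run the webserver as a non-root user.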
Expanding on the accepted answer:
In a situation where you are integrating with Nginx or Apache, you are going to find it's much easier to restrict the permissions on the gem dir than it is to run the webserver as a non-root user.
From https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them.
This means that if you want to run a web server (usually on port 80 or 443), you should run it as root.
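Before changing ownership of the gem directory, it helps to see which components of the path a non-root user can actually modify. The script below is an added example, not Passenger's own check and not part of the original answers; `audit_path` is a hypothetical helper name, GNU `stat` (as on Debian) is assumed, and the treatment of sticky-bit directories is this example's own choice.

```shell
#!/bin/sh
# Added example (not Passenger's code). audit_path is a hypothetical helper.
# Walks from a directory up to / and reports each component that someone
# other than the trusted uid (default 0 = root) could modify.
# Assumes GNU coreutils stat, as shipped on Debian.

audit_path() {
    # Resolve to an absolute, symlink-free path so the walk always ends at /.
    path=$(cd "$1" && pwd -P) || return 2
    trusted_uid=${2:-0}
    findings=0
    while :; do
        info=$(stat -c '%u %a' "$path") || return 2
        uid=${info% *}
        mode=$((0${info#* }))          # leading 0: parse the mode as octal
        if [ "$uid" -ne "$trusted_uid" ]; then
            echo "$path: owned by uid $uid"
            findings=1
        fi
        # Group/other write bits let non-owners replace entries, unless the
        # sticky bit (01000) limits that to the entry's or directory's owner,
        # both of which the ownership check above already covers.
        if [ $(($mode & 022)) -ne 0 ] && [ $(($mode & 01000)) -eq 0 ]; then
            echo "$path: writable by group or others"
            findings=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return "$findings"
}

# Usage: sh audit.sh <passenger root directory from the warning>
if [ "$#" -gt 0 ]; then
    audit_path "$1"
fi
```

Every line it prints is a component to hand over to root (or to tighten with `chmod`); an exit status of 0 means the whole chain is owned by the trusted uid and not writable by anyone else.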