
When running a Unicorn server on Linux I am debating whether to run the service under a system or normal user. Which one should I use and why?

Scott Pack
mr_ffloyd
  • Just to let you know. This question isn't directly about programming, but is about running software, so in future it's best asked on the sister site ServerFault, instead of StackOverflow. Don't worry right now - we're going to get it moved over there automatically, but I just thought I'd let you know that for the future. – Taryn East Jan 31 '12 at 17:05

1 Answer


"System user" is a very ambiguous statement.

Regardless, a general rule of thumb is to give each service its own specific user, and that user should only have permissions to its own application space (i.e., your apache user shouldn't be able to mess with what your bind user controls, and vice versa). Moreover, those users shouldn't have any "system" permissions of any kind.

The reasoning here is that, in the event that a service application were to be somehow compromised (or just try to do something undesirable/dumb by itself), you don't want it to have the ability to modify anything other than itself. You want to keep it as isolated as possible from the rest of the system.

The user Flimzy on SuperUser explains this in a little more detail.
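
One way to check that a service account follows the isolation rule in the answer above. This is an added example, not part of the original answer; the privileged-group list, the account names and the passwd/group sample data are constructed assumptions.

```sh
# Added example: audit service accounts in passwd/group-format files.
# PRIV_GROUPS is an assumed list; adjust it to your distribution.
PRIV_GROUPS="root sudo wheel adm disk docker"
# audit_service_user USER PASSWD_FILE GROUP_FILE
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_service_user() {
    user=$1; passwd=$2; group=$3; bad=0
    entry=$(awk -F: -v u="$user" '$1 == u' "$passwd")
    if [ -z "$entry" ]; then echo "$user: no such account"; return 1; fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$uid" -eq 0 ]; then echo "$user: uid 0"; bad=1; fi
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "$user: login shell $shell"; bad=1 ;;
    esac
    # A shared uid or home directory means the service is not isolated.
    for other in $(awk -F: -v u="$user" -v id="$uid" -v h="$home" \
            '$1 != u && ($3 == id || $6 == h) { print $1 }' "$passwd"); do
        echo "$user: shares uid or home with $other"; bad=1
    done
    # Privileged group reached through the primary gid or a member list.
    for g in $PRIV_GROUPS; do
        if awk -F: -v g="$g" -v u="$user" -v gid="$gid" '$1 == g &&
            ($3 == gid || index("," $4 ",", "," u ",")) { f = 1 }
            END { exit !f }' "$group"; then
            echo "$user: in privileged group $g"; bad=1
        fi
    done
    return $bad
}

# Constructed sample data (not taken from a real host).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
unicorn:x:990:990::/srv/unicorn:/usr/sbin/nologin
webapp:x:1001:1001::/home/deploy:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
EOF
cat > "$SAMPLE/group" <<'EOF'
sudo:x:27:deploy,webapp
unicorn:x:990:
EOF
for u in unicorn webapp; do
    audit_service_user "$u" "$SAMPLE/passwd" "$SAMPLE/group" || true
done
```

On the sample data, `unicorn` passes with no output, while `webapp` is flagged for its login shell, its home directory shared with `deploy`, and its `sudo` membership.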