I made a web application using Bottle and want to publish it. I decided to use paste for the web server because the official documentation said it's the easiest way.
In order to let the web server process listen on port 80, the process must be launched by the root user. I'm not a security expert and cannot judge whether it's safe to use the root user for launching an application that is exposed directly to the internet.
Shall I avoid using the root user in such a situation?
Answer
No. Do not run your web server as root.
Shall I avoid using root user in such a situation?
Yes, avoid running as root.
In order to let the web server process listen on the port 80
Your web server does not need to listen on port 80. One common way to structure this is to put a proxy (like a load balancer) in front of your web server. Your server listens on a non-privileged port (e.g. 8000); the load balancer (which is listening on port 80) forwards all requests to your server.
The accepted answer (which does not actually answer your question) merely mentions chroot, but I suggest that you not worry about that. Running as a non-privileged user is a much more important safeguard than using chroot. I would consider chroot to be secondary to your initial, quite legitimate, concerns over running as root.
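The setup this answer describes, sketched as an added example (not code from the question or the answer): a startup guard for the backend that refuses to run as root or on a privileged port. It uses the standard-library wsgiref server with a placeholder app, and it assumes the proxy runs on the same host, so the backend binds to loopback only; launch_problems, app and serve are hypothetical names.

```python
import os
from wsgiref.simple_server import make_server

# On Unix, binding a port below 1024 needs root (or an equivalent capability).
PRIVILEGED_PORT_LIMIT = 1024
LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


def launch_problems(euid, host, port):
    """Return the reasons this launch should be refused (empty list means OK)."""
    problems = []
    if euid == 0:
        problems.append("running as root; start the app as a dedicated unprivileged user")
    if port < PRIVILEGED_PORT_LIMIT:
        problems.append(f"port {port} is privileged; listen on e.g. 8000 and let the proxy own port 80")
    # Assumption: the proxy is on the same host. If the backend listened on
    # every interface, clients could reach it directly and skip the proxy.
    if host not in LOOPBACK_HOSTS:
        problems.append(f"bind address {host} is not loopback; only the local proxy should connect")
    return problems


def app(environ, start_response):
    # Placeholder WSGI app. A Bottle application object is itself a WSGI
    # callable, so it can be passed to make_server() in place of this one.
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello from the unprivileged backend\n"]


def serve(host="127.0.0.1", port=8000):
    """Check the launch configuration, then serve until interrupted."""
    problems = launch_problems(os.geteuid(), host, port)
    if problems:
        raise SystemExit("refusing to start: " + "; ".join(problems))
    with make_server(host, port, app) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The proxy or load balancer listening on port 80 then forwards requests to 127.0.0.1:8000.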