Shiny Server running as root even when I used "run_as shiny"

[Abhijit Sahay]

Hi:

I am using the default config file for Shiny Server which instructs the server to be run as user "shiny", but the server still comes up as root.  Here is my config file:

-----------------------

# Instruct Shiny Server to run applications as the user "shiny"

run_as shiny;

# Define a server that listens on port 3838

server {

  listen 3838;

  # Define a location at the base URL

  location / {

    # Host the directory of Shiny Apps stored in this directory

    site_dir /srv/shiny-server;

    # Log all Shiny output to files in this directory

    log_dir /var/log/shiny-server;

    # When a user visits the base URL rather than a particular application,

    # an index of the applications available in this directory will be shown.

    directory_index on;

  }

}

-------------------------

and the warning in my log file:

[2014-09-02 10:46:03.531] [WARN] shiny-server - Running as root unnecessarily is a security risk! You could be running more securely as non-root.

Thanks for any help,

Abhijit Sahay

[Fereshteh Karimeddini]

Abhijit,

There are ways you can run the server as non-root.

1- If based on your config file you want to run the server as "shiny" user, you need to login as that user and then run "opt/shiny-server/bin/shiny-server". This is not using Upstart. 

2- If you want to use Upstart, then you need to make changes to the Upstart file (/etc/init/shiny-server.conf) file. Change the "exec" command to something like this for example:

exec su -s /bin/sh -c 'exec "$0" "$@"' shiny -- shiny-server --pidfile=/var/run/shiny/shiny-server.pid >> /var/log/shiny-server.log 2>&1

For this example, it is assuming a pid file is being generated in /var/run/shiny directory. So you need to create this directory and give it write permission to "shiny" user. And then you can use the Upstart commands to stop and start your server (sudo stop shiny-server  OR sudo start shiny-server).

And remember when server process is not run as root, you might run into permissions issues with some other files/directories. Refer to the Admin Guide for more info on this.

Best,

Fereshteh

[Jeff Bruce]

I would like to do this as well but can't quite figure out how.  I've spent a couple of hours trying different permutations and have done a bit of reading into the Admin Guide, but have had no such luck.  Obviously it seems desirable NOT to run the server as root, just as an apache server is recommended NOT to be run as root, and in fact is run as www-data using the default configuration.

I created a 'shiny' Linux user (the user does not have root privileges) and modified /etc/init/shiny-server.conf to be as you suggested, and my /etc/shiny-server/shiny-server.conf is identical to the OP, with an addition that I am also listening on a specific IP.  I tried creating a /var/run/shiny directory and giving it full rwx access for ugo.  As far as I can tell, I have no shiny-server.pid, and there is no reference to this file in the Admin Guide, so it's hard to even figure out what's going on in your exec command.  When I access my app, I get the following error:

{ [Error: ENOENT, open '/var/log/shiny-server/ClusterMouseAutism-shiny-20150514-165139-42979.log']
  errno: 34,
  code: 'ENOENT',
  path: '/var/log/shiny-server/ClusterMouseAutism-shiny-20150514-165139-42979.log' }
Error: ENOENT, open '/var/log/shiny-server/ClusterMouseAutism-shiny-20150514-165139-42979.log'
This referenced log file does not exist when I navigate to that directory.

Furthermore, as far as I understand it, Upstart will automatically start shiny-server when the machine boots, right?  (I'm on Ubuntu 14.04).  I have the problem that when I start shiny-server using the user shiny, I can't use sudo obviously because the user shiny doesn't have sudo privileges, and if I start shiny-server with another user WITH sudo privileges, then the server doesn't even appear when I look at running processes using top.  Basically I just want to be able to use Upstart using the shiny user to manage the state of shiny-server.

Do you have any additional guidance you can give here?

Thanks!

Thanks.

[Jeff Bruce]

Actually, for security purposes, shouldn't the server be run as a different user than the users connecting to it?  Users connect to the server as user 'shiny', and I've created a user account called 'shiny-server' that I hope to use to start the server.

Any help here would be appreciated since these security issues are new to me.

[Fereshteh Karimeddini]

Jeff,

For the error you mentioned above, check the permissions on this directory: /var/log/shiny-server

Fereshteh