sargas - 4 months ago
Linux Question

run shiny server as non-root

I installed shiny server in a virtual machine (ubuntu server 14.04.4 in VirtualBox)

    $ shiny-server --version
    Shiny Server v1.4.2.786
    Node.js v0.10.40


All in all the server runs nicely and starts apps as intended.

The only thing I'm missing and failing to achieve is that shiny server is running as an unprivileged user. I even completely set up a new VM and shiny server to make sure no trial config changes still take effect.

I changed my config to not contain any folders one needs root permissions for:

    $ cat /etc/shiny-server/shiny-server.conf
    # Instruct Shiny Server to run applications as the user "shiny"
    run_as shiny;

    # Define a server that listens on port 3838
    server {
      listen 3838;

      # Define a location at the base URL
      location / {

        # Host the directory of Shiny Apps stored in this directory
        # site_dir /srv/shiny-server;
        site_dir /home/shiny/shiny_sitedir/apps;

        # Log all Shiny output to files in this directory
        # log_dir /var/log/shiny-server;
        log_dir /home/shiny/shiny_sitedir/logs;

        # When a user visits the base URL rather than a particular application,
        # an index of the applications available in this directory will be shown.
        directory_index on;
      }
    }


    # privileges of shiny user
    uid=1000(shiny) gid=1000(shiny) groups=1000(shiny),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)

    # owner of /etc/shiny-server
    -rw-r--r-- 1 root root shiny-server.conf

    # trying to start shiny server as user shiny without sudo
    $ start shiny-server
    start: Rejected send message, 1 matched rules; type="method_call", sender=":1.6" (uid=1000 pid=1134 comm="start shiny-server ") interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init ")


The server log tells me the same thing I see from the htop output: that shiny server runs as root. (A side note: shiny server still uses /var/log/shiny-server.log instead of /home/shiny/shiny_sitedir/logs, which annoys me as well.)

    [...] [INFO] shiny-server - Shiny Server v1.4.2.786 (Node.js v0.10.40)
    [...] [INFO] shiny-server - Using pidfile /var/run/shiny-server.pid
    [...] [INFO] shiny-server - Using config file "/etc/shiny-server/shiny-server.conf"
    [...] [WARN] shiny-server - Running as root unnecessarily is a security risk! You could be running more securely as non-root.
    [...] [INFO] shiny-server - Starting listener on 0.0.0.0:3838


The shiny server documentation (http://docs.rstudio.com/shiny-server/#running-shiny-server-with-root-privileges) ships out a list of requirements to be fulfilled for non-root usage. Actually it defines states in which the shiny server needs to run as root:


  1. If user_apps or user_dirs is enabled for any location. In order to host applications as various users, Shiny Server must have root privileges.


    • check. My shiny-server.conf neither uses user_apps nor user_dirs


  2. If your configuration uses run_as to spawn applications as multiple different users.


    • check. run_as defines shiny as the only user


  3. If you're running any server on a privileged port (a port in the range of 1-1024).


    • check. shiny server listens on port 3838




Although I think the installation fulfils the requirements shiny server still runs as root.


  • How do I force shiny server to run as shiny user or even a user not part of the sudoers group?

  • Does the shiny-server.conf need to locate anywhere else?

  • How would I make shiny-server aware of this new location then?

  • Do I need to change anything in /opt/shiny-server/config/ or any permissions on /etc/shiny-server/?



Edit: after a comment by @warmoverflow I moved /etc/init/shiny-server.conf to ~/.init. Now, shiny server does not start automatically at boot up. But neither does start shiny-server succeed, because upstart is not aware of the ~/.init folder. From some forum posts it seems that dbus needs to start, which it usually does by starting a graphical environment. As I'm running Ubuntu server this doesn't happen. Creating the two files mentioned in the upstart manual (http://upstart.ubuntu.com/cookbook/#session-init) doesn't help either, because the jobs fail to start.

Does anybody have a hint how to proceed or where I could find some information?

Answer

If your only goal is to ensure that shiny-server is running as non-root, and you are okay with starting shiny-server using sudo (even if it's started with sudo, it can be running as a non-root user), edit /etc/init/shiny-server.conf, and

  1. Add the following two lines at the beginning

    setuid shiny
    setgid shiny
    
  2. Change the 3rd last line to

    exec shiny-server --pidfile=/home/shiny/shiny-server.pid >> /home/shiny/shiny-server.log 2>&1
    

Note that Shiny has two default log file locations.

  1. /var/log/shiny-server.log contains the logs for the server itself, and is defined in /etc/init/shiny-server.conf

  2. /var/log/shiny-server/ is the folder that contains log files for your applications, and is defined in /etc/shiny-server/shiny-server.conf.

Once you have made the changes above and also changed the run_as user, start shiny-server again with sudo start shiny-server, and you'll notice that shiny-server is in fact running as the non-root user, and the warning in the log file will be gone too.
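
The job-file change above can be checked offline, together with the question's wish for an account outside the sudoers group. The script below is an added example, not part of the original answer; the function names, the sample job files and the `shinysvc` account are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Upstart job file and an `id` line for leftover privilege.

# Account an Upstart system job runs as: the argument of its `setuid` stanza,
# or "root" when the stanza is absent (Upstart's default for system jobs).
job_run_user() {
    user=$(awk '$1 == "setuid" { u = $2 } END { print u }' "$1")
    echo "${user:-root}"
}

# Sensitive groups named in one line of `id` output, space separated.
# sudo/admin/wheel/root grant or imply root; adm can read system logs.
sensitive_groups() {
    echo "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p' |
        grep -E -x 'root|sudo|admin|wheel|adm' | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds only when the job drops root and the account holds no sensitive group.
audit() {
    [ "$(job_run_user "$1")" != "root" ] && [ -z "$(sensitive_groups "$2")" ]
}

# Constructed minimal job files (not the packaged /etc/init/shiny-server.conf).
SAMPLE_DIR=$(mktemp -d)
printf 'exec shiny-server >> /var/log/shiny-server.log 2>&1\n' \
    > "$SAMPLE_DIR/before.conf"
printf 'setuid shiny\nsetgid shiny\nexec shiny-server --pidfile=/home/shiny/shiny-server.pid >> /home/shiny/shiny-server.log 2>&1\n' \
    > "$SAMPLE_DIR/after.conf"

# `id` output quoted in the question, and a constructed account "shinysvc".
ID_QUESTION='uid=1000(shiny) gid=1000(shiny) groups=1000(shiny),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)'
ID_MINIMAL='uid=998(shinysvc) gid=998(shinysvc) groups=998(shinysvc)'

echo "before: runs as $(job_run_user "$SAMPLE_DIR/before.conf")"
echo "after:  runs as $(job_run_user "$SAMPLE_DIR/after.conf")"
echo "question account groups: $(sensitive_groups "$ID_QUESTION")"
audit "$SAMPLE_DIR/after.conf" "$ID_MINIMAL" && echo "after + minimal account: ok"
```

On the server itself, pass /etc/init/shiny-server.conf and the output of `id shiny` to `audit` instead of the constructed samples.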