Run Webserver Without Root

programming

Published

November 12, 2020

You’ve written your web application or API and you now want to deploy it to a server. You don’t want to run it as root, because if someone finds a vulnerability in the server then it will be trivial for them to take over the system. However only root has permission to run applications on ports 80 and 443.

There are a few ways to do this, but only a couple that make sense for an interpreted language (like Python, as opposed to a compiled binary). An easy way is using authbind to grant access to the ports.

Autbind

You’ve got a service ready to serve on port 80 and/or port 443. How do we run the application?

# 1. Install authmind
apt-get install authbind
# 2. Create permission files to set read/write permission
sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
# 3. Change the owner to the user who runs the service
# Here I'm assuming they're called `server`
sudo chown server /etc/authbind/byport/80
sudo chown server /etc/authbind/byport/443

# Run the application
authbind --deep /path/to/app

That’s all there is to it.