
run shiny server as non-root

I installed shiny server in a virtual machine (ubuntu server 14.04.4 in VirtualBox)

shiny-server --version

Shiny Server v1.4.2.786
Node.js v0.10.40

All in all the server runs nicely and starts apps as intended.

The only thing I'm missing and failing to achieve is that shiny server is running as an unprivileged user. I even completely set up a new VM and shiny server to make sure no trial config changes still take effect.

I changed my config to not contain any folders one needs root permissions for:

$ cat /etc/shiny-server/shiny-server.conf
# Instruct Shiny Server to run applications as the user "shiny"
run_as shiny;

# Define a server that listens on port 3838
server {
  listen 3838;

  # Define a location at the base URL
  location / {

    # Host the directory of Shiny Apps stored in this directory
    # site_dir /srv/shiny-server;
    site_dir /home/shiny/shiny_sitedir/apps; 

    # Log all Shiny output to files in this directory
    # log_dir /var/log/shiny-server;
    log_dir /home/shiny/shiny_sitedir/logs;

    # When a user visits the base URL rather than a particular application,
    # an index of the applications available in this directory will be shown.
    directory_index on;
  }
}


# privileges of shiny user
uid=1000(shiny) gid=1000(shiny) groups=1000(shiny),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)

# owner of /etc/shiny-server
-rw-r--r--  1 root root shiny-server.conf

# trying to start shiny server as user shiny without sudo
$ start shiny-server 
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.6" (uid=1000 pid=1134 comm="start shiny-server ") interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init ")

The server log tells me the same thing I see in the htop output: shiny server runs as root. (A side note: shiny server still uses /var/log/shiny-server.log instead of /home/shiny/shiny_sitedir/logs, which annoys me as well.)

[...] [INFO] shiny-server - Shiny Server v1.4.2.786 (Node.js v0.10.40)
[...] [INFO] shiny-server - Using pidfile /var/run/shiny-server.pid
[...] [INFO] shiny-server - Using config file "/etc/shiny-server/shiny-server.conf"
[...] [WARN] shiny-server - Running as root unnecessarily is a security risk! You could be running more securely as non-root.
[...] [INFO] shiny-server - Starting listener on 0.0.0.0:3838

The shiny server documentation http://docs.rstudio.com/shiny-server/#running-shiny-server-with-root-privileges ships out a list of requirements to be fulfilled for non-root usage. Actually it defines states in which the shiny server needs to run as root:

  1. If user_apps or user_dirs is enabled for any location. In order to host applications as various users, Shiny Server must have root privileges.
    • check. My shiny-server.conf neither uses user_apps nor user_dirs
  2. If your configuration uses run_as to spawn applications as multiple different users.
    • check. run_as defines shiny as the only user
  3. If you're running any server on a privileged port (a port in the range of 1-1024).
    • check. shiny server listens on port 3838

Although I think the installation fulfils the requirements shiny server still runs as root.

  • How do I force shiny server to run as the shiny user, or even as a user who is not part of the sudoers group?
  • Does the shiny-server.conf need to be located anywhere else?
  • How would I make shiny-server aware of this new location then?
  • Do I need to change anything in /opt/shiny-server/config/ or any permissions on /etc/shiny-server/?

Edit: after a comment by @warmoverflow, I moved /etc/init/shiny-server.conf to ~/.init. Now, shiny server does not start automatically at boot up. But neither does start shiny-server succeed, because upstart is not aware of the ~/.init folder. From some forum posts it seems that dbus needs to start, which it usually does when a graphical environment is started. As I'm running Ubuntu server, this doesn't happen. Creating the two files mentioned in the upstart manual http://upstart.ubuntu.com/cookbook/#session-init doesn't help either, because the jobs fail to start.

Does anybody have a hint how to proceed or where I could find some information?

sargas asked Dec 24 '22 07:12
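The three documented conditions listed in the question can be checked mechanically against a shiny-server.conf. The following is an added example, not part of the original post or of Shiny Server; the function names are hypothetical and the sample config is constructed from the one shown in the question.

```python
# Constructed from the configuration shown in the question (comments trimmed).
QUESTION_CONF = """
run_as shiny;
server {
  listen 3838;
  location / {
    # site_dir /srv/shiny-server;
    site_dir /home/shiny/shiny_sitedir/apps;
    log_dir /home/shiny/shiny_sitedir/logs;
    directory_index on;
  }
}
"""

def directives(conf_text):
    """Yield (name, args) per directive, skipping comments and closing braces."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";{").strip()
        tokens = line.split()
        if tokens and tokens[0] != "}":
            yield tokens[0], tokens[1:]

def root_reasons(conf_text):
    """Return which of the three documented conditions force root."""
    reasons, users = [], set()
    for name, args in directives(conf_text):
        # Assumption: "user_apps off;" counts as disabled, anything else as enabled.
        if name == "user_dirs" or (name == "user_apps" and args != ["off"]):
            reasons.append(f"{name} is enabled")
        elif name == "run_as":
            users.update(args)
        elif name == "listen" and args and args[0].isdigit():
            # Privileged range as stated in the quoted documentation: 1-1024.
            if 1 <= int(args[0]) <= 1024:
                reasons.append(f"listen {args[0]} is a privileged port")
    if len(users) > 1:
        reasons.append("run_as names several users: " + ", ".join(sorted(users)))
    return reasons

if __name__ == "__main__":
    print(root_reasons(QUESTION_CONF) or "no documented reason to run as root")
```

An empty result means the configuration itself does not require root, so the remaining cause is how the init system launches the process.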


2 Answers

If your only goal is to ensure that shiny-server is running as non-root, and you are okay with starting shiny-server using sudo (even if it's started with sudo, it can be running as a non-root user), edit /etc/init/shiny-server.conf, and

  1. Add the following two lines at the beginning

    setuid shiny
    setgid shiny
    
  2. Change the 3rd last line to

    exec shiny-server --pidfile=/home/shiny/shiny-server.pid >> /home/shiny/shiny-server.log 2>&1
    

Note that Shiny has two default log file locations.

  1. /var/log/shiny-server.log contains the logs for the server itself, and is defined in /etc/init/shiny-server.conf

  2. /var/log/shiny-server/ is the folder that contains log files for your applications, and is defined in /etc/shiny-server/shiny-server.conf.

Once you made the changes above and also changed the run_as user, start shiny-server again with sudo start shiny-server, and you'll notice that shiny-server is in fact running as the non-root user, and the warning in the log file will be gone too.

Xiongbing Jin answered Dec 28 '22 08:12


I'm running Shiny Server v1.4.4.801 (Node.js v0.10.46). On this version shiny initialization is done via systemd.

To run shiny as non-root, one has to edit the /etc/systemd/system/shiny-server.service file. Add setuid shiny and setgid shiny commands to ExecStart like this:

ExecStart=/bin/bash -c 'setuid shiny; setgid shiny; /opt/shiny-server/bin/shiny-server --pidfile=/var/run/shiny-server.pid >> /var/log/shiny-server.log 2>&1'

Now, one can start shiny server by typing systemctl start shiny-server.service.

Type systemctl enable shiny-server.service to autostart shiny-server on reboot.

Sergey answered Dec 28 '22 09:12
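A check for both answers, as an added example that is not from either answerer or from Shiny Server: it reads which user the init system itself is told to switch to (Upstart's setuid/setgid stanzas, systemd's User=/Group= in [Service]) and flags pidfile or log paths that user cannot write, which is why the first answer moves them to /home/shiny. Function names are hypothetical, the job texts are constructed from the lines on this page, and the list of root-only directories is an assumption about default permissions.

```python
import re

# Assumption: these directories are writable only by root on a default install.
ROOT_ONLY = ("/var/run/", "/run/", "/var/log/")

# Constructed from the Upstart edits in the first answer.
UPSTART_JOB = """\
setuid shiny
setgid shiny
exec shiny-server --pidfile=/home/shiny/shiny-server.pid >> /home/shiny/shiny-server.log 2>&1
"""
# Constructed unit: User=/Group= set, pidfile and log left at the default paths.
SYSTEMD_UNIT = """\
[Service]
User=shiny
Group=shiny
ExecStart=/bin/bash -c '/opt/shiny-server/bin/shiny-server --pidfile=/var/run/shiny-server.pid >> /var/log/shiny-server.log 2>&1'
"""

def upstart_identity(job):
    """(user, group) from Upstart's setuid/setgid stanzas, None where absent."""
    pattern = r"^[ \t]*(setuid|setgid)[ \t]+(\S+)[ \t]*$"
    found = dict(re.findall(pattern, job, re.M))
    return found.get("setuid"), found.get("setgid")

def systemd_identity(unit):
    """(User, Group) from the [Service] section of a systemd unit."""
    section, found = None, {}
    for line in map(str.strip, unit.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found.get("User"), found.get("Group")

def audit(identity, text):
    """List problems: no privilege drop, or paths the service user cannot write."""
    user, _group = identity
    if user in (None, "root"):
        return ["no privilege drop configured: the service starts as root"]
    paths = re.findall(r"(?:--pidfile=|>>\s*)(/[^\s']+)", text)
    return [f"{user} cannot write {p}" for p in paths if p.startswith(ROOT_ONLY)]

if __name__ == "__main__":
    print(audit(upstart_identity(UPSTART_JOB), UPSTART_JOB))
    print(audit(systemd_identity(SYSTEMD_UNIT), SYSTEMD_UNIT))
```

On the running host, the effective user can be confirmed with ps -o user= -C shiny-server after the service has started.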