Getting Data In

What are the pros and cons of running thousands of UFs as root

Motivator

We have thousands of UFs running as Unix root and we have discussions whether to keep it like that or run the UFs as a distinct user.

Therefore my question is - what are the pros and cons of running thousands of UFs as root?

Tags (2)
0 Karma

Motivator

in most cases there are no need to run UF as root user, most common excuses:

  • permissions to access root-only files - can be relaxed using chmod, chown, unix groups, chattr, setcap etc.
  • permissions to open ports below 1024 - can be fixed with iptables, or dropping permissions after start
  • selinux/apparmor - can be adjusted

most severe disadvantage - security risk because of:

  • increased attack surface
  • any/most security restrictions (file permissions, even SElinux etc) can be disabled or bypassed
  • etc.