How can I get rails server to drop root permissions after binding port 80?

So I'd like to switch to port 80 in my development environment, but rails server makes this tough.

rvmsudo bundle exec rails server thin -p 80 works fine, but litters my environment with sass cache and other temporary files, all root-permissioned, which means I pretty much have to do everything as root, which is a Very Bad Thing.

thin start -p 80 -u me -g staff -e development doesn't work; thin seems to drop permissions before binding the port (?!). Even if it did work, this wouldn't do; rails server provides much richer logging for development.

To be clear, I'm well aware that binding port 80 requires root. The ideal solution would drop permissions down to a user/group that I specify after binding port 80, as every server in the last 20 years has been able to do. Is this really not possible to do with rails server? I can't find any documentation on it.

Coerce answered 17/5, 2012 at 16:47 Comment(4)
You probably won't be able to do this; the naive Rails server process expects to be run exactly as the user you're running it as, which will lead to weird permission problems (as you've found) when run as root. Instead of doing that, though, have you considered an alternative? pow binds to named routes that respond on port 80, allowing you to go to mapp.dev and be directed immediately to your application. - Eldred
I have not been able to figure out how pow works; there's so much magic that the documentation doesn't tell me what's going on. But reading it again just now at your suggestion, it seems to do its magic with ipfw, which I've manually used to solve my problem for now. So this is worth a check mark if you post an answer, in my book, if nobody posts a more rails server centric answer within a day or two. - Coerce
Did you consider using a webserver (for example apache or nginx) as transparent proxy instead? You are then able to run your app as an unprivileged user but access it through port 80. - Alwyn
I did consider that, but I hate adding moving parts to my dev setup, especially as I do, in a few places, use things like client IP addresses that introduce potential bugs when adding a proxy, as one needs to start paying attention to x-whatever headers. It seems such a ridiculous kludge to have to add a proxy specifically for the port 80 of it all: after all, it's not like I need to run nginx or apache as root! ipfw seems to be doing the trick and introduces fewer potential complexities. - Coerce
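The bind-then-drop pattern the question asks for, as an added Ruby example that is not part of the original thread and is not code from rails server or thin. The function names `bind_listener` and `drop_privileges` and the script name in the usage comment are hypothetical; the user and group are whatever you pass on the command line.

```ruby
require "socket"
require "etc"

# Step 1 (still root): bind the privileged port. The open socket survives the drop.
def bind_listener(host, port)
  TCPServer.new(host, port)
end

# Step 2: permanently switch to user/group. Order matters: supplementary
# groups and GID must change while we are still root; the UID goes last.
def drop_privileges(user, group)
  return :already_unprivileged unless Process.euid.zero?

  pw = Etc.getpwnam(user)                      # raises ArgumentError if unknown
  raise ArgumentError, "refusing to 'drop' to uid 0" if pw.uid.zero?
  gr = Etc.getgrnam(group)

  Process.initgroups(user, gr.gid)             # replace root's supplementary groups
  Process::GID.change_privilege(gr.gid)        # real and effective GID
  Process::UID.change_privilege(pw.uid)        # real and effective UID

  # Verify the drop cannot be undone: regaining root must fail.
  begin
    Process::Sys.setuid(0)
  rescue Errno::EPERM
    return :dropped
  end
  raise SecurityError, "privilege drop failed: setuid(0) still succeeds"
end

# Usage (hypothetical script name): sudo ruby drop_root.rb me staff
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  server = bind_listener("0.0.0.0", 80)
  puts "drop: #{drop_privileges(*ARGV)}, now uid=#{Process.uid} gid=#{Process.gid}"
  client = server.accept                       # served as the unprivileged user
  client.write("HTTP/1.1 200 OK\r\nContent-Length: 3\r\nConnection: close\r\n\r\nok\n")
  client.close
end
```

Files created after `drop_privileges` returns `:dropped` are owned by the target user, which avoids the root-owned cache and temp files described in the question; anything written before the drop is still owned by root.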
