Security best practice when running process as non-root user

Justin Meltzer asked:

So I’m trying to run Supervisor ( as a non-root user. However the process outputs logs to the /var/log directory which is owned by root and has 755 permissions. Therefore starting the process as a non-root user throws a permission denied error. What is a best practice for solving this issue? One idea I have is to recursively change the group of the /var directory to that of the user which is starting the supervisor process, and giving the /var directory 775 permissions. Is this acceptable from a security standpoint?

My answer:

Use the user= directive in supervisord.conf, so that supervisord starts as root, does any necessary opening of files, and then drops privileges.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.