What is the reason that celery should not run as root?
I see recommendations in the shell that I shouldn't run celery as root, that it is "absolutely not recommended!".
Can someone explain this?
python django celery django-celery
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
add a comment |
I see recommendations in the shell that I shouldn't run celery as root, that it is "absolutely not recommended!".
Can someone explain this?
python django celery django-celery
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
3
It is typically recommended to run nothing as root, except if you really have to. By running things as root, you thus give access to a lot of system settings/files/... If somehow the program goes wrong, or a hacker managed to inject some code into it, the damage with root access can be more severe.
– Willem Van Onsem
Nov 25 '18 at 18:32
add a comment |
I see recommendations in the shell that I shouldn't run celery as root, that it is "absolutely not recommended!".
Can someone explain this?
python django celery django-celery
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
I see recommendations in the shell that I shouldn't run celery as root, that it is "absolutely not recommended!".
Can someone explain this?
python django celery django-celery
python django celery django-celery
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
asked Nov 25 '18 at 18:30
tonino.jtonino.j
2,7702325
2,7702325
3
It is typically recommended to run nothing as root, except if you really have to. By running things as root, you thus give access to a lot of system settings/files/... If somehow the program goes wrong, or a hacker managed to inject some code into it, the damage with root access can be more severe.
– Willem Van Onsem
Nov 25 '18 at 18:32
add a comment |
3
It is typically recommended to run nothing as root, except if you really have to. By running things as root, you thus give access to a lot of system settings/files/... If somehow the program goes wrong, or a hacker managed to inject some code into it, the damage with root access can be more severe.
– Willem Van Onsem
Nov 25 '18 at 18:32
3
3
It is typically recommended to run nothing as root, except if you really have to. By running things as root, you thus give access to a lot of system settings/files/... If somehow the program goes wrong, or a hacker managed to inject some code into it, the damage with root access can be more severe.
– Willem Van Onsem
Nov 25 '18 at 18:32
It is typically recommended to run nothing as root, except if you really have to. By running things as root, you thus give access to a lot of system settings/files/... If somehow the program goes wrong, or a hacker managed to inject some code into it, the damage with root access can be more severe.
– Willem Van Onsem
Nov 25 '18 at 18:32
add a comment |
1 Answer
1
active
oldest
votes
This is a specific case of the Principle of least privilege (PoLP) [wiki]:
(...) the principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
If you give your celery root access that means it has access to a lot of powerful tools: it can remove system configuration, wipe the entire file system, install new software, even manipulate hardware, etc.
Running celery as root might result in several insecure scenarios. For example, if a hacker thus manages to "inject" code somewhere, it can wait until celery runs that code, and for example creates a user with a predefined password, and then it can access the machine. Sure managing to store code somewhere such that celery runs that is another challenge, but typically it is better always to assume that all systems are to some extent insecure, and thus giving these root access, will definitely not benefit security. This is also stated in the Wikipedia article:
(...) For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses".
Sure if a hacker manages to inject code, this can still cause a lot of damage, so running the celery process as non-root user, is not sufficient. Typically it is also useful to run a process with a user that has only access to files, and other resources it really needs. For example only the python files that are used for the processes it has to carry out.
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53470602%2fwhat-is-the-reason-that-celery-should-not-run-as-root%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is a specific case of the Principle of least privilege (PoLP) [wiki]:
(...) the principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
If you give your celery root access that means it has access to a lot of powerful tools: it can remove system configuration, wipe the entire file system, install new software, even manipulate hardware, etc.
Running celery as root might result in several insecure scenarios. For example, if a hacker thus manages to "inject" code somewhere, it can wait until celery runs that code, and for example creates a user with a predefined password, and then it can access the machine. Sure managing to store code somewhere such that celery runs that is another challenge, but typically it is better always to assume that all systems are to some extent insecure, and thus giving these root access, will definitely not benefit security. This is also stated in the Wikipedia article:
(...) For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses".
Sure if a hacker manages to inject code, this can still cause a lot of damage, so running the celery process as non-root user, is not sufficient. Typically it is also useful to run a process with a user that has only access to files, and other resources it really needs. For example only the python files that are used for the processes it has to carry out.
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
add a comment |
This is a specific case of the Principle of least privilege (PoLP) [wiki]:
(...) the principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
If you give your celery root access that means it has access to a lot of powerful tools: it can remove system configuration, wipe the entire file system, install new software, even manipulate hardware, etc.
Running celery as root might result in several insecure scenarios. For example, if a hacker thus manages to "inject" code somewhere, it can wait until celery runs that code, and for example creates a user with a predefined password, and then it can access the machine. Sure managing to store code somewhere such that celery runs that is another challenge, but typically it is better always to assume that all systems are to some extent insecure, and thus giving these root access, will definitely not benefit security. This is also stated in the Wikipedia article:
(...) For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses".
Sure if a hacker manages to inject code, this can still cause a lot of damage, so running the celery process as non-root user, is not sufficient. Typically it is also useful to run a process with a user that has only access to files, and other resources it really needs. For example only the python files that are used for the processes it has to carry out.
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
add a comment |
This is a specific case of the Principle of least privilege (PoLP) [wiki]:
(...) the principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
If you give your celery root access that means it has access to a lot of powerful tools: it can remove system configuration, wipe the entire file system, install new software, even manipulate hardware, etc.
Running celery as root might result in several insecure scenarios. For example, if a hacker thus manages to "inject" code somewhere, it can wait until celery runs that code, and for example creates a user with a predefined password, and then it can access the machine. Sure managing to store code somewhere such that celery runs that is another challenge, but typically it is better always to assume that all systems are to some extent insecure, and thus giving these root access, will definitely not benefit security. This is also stated in the Wikipedia article:
(...) For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses".
Sure if a hacker manages to inject code, this can still cause a lot of damage, so running the celery process as non-root user, is not sufficient. Typically it is also useful to run a process with a user that has only access to files, and other resources it really needs. For example only the python files that are used for the processes it has to carry out.
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
This is a specific case of the Principle of least privilege (PoLP) [wiki]:
(...) the principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
If you give your celery root access that means it has access to a lot of powerful tools: it can remove system configuration, wipe the entire file system, install new software, even manipulate hardware, etc.
Running celery as root might result in several insecure scenarios. For example, if a hacker thus manages to "inject" code somewhere, it can wait until celery runs that code, and for example creates a user with a predefined password, and then it can access the machine. Sure managing to store code somewhere such that celery runs that is another challenge, but typically it is better always to assume that all systems are to some extent insecure, and thus giving these root access, will definitely not benefit security. This is also stated in the Wikipedia article:
(...) For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses".
Sure if a hacker manages to inject code, this can still cause a lot of damage, so running the celery process as non-root user, is not sufficient. Typically it is also useful to run a process with a user that has only access to files, and other resources it really needs. For example only the python files that are used for the processes it has to carry out.
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
answered Nov 25 '18 at 18:54
Willem Van OnsemWillem Van Onsem
150k16145235
150k16145235
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53470602%2fwhat-is-the-reason-that-celery-should-not-run-as-root%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
It is typically recommended to run nothing as root, except if you really have to. By running things as root, you thus give access to a lot of system settings/files/... If somehow the program goes wrong, or a hacker managed to inject some code into it, the damage with root access can be more severe.
– Willem Van Onsem
Nov 25 '18 at 18:32