Run Golang as www-data
Problem description
When I run a Node HTTP server app I usually call a custom function
function runAsWWW()
{
    try
    {
        process.setgid('www-data');
        process.setuid('www-data');
    } catch (err)
    {
        console.error('Cowardly refusal to keep the process alive as root.');
        process.exit(1);
    }
}
from server.listen(8080,'localhost',null,runAsWWW); so the server is actually running as the www-data user to offer a better modicum of security. Is there something similar I can do when I start up a Golang web server by issuing go run index.go?
Expanding on @JimB's answer:
Use a process supervisor to run your application as a specific user (and handle restarts/crashes, log re-direction, etc). setuid and setgid are universally bad ideas for multi-threaded applications.
Either use your OS' process manager (Upstart, systemd, sysvinit) or a standalone process manager (Supervisor, runit, monit, etc).
Here's an example for Supervisor:
[program:yourapp]
command=/home/yourappuser/bin/yourapp # the location of your app
autostart=true
autorestart=true
startretries=10
user=yourappuser # the user your app should run as (i.e. *not* root!)
directory=/srv/www/yourapp.com/ # where your application runs from
environment=APP_SETTINGS="/srv/www/yourapp.com/prod.toml" # environmental variables
redirect_stderr=true
stdout_logfile=/var/log/supervisor/yourapp.log # the name of the log file.
stdout_logfile_maxbytes=50MB
stdout_logfile_backups=10
Further: if you're not reverse proxying and your Go application needs to bind to a port < 1024 (e.g. port 80 or 443) then use setcap - for example: setcap cap_net_bind_service=+ep /home/yourappuser/bin/yourapp
PS: I wrote a little article on how to run Go applications with Supervisor (starting from "I don't have Supervisor installed").
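Added example, not part of the original question or answer: a Go start-up guard in the spirit of the question's "cowardly refusal" that never calls setuid/setgid and only verifies what the supervisor and setcap were supposed to set up. It assumes Linux (it reads /proc/self/status); the name checkPrivileges is hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

const capNetBindService = 10 // bit number of CAP_NET_BIND_SERVICE on Linux

// checkPrivileges takes /proc/<pid>/status text and fails when the process is
// effectively root, holds capabilities beyond net_bind_service, or data is missing.
func checkPrivileges(status string) error {
	seen := 0
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "Uid:", "Gid:": // columns: real, effective, saved, filesystem
			if len(f) < 3 || f[2] == "0" {
				return fmt.Errorf("%s effective id is 0 or missing; run as an unprivileged user", f[0])
			}
			seen++
		case "CapEff:": // hex bitmask of effective capabilities
			caps, err := strconv.ParseUint(f[1], 16, 64)
			if extra := caps &^ (1 << capNetBindService); err != nil || extra != 0 {
				return fmt.Errorf("CapEff %q: unparsable or grants more than net_bind_service", f[1])
			}
			seen++
		}
	}
	if seen < 3 {
		return fmt.Errorf("status is missing Uid, Gid or CapEff; failing closed")
	}
	return nil
}

func main() {
	raw, _ := os.ReadFile("/proc/self/status") // unreadable file gives empty input, which fails closed
	if err := checkPrivileges(string(raw)); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("privilege check passed; start the HTTP server here")
}
```

Call the check before opening any listener, so a unit started without user= in the supervisor config exits immediately instead of serving requests as root.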