Sandboxing apps with Unix user accounts (user switching)
on Passenger Standalone

When running web applications with Passenger, we recommend that you make use of the user account sandboxing feature, also known as user switching. This means (if you run multiple applications on a server) running each application under its own operating system user account, instead of running them all as the same user. Doing so improves the overall security of the system.

To better understand the problem, let us consider the situation with PHP. There is a problem that plagues most PHP web hosts, namely the fact that all PHP applications are run in the same user context as the web server. So for example, Joe's PHP application will be able to read Jane's PHP application's passwords. This is obviously undesirable on many servers.

Passenger's user account sandboxing feature solves this problem. This feature makes it very easy to run each application as its own operating system user. Assuming that you have correctly secured your files with the right filesystem permissions, user account sandboxing stops or limits the impact of certain classes of vulnerabilities. Going back to our example, if Joe's application has been hijacked through a vulnerability (or is intentionally malicious), then it won't be able to access Jane's passwords, assuming that Jane has secured her password files with the right permissions.

How it works

Passenger Standalone runs the application as the current user by default. That means if you start Passenger Standalone while logged in as root, then Passenger will run your application as root.

You can activate Passenger Standalone's user account sandboxing feature by passing --user to passenger start, or by setting the user option in Passengerfile.json. Passenger will then run the application as that user.

User account sandboxing is the reason why, in all official Passenger Library documentation, we recommend that you create a new user account for each application.