Run Hypnotoad as nginx user

[Poorchop]

I want to replace my CGI scripts with Mojolicious using nginx with a reverse proxy to Hypnotoad. I previously had a factcgi process running as the nginx user and I want nginx to also own the Hypnotoad process. This seems much more secure than running the process myself since I have superuser privileges but barring this, I don't want to compromise the security of folders that I own. The Mojo script in question will be accepting user input and writing data to the disk.

I can't figure out how to do this however. Right now, I have local::lib set up with Mojolicious installed in ~/perl5. I tried installing the perl-Mojolicious package provided by my distro (CentOS 7) since a system-wide install is executable by the nginx user but it's too old and it doesn't seem to work. I'm not sure how to install packages system-wide with cpanm and this also doesn't seem like the right approach.

Assuming my site is served from /var/www/example.com/, do I have to somehow install Mojolicious to some place like /var/www/example.com/app/lib/, change the owner to nginx, and then do something like sudo -u nginx /var/www/example.com/app/lib/hypnotoad /path/to/script.pl?

[Grinnz]

There is no restriction what user can run a mojo app based on its location or owner. The user must have permissions to read the script, and must have the environment set up to load your Perl modules. Since you are using a local::lib which is specific to your user, you must configure that local::lib location in the other user's env in your init script for the hypnotoad daemon (which can also handle choosing the user to run it as).

PERL5LIB=/path/to/your/perl5/lib/perl

[Poorchop]

Thanks. I'm not actually sure how to modify environment variables for the nginx user since I think that it was created as a system account without a home directory, shell, or the ability to log in. I'm thinking it might make more sense to just create a "hypnotoad" user with its own local::lib setup. That might actually be safer than allowing nginx to own the hypnotoad process.

[Grinnz]

I suggest making one specific to the project you're trying to run if you're going to go through the effort, in case you someday want to run other projects using hypnotoad on the same machine with different perms.

You don't need to modify the env for the nginx user, you can just set it in the init script for the hypnotoad process, whatever that might be.

[squizzster]

I use:

use POSIX;
POSIX::setuid(1000);

which seems to work for me.

[Poorchop]

That's interesting, I didn't even realize that was an option in Perl. In the end, I realized that it made a lot more sense to create a new user with its own local::lib but knowing that I can change the process owner like this might come in handy in the future.

[Grinnz]

Please only do this via https://metacpan.org/pod/Mojolicious::Plugin::SetUserGroup, or you will leave root's group permissions active in the process.

[squizzster]

I will use:
use Mojolicious::Plugin::SetUserGroup

in the future.