RunAs

RunAs is a position-independent config.txt/ezproxy.cfg directive that is available in EZproxy for Linux and Solaris.

It is common for EZproxy to be set to startup automatically when the system is booted. Normally, this results in EZproxy running under the privileged root account. If you configure EZproxy to listen on any ports below 1024, EZproxy must be started as root to be able to open these ports. To increase security, it is desirable to have EZproxy run with a non-root account.

The RunAs directive allows you to tell EZproxy to change from the root user to a non-privileged user, and optionally a different group. EZproxy switches to the account specified at its earliest opportunity, after it has opened all low ports on which it needs to listen, but before it actually starts any proxying work.

Sample usage is:

RunAs someuser
RunAs someuser:somegroup


If you want to use RunAs, you should follow these steps:

1. Stop EZproxy.
2. Edit config.txt/ezproxy.cfg to add the appropriate RunAs directive.
3. Issue a command to change the directory where EZproxy is installed and all the files within it so they are owned by the non-privileged user, such as:

   chown -R someuser /usr/local/ezproxy


   Note that the chown command is applied recursively to the directory where EZproxy is installed and all the files within, not just to the EZproxy binary program itself.

4. Restart EZproxy.
5. Check messages.txt/ezproxy.msg to insure there are no error messages recorded about not being able to access required files.

Once you have EZproxy configured to use RunAs, you may notice one EZproxy process still runs as root. The main EZproxy process is called Guardian. Guardian is responsible for starting up a separate process that does the actual proxying. If the worker process should stop for any reason, Guardian restarts the worker process. Guardian remains root through all of this since the restarted worker process may need to be root to open low ports.