Frequently Asked Question
Why does it matter that daemons run as non-root users?
A daemon's user account is the privilege boundary around its worst day. If nginx
runs as www-data and an unauthenticated remote-code-execution bug fires, the
attacker runs commands as www-data: they can read and write whatever www-data
owns, the web root included, but they cannot edit /etc/shadow, load kernel modules,
or read another user's mail. If the same daemon runs as root, the same bug hands the
attacker the entire machine and, often, a foothold for lateral movement into the
rest of the network.
The shape of the fix has been the same since the early Unix days: each long-running
service gets its own dedicated user (www-data, mysql, postgres, prometheus,
_apt), with a shell of /usr/sbin/nologin, owning only the directories it
genuinely needs. Modern systemd extends this with DynamicUser=yes, which allocates
a transient UID at unit start and releases it at stop (and implies
ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=yes, NoNewPrivileges=yes
and RemoveIPC=yes), so even a successful escape from the service cannot persist as
that user or leave files behind under it. User=, Group=, CapabilityBoundingSet=,
NoNewPrivileges=yes, PrivateTmp=yes, ProtectSystem=strict, and
ProtectHome=read-only are the standard knobs.
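The difference between a unit that runs as root by default and one that uses the knobs above, as an added example that is not from the original page. The service name, binary path and listen address are made up for illustration; the directives are real systemd ones. The small check at the end reports which hardening directives a unit's [Service] section is missing, which is a cruder version of what systemd-analyze security does:

```shell
#!/bin/sh
# Added example (not from the original page). The exporter service, its binary
# and its paths are constructed for illustration.

# Weak: no User= or DynamicUser=, so the service runs as root with the full
# capability set, a shared /tmp and a writable OS tree.
weak_unit() {
cat <<'EOF'
[Unit]
Description=Example metrics exporter (weak)

[Service]
ExecStart=/usr/local/bin/example-exporter --listen 127.0.0.1:9100
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Hardened: transient dedicated user, empty capability bounding set, no way to
# regain privilege via setuid binaries, private /tmp, read-only OS tree, no
# access to home directories, and one owned directory for its state.
hardened_unit() {
cat <<'EOF'
[Unit]
Description=Example metrics exporter (hardened)

[Service]
ExecStart=/usr/local/bin/example-exporter --listen 127.0.0.1:9100
Restart=on-failure
DynamicUser=yes
CapabilityBoundingSet=
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=read-only
StateDirectory=example-exporter

[Install]
WantedBy=multi-user.target
EOF
}

# Directives every long-running service should carry. "User|DynamicUser" means
# either one satisfies the requirement.
REQUIRED_DIRECTIVES="User|DynamicUser CapabilityBoundingSet NoNewPrivileges PrivateTmp ProtectSystem ProtectHome"

# unit_hardening_gaps FILE: print "missing: NAME" per absent directive in the
# [Service] section; return non-zero if anything is missing.
unit_hardening_gaps() {
  file=$1
  # Keep the [Service] section only, dropping comment lines.
  service=$(sed -n '/^\[Service\]/,/^\[/p' "$file" | grep -v '^#')
  missing=0
  for alt in $REQUIRED_DIRECTIVES; do
    found=0
    for name in $(printf '%s' "$alt" | tr '|' ' '); do
      if printf '%s\n' "$service" | grep -q "^$name="; then
        found=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      printf 'missing: %s\n' "$alt"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Run the check against both units when executed directly.
tmp=$(mktemp -d)
weak_unit > "$tmp/weak.service"
hardened_unit > "$tmp/hardened.service"
echo "== weak.service"
unit_hardening_gaps "$tmp/weak.service" || true
echo "== hardened.service"
unit_hardening_gaps "$tmp/hardened.service" && echo "no gaps"
rm -rf "$tmp"
```

On a real host run `systemd-analyze security <unit>` instead; it scores every sandboxing directive, not just these six. The check above is useful where that tool is unavailable, for instance in a CI job that lints unit files before they ship in a package.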
For a defender the rule is: if ps aux on your server shows daemons running as root
that do not strictly need to, you have a backlog. Most distribution packages get
this right by default; the violations are usually third-party software installed by
hand, or one-off scripts living in root's crontab.
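A first pass at that ps audit, as an added example that is not from the original page. It reads `ps -eo user,pid,ppid,comm --no-headers` style lines, skips init and kernel threads, and skips an allowlist of services that genuinely need root; the allowlist and the sample process table are constructed for illustration and should be tuned to your own fleet:

```shell
#!/bin/sh
# Added example (not from the original page). ALLOW_ROOT and sample_ps are
# assumptions made for illustration.

# Services assumed to legitimately run as root on this host.
ALLOW_ROOT="systemd sshd cron rsyslogd dbus-daemon"

# root_daemons: stdin is "user pid ppid comm" lines, one process per line.
# Prints "pid comm" for each root-owned userspace process not on the allowlist.
root_daemons() {
  while read -r user pid ppid comm; do
    case "$user" in root) ;; *) continue ;; esac
    # pid 1 is init, pid 2 is kthreadd, children of pid 2 are kernel threads.
    if [ "$pid" -le 2 ] || [ "$ppid" -eq 2 ]; then continue; fi
    case " $ALLOW_ROOT " in *" $comm "*) continue ;; esac
    printf '%s %s\n' "$pid" "$comm"
  done
}

# Constructed process table standing in for `ps -eo user,pid,ppid,comm --no-headers`.
sample_ps() {
cat <<'EOF'
root 1 0 systemd
root 2 0 kthreadd
root 15 2 ksoftirqd/0
root 611 1 sshd
root 640 1 cron
root 880 1 nginx
www-data 901 880 nginx
root 1203 1 node
mysql 1301 1 mysqld
root 1402 640 backup.sh
EOF
}

# Live use: ps -eo user,pid,ppid,comm --no-headers | root_daemons
sample_ps | root_daemons
```

The three hits are worth reading individually. The node process is the classic hand-installed third-party daemon and the backup.sh under cron is the one-off script; both belong in the backlog. The nginx master at pid 880 is root because it binds port 80 and then forks the www-data workers; whether that is acceptable or should become a unit with CapabilityBoundingSet=CAP_NET_BIND_SERVICE and a non-root User= is a judgement call, and the audit's job is only to surface it.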