I’m a bit of a newbie. Was struggling to get Navidrome (v0.58.0/v1.2.8) up and running on my server (25.04.2.4).
In the end, the fix was that the app data storage folder (not the music storage folder) had to have its Owner and Group changed to “apps” from “root”. In doing this I realised that all my other apps’ Owners and Groups are “root”, and that the UIDs/GIDs of some of these apps are 0 instead of 568.
Immich has a UID/GID of 568 too, like Navidrome. But nginx, Tailscale, and Syncthing have UIDs/GIDs of 0.
So I guess I’m asking three things:
- why did Navidrome require “apps” instead of “root” for its app data storage folder?
- why do the UIDs/GIDs differ between apps?
- do any of these differences reveal something about the security of my setup?
This is like the exact same reason why a lot of legacy Windows apps need admin permission to run and Microsoft, a lot of the time, gets blamed unfairly for being insecure.
Lazy developers tend to do this because it’s just much easier to code when you don’t have to worry about permissions.
Nginx probably requires it because it needs to bind to ports 80 and 443 (both are privileged ports) and it requires more effort to make it elevate/de-elevate properly during initialization.
Tailscale needs it probably because it needs to create new network devices and add/remove routes and firewall rules.
Not sure why Syncthing would need it though. Last I checked, they don’t bind to any privileged ports. I suppose they likely also need to update firewall rules.
As for your questions:
- I don’t use SCALE apps, so I’m not familiar with the directory structure, so unfortunately I can’t answer this question.
- Every app typically needs to have its own unique UID/GID for security and consistency. I think, by convention, they use the same number as whatever port they’re listening to, but it’s not required. Also, they can use the same UID/GID, but for security and sandboxing purposes, it’s generally not recommended.
- Running as UID/GID of 0 (i.e. root) is generally not recommended from a security standpoint, but not always necessarily a bad thing.
3 Likes