I agree with what you wrote, and add that you should make sure that your service's executables and scripts also should not be owned by the user they run as.
It's unfortunately very common to install, for example, a project as the "ubuntu" user and also run it as the "ubuntu" user. But this arrangement effectively turns any kind of file-overwrite vulnerability into a remote-execution vulnerability.
Owning executables as root:root, perms 0755, and running as a separate unprivileged user, is a standard approach.
> All of recommendations about efficiency seem misguided to me.
I've seldom had to worry about the performance of my scripts. It almost always is dominated by the performance of whatever the script is running. I did have one very notable exception, though. It's kind of embarrassing.
On one project---for "reasons"---I had written several bash scripts to collect system performance metrics to push into Nagios or Graphite. A couple of these had to calculate some floating point, and I was invoking `dc` to do that, as bash only supports integer arithmetic. The script would loop once every 5 seconds or so, iirc, invoking dc each time. One small process every 5 seconds doesn't sound like a lot, but the systems also ran ClamAV---again, for "reasons"---and were already under high load, and that extra process invocation had a noticeable and significant impact on the system.
My workaround was to run a single instance of dc using bash's `coproc` keyword, then redirect all the calculations through the returned descriptors. This had a drastic improvement.
Except... it turns out that dc leaked 80 bytes of memory whenever it read and parsed a float. So, the long-running dc process would eventually get oom-killed. So, I added a check to restart the dc process every 5000 iterations, or something like that.
Which all sounds like a big headache, but for "reasons" this was far easier than getting some other solution into that environment.
I did submit a bug report (2020 Feb 19), and Ken Pizzini (dc's original author, I think) was kind enough to reply even though he wasn't the maintainer. Unfortunately, my patch never got upstreamed.
Then again, who else is crazy enough to use dc as long-running math server?
Thank you! I didn't have many options at the time, having a small family to provide for, so I went back to work as a software developer. The career has been good. I regret not being able to be a professor and devote more time to research, but I also try to make opportunities for those kinds activities in other ways.
I had picked my advisor at the start of my PhD. I also had 2 backups. My pick was on sabbatical my first year. He and I agreed I'd load up on the required classes that year.
He e-mailed me right before the year ended saying he had changed his mind and didn't want any more grad students, basically dumping me.
Right around the same time, my first backup decided to retire.
My second backup passed away.
I was left no longer making "sufficient progress" and no path to do so, losing my financial aid.
It's unfortunately very common to install, for example, a project as the "ubuntu" user and also run it as the "ubuntu" user. But this arrangement effectively turns any kind of file-overwrite vulnerability into a remote-execution vulnerability.
Owning executables as root:root, perms 0755, and running as a separate unprivileged user, is a standard approach.