I updated to Passenger 5.1.11 today and had cause to look at my Apache error logs.
In /var/log/apache2/error.log I found this entry (many times over):
WARNING: potential privilege escalation vulnerability. Passenger is running as root, and part(s) of the passenger root path (/home/jack/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/passenger-5.1.11) can be changed by non-root user(s): The path "/home/jack/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/passenger-5.1.11" can be modified by user "jack" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
I'm running Debian 7 and installed Passenger as a gem. I didn't run any install commands using sudo.
How can I avoid Passenger running as root? I've spent the last couple of hours Googling this, but have come up empty handed.
Apache starts as root, thus when the Passenger module is loaded it starts as root. In a situation where you are integrating with Nginx or Apache, you are going to find it's much easier to restrict the permissions on the gem dir than it is to run the webserver as a non-root user.