What user should run the gunicorn process?
When running a Django application on a Debian server, should you create some sort of application user (e.g. "myappuser") and run the gunicorn process as that user or can/should gunicorn be run as root? Would running it as root create a security risk? I've installed gunicorn using APT rather than install it in a virtual environment. Running it as an application user seems to make the configuration more difficult as you have to give that user permission to write to the log files, the PID file, etc. It seems easier to run it as root.
exec gunicorn $DJANGO_WSGI_MODULE:application \
--name myapp \
--user=$USER \ # <- who should this be?
--group=$GROUP \
As a general rule it is always a good idea to run workers and that kind of thing under a separate user which is specifically only given the permissions it requires in order to run. Running things as root is usually easier as you rarely have to worry about permissions issues, but it is always less secure as anything that can successfully exploit your application will have immediate root access to your system rather than having to find some way to escalate further. Even if there is no deliberate exploit, if the application goes catastrophically wrong somehow, it could for instance end up trashing important parts of your filesystem. Bite the bullet and deal with the slight complexity of faffing about with permissions now rather than accept the security risk of running as root. In some cases it might be appropriate to reuse some other user that already exists (for instance, www-data for the works for a webapp), if that makes things any easier.