Node.JS switches the user during operation

Is it possible for a Node.JS program that runs as root to lower its privileges while it is running? This would be one of the first things it does, and the goal, of course, is to limit the possible damage that it can cause, in the unlikely event that there is a vulnerability or incorrectly trusted code in this process.

Alternatively, is there a way for a Node.JS process that runs as root to start a separate process that is not root? (preferably without adding a layer between them, e.g. sudo)

+4
3 answers

Yes, use process.setuid(id) and process.setgid(id) to change the effective user / group ID of the current process.

+2
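An added example, not part of the answer above: one way to apply process.setgid and process.setuid so that the drop is complete and cannot be undone. The function name `dropPrivileges`, the injectable `proc` parameter and the account names in the usage comment are assumptions made for illustration.

```javascript
// Added example (not from the original answers). Drops root in the only order
// that works, then verifies that root cannot be regained.
// `proc` defaults to the real `process`; it is a parameter (an assumption of
// this sketch) so the call sequence can be exercised without being root.
function dropPrivileges(user, group, proc = process) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('POSIX only: process.setuid is not available here');
  }
  if (proc.getuid() !== 0) {
    return false; // not root, nothing to drop
  }
  // 1. Replace root's supplementary groups; setuid alone leaves them in place.
  proc.setgroups([group]);
  // 2. Group before user: once the uid is non-zero, setgid is no longer allowed.
  proc.setgid(group);
  // 3. User last.
  proc.setuid(user);

  // 4. Fail closed if any id is still 0 (for example user or group was "root").
  if (proc.getuid() === 0 || proc.geteuid() === 0 ||
      proc.getgid() === 0 || proc.getegid() === 0) {
    throw new Error('still running with uid/gid 0 after the drop');
  }
  // 5. Try to get root back. A permanent drop makes this throw.
  let regained = true;
  try {
    proc.setuid(0);
  } catch (err) {
    regained = false;
  }
  if (regained) {
    throw new Error('setuid(0) succeeded: the drop is not permanent');
  }
  return true;
}

// Typical use: bind the privileged port while still root, then drop.
// 'nobody' and 'nogroup' are assumed account names; use a dedicated account.
//   server.listen(80, () => dropPrivileges('nobody', 'nogroup'));
```

Anything opened before the call (listening sockets, file descriptors) stays usable afterwards, so only the setup that truly needs root should run before it.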

@mabako's answer looks great, but there should be operational tricks that are simpler.

What I have seen people do a lot with node:

  • Add the user who runs the node code to the www-data group so that it can bind to privileged ports.

    ex: http://kvz.io/blog/2009/12/15/run-nodejs-as-a-service-on-ubuntu-karmic/

  • Use iptables to redirect privileged ports to an unprivileged node program that listens on a high port.

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000

Do you have any non-port reasons for starting a node server with root privileges?

EDIT: here are more tricks: Is there a way for non-root processes to bind to “privileged” ports on Linux?

0

Source: https://habr.com/ru/post/1444465/

