5

Is it possible for a Node.js program that is running as root to downgrade its authority while it is running? This would be one of the first things it does, and the purpose is of course to limit possible damage it could cause, in the unlikely event that there is a vulnerability, or mis-trusted code that runs in this process.

Alternatively, is there a way for a Node.js process that is running as root to start a separate process which is non-root? (Preferably without adding a layer in between, such as sudo.)

700 Software

3 Answers

5

Try process.setuid (and likewise, process.setgid).

mabako
3

Yes, use process.setuid(id) and process.setgid(id) to change the effective user/group id of the current process.

Peter Lyons
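An added example (not code from either answer above) showing the order in which a root-started Node.js process should make these calls, plus a check that root cannot be regained afterwards. `dropPrivileges` and `makeFakeProcess` are hypothetical names, the ids 1000 are constructed, and the stand-in object exists only so the logic can run without root.

```javascript
// Added example: drop root permanently in a Node.js process (POSIX only).
// `proc` defaults to the real `process`; it is a parameter only so the logic
// can be exercised against a stand-in object without being root.
function dropPrivileges(user, group, proc = process) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('setuid/setgid are not available on this platform');
  }
  if (proc.getuid() !== 0) {
    throw new Error('not running as root; nothing to drop');
  }
  // Order matters: each call below needs root, so setuid() must come last.
  proc.setgroups([group]); // 1. discard root's supplementary groups
  proc.setgid(group);      // 2. change the group while still root
  proc.setuid(user);       // 3. change the user; root is gone after this

  // Verify the drop is irreversible: going back to uid 0 must fail.
  let regained = false;
  try {
    proc.setuid(0);
    regained = proc.getuid() === 0;
  } catch (err) {
    // expected path: the call is refused once we are no longer root
  }
  if (regained) {
    throw new Error('privilege drop failed: process could return to uid 0');
  }
  return { uid: proc.getuid(), gid: proc.getgid() };
}

// Constructed stand-in for `process`: id changes are refused unless uid is 0.
function makeFakeProcess() {
  const state = { uid: 0, gid: 0, groups: [0], calls: [] };
  const needRoot = (name) => {
    state.calls.push(name);
    if (state.uid !== 0) throw new Error('EPERM: ' + name);
  };
  return {
    state,
    getuid: () => state.uid,
    getgid: () => state.gid,
    setgroups: (g) => { needRoot('setgroups'); state.groups = g; },
    setgid: (g) => { needRoot('setgid'); state.gid = g; },
    setuid: (u) => { needRoot('setuid'); state.uid = u; },
  };
}

// Real use: call dropPrivileges(uid, gid) right after binding the listening port.
const fake = makeFakeProcess();
console.log(dropPrivileges(1000, 1000, fake), fake.state.groups);
```

If `setuid` ran before `setgid` or `setgroups`, the later calls would be refused and the process would keep root's group memberships.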
0

@mabako's answer looks great, but there should be operating system tricks that are easier.

What I've seen people do a lot with node is to either

  1. Add the user that runs the node code to the www-data group to allow it to bind to privileged ports.

    ex: http://kvz.io/blog/2009/12/15/run-nodejs-as-a-service-on-ubuntu-karmic/

  2. Use iptables to redirect privileged ports to an unprivileged node program, which listens on a high port.

    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000

Do you have any non-port-binding reasons to run a node server as root?

EDIT: More tricks here: Is there a way for non-root processes to bind to "privileged" ports on Linux?

rdrey