0

So I am running a project I have been working on for a while. I am running it using sudo node , I am first wondering if this is a good idea at all? The reason I have been doing this is because occasionally it will not let me listen on port 80 unless I launch my program using sudo.

Anyway when I use fs.appendFileSync or any file creation, it will restrict the files access to sudo (I can only delete the file in the OS using sudo rm ... , I want to be able to delete and modify these files from any other system user.

So should I be using sudo to launch node? and how can I create files in sudo, then allow other users to delete them (eg myself using the ui)?

Josh Mc
  • 9,911
  • 8
  • 53
  • 66
  • 1
    What flavor of linux are you using -- brand or home-brewed? Also, http://serverfault.com/questions/112795/how-can-i-run-a-server-on-linux-on-port-80-as-a-normal-user or http://unix.stackexchange.com/questions/10735/linux-allowing-an-user-to-listen-to-a-port-below-1024 may help. – Jonathan Lonowski Mar 15 '13 at 22:37
  • 1
    you can also use iptables and forward port 80 to 8000 or any other port > 1024 - ok well i just saw jonathan's link thats basicaly it ;) – supernova Mar 16 '13 at 00:36
  • I am using ubuntu, I will investigate these links, cheers. – Josh Mc Mar 16 '13 at 05:19

1 Answers1

3

There are several better approaches than sudo.

  1. Use a reverse proxy listening on port 80 forwarding traffic to your node process which runs as non-root and listens on a port > 1024. This is how the overwhelming majority or real world deployments run, and for good reason. See Why should one use a http server in front of a framework web server? and my answer here for supporting arguments.
  2. Start your node process as root, bind port 80 as root, then use process.setuid to drop privileges to a non-root user. Here's an article on this technique.

Note that the purpose of sudo is primarily for users logged in and running interactive shells to run specific commands. It really has no role in operating network services.

In terms of permissions, your node process should run as a non-root user and have appropriate filesystem write permissions in a specific directory as needed to write files as part of its application operation.

occasionally it will not let me listen on port 80 unless I launch my program using sudo

Not "occasionally", always. Unix processes must be root to bind to network ports < 1024.

Community
  • 1
  • 1
Peter Lyons
  • 142,938
  • 30
  • 279
  • 274
  • hmmm so would subscribing on port 8080 as a non-root user, then at the higher router/firewall level direct traffic on port 80 to my process be a better way to do this, then operating directly on port 80 and requiring root access? Are there any disadvantages to this? – Josh Mc Mar 16 '13 at 05:25
  • what you want is a reverse proxy such as nginx/apache/varnish/ha-proxy/etc (not a router, not a firewall) acting as your web server and reverse proxy. There are many advantages to this I list completely in the answer I linked to above. – Peter Lyons Mar 16 '13 at 06:04
  • so what is the downside to using just a router/firewall to port forward that way? Thanks for all the useful information. – Josh Mc Mar 16 '13 at 09:37
  • The downside is the lack of upsides as described in the answer I linked to above: when your app server is down, you can't serve an error page, you can't easily do virtual hosting, your SSL will be slower, you can't do load balancing, etc. – Peter Lyons Mar 16 '13 at 12:50
  • ahhh right, all very real problems, Ok thanks for the very informative answer, much appreciated. – Josh Mc Mar 17 '13 at 06:37