2

Being new to Node.js, I have this question..

I see it mentioned in a few places that node should not be run as root, such as this. I am just using node to set up a simple web service and executing a python script which requires root access. I just don't understand where the danger lies, as in what could the hacker do.

My node.js file is something like this:-

var http = require('http');
var express = require('express');

var app = express();


app.use(express['static'](__dirname));


app.get('/alert', function(req, res) {
    var addr = req.query.addr;
    //~ need to check if it is a valid address??
    console.log('Received addr -' + addr);

    var spawn = require('child_process').spawn;

    var process = spawn('python', ['custom-text-led/custom-text.py', addr]);

    process.stdout.on('data', function(data) {
        console.log('Data:' + data);
    });


})

app.get('*', function(req, res) {
    res.status(404).send('Unrecognized API call');
});

app.use(function(err, req, res, next) {
    if (req.xhr) {
        res.status(500).send('Opps, something went wrong');
    } else {
        next(err);
    }
});

app.listen(3000);

console.log('App server running at port 3000');
daisura99
  • 1,030
  • 1
  • 12
  • 22
  • 2
    If you don't know what a hacker could do, that does not mean a hacker couldn't do anything. It only means that you are not a hacker. That is the whole point of being a hacker: seeing what could be done when everyone thinks nothing could be done. – zvone Sep 30 '16 at 06:58

4 Answers4

2

The hacker could do anything if there is any security issues. You could give the user witch runs the web server the permission to do the task your task is intending to do.

In general try to avoid root whenever you can (put the tinfoil hat on).

Maximus Power
  • 48
  • 3
  • would appreciate if you can provide a specific example as to how the attacker can execute commands on my server. Is it through the web service like `http://xx.xx.xx.xx/addr?q=xxx`. Or maybe some other way, which I would like to know – daisura99 Sep 30 '16 at 07:56
  • @daisura99 Actually i cant give you an example, i'm not into hacking :). But if he finds a way to execute commands he could do whatever he likes to do. – Maximus Power Oct 07 '16 at 11:21
2

According to this post from superuser of StackExchange platform, you can pipe the password to other sudo commands, like this:

echo <password> | sudo -S <command>

and according to this StackOverflow post, you can pipe commands in spawn like this:

child.spawn('sh', args)
var args = ['-c', <the entire command you want to run as a string>];

After some hours struggling I found the solution. To wrap it all up, your answer would be something like:

import { spawn } from "child_process";
const process = spawn("sh", ["-c", "sudo -K << <password> <the entire command you want to run with sudo>"]);

I hope it would help you and others like me.

MajidJafari
  • 1,076
  • 11
  • 15
1

Building on MajidJafari's work (which unfortunately did not work for me as he typed it) I was able to come up with something that works, albeit very convoluted.

const process = spawn("sh", ["-c", "echo <password used for sudo user> | sudo -S bash -c '<enter command or multiple commands separated by && here>'"]);

All the commands encased within the set single parenthesis ' ' will be run as sudo.

ChaseMcDizzle
  • 11
  • 1
0

On node v16.18.0 this option works

const { spawn } = require("child_process");

const options = {
    shell: true
};

const user = 'root';
const password = '12345';
const c = 'ls /root';

spawn("sudo", [`-S <<< '${password}'`, '-u', user, 'bash', '-c', `'${c}'`], options);
Arthur Zarembo
  • 1
  • 2