-3

For a while I have been referring to this popular answer when setting up my Node.js web servers.

However, there's this one seemingly important comment that I wish to raise a question about:

> If I add my Node.js start script to /etc/rc.local, won't it be executed as root on system boot? That would defeat the purpose of the port 80 redirect.

If I run the forever package as root, does forever in turn run its processes also as root? I can't find any information regarding this point in the npm documentation. If forever does run processes as root when forever is also root, then it truly does defeat the purpose and that answer should be updated accordingly.

ThisClark

2 Answers

5

The real question here is *how can I start a nodejs script at startup as a regular user?*, because you really do not want to start your server as root, mainly for security reasons.

And I don't think you'll find any interesting advice in the npm documentation, as this does not have much to do with npm.

The response to the comment you quote, by the author of the mentioned answer, is pretty clear:

> If you start your node.js script from /etc/rc.local it will run as root. However, security best practices are to never run a server as root

Do not start pm2 as root.
If other processes are launched by pm2, then barring special treatment they will be launched as root as well.

When I read

> Add your Node.js start script to the file you edited for port redirection, /etc/rc.local.

I understand: make a script that launches your nodejs script at startup, and make this script launch it as a standard/dedicated user.
Maybe this answer could give you ideas for how to do it: https://askubuntu.com/a/20238

To conclude, the answer is still useful and does not have to be updated, as this solution is in fact great for reaching a port as a regular user (as the first 1024 ports are restricted to the root user only on Linux).

TGrif
  • If I wish to satisfy this condition: *If you start your node.js script from /etc/rc.local it will run as root. However, security best practices are to never run a server as root*, then it sounds like I need to find a way to start my Node.js startup script as a non root user but have the root user kick off the command from the file `/etc/rc.local`. That makes sense. – ThisClark Jun 26 '17 at 01:49
  • The problem with your question is that start posing a security risk by performing a task that shouldn't be executed as root "ever". – Gi1ber7 Jun 28 '17 at 20:36
  • 1
    @Gi1ber7 If root can safely run a process as a different user without elevated privilege, then that process will not have root authority and the problem is avoided. – ThisClark Jun 28 '17 at 21:53
1

He's not suggesting you run the forever package as root. Only that you set up the redirect as root. Once 80 is redirecting to 3000 (or whichever port), you can run node (or forever) as any user with your app listening on port 3000.

You can run a command as another user by doing something like this:

    su <user name> -c '<your command>'

Here is a simple way to put this in a script with a password: https://coderwall.com/p/0wgrwq/run-su-with-password-command-line-argument

Another option is the runuser command. Here is a link: http://linuxcommand.org/man_pages/runuser1.html

Yet another option is to run as a daemon with the --user option, but it requires some work.

Sanjeev
  • Still, I think that is more the risk than the benefit. – Gi1ber7 Jun 28 '17 at 20:38
  • @Gi1ber7, the reason you'd want to avoid running forever, or other applications, as root is that you don't want them to have access to sensitive resources. You can accomplish that by running the process as another user. I don't see the risk. Can you elaborate? – Sanjeev Jun 28 '17 at 21:04
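
An added example, not part of the original thread and not code from forever or pm2: a startup guard the Node.js app itself can run, so that if a boot script or process manager does launch it as root, it drops to a dedicated account before listening on port 3000. The account name `nodeapp` and the `APP_USER`/`APP_GROUP` environment variables are assumptions made for this illustration.

```javascript
// Added example: privilege guard for a Node.js server that may be started
// from a root context such as /etc/rc.local. APP_USER / APP_GROUP and the
// "nodeapp" account are assumed names, not something the thread defines.

// Drops root on a process-like object and reports what happened.
// Returns 'unsupported', 'already-unprivileged' or 'dropped'; throws if the
// process would otherwise keep serving as root.
function dropRoot(proc, user, group) {
  // Platforms without POSIX uids (e.g. Windows) do not expose getuid().
  if (typeof proc.getuid !== 'function') return 'unsupported';

  // Started as a regular user (su -c, runuser, ...): nothing to do.
  if (proc.getuid() !== 0) return 'already-unprivileged';

  // Running as root: a real unprivileged target account is mandatory.
  if (!user || user === 'root' || String(user) === '0') {
    throw new Error('refusing to serve as root: no unprivileged user given');
  }

  // Order matters. Supplementary groups and the gid must be changed while
  // the process is still root; after setuid() it no longer has the right.
  proc.initgroups(user, group);
  proc.setgid(group);
  proc.setuid(user);

  // Confirm the drop actually took effect before any socket is opened.
  if (proc.getuid() === 0 || proc.geteuid() === 0) {
    throw new Error('privilege drop failed: still running as root');
  }
  return 'dropped';
}

// Run this before server.listen(3000). It only acts when APP_USER is set,
// e.g. APP_USER=nodeapp exported by the boot script (assumed convention).
if (process.env.APP_USER) {
  const outcome = dropRoot(
    process,
    process.env.APP_USER,
    process.env.APP_GROUP || process.env.APP_USER
  );
  console.log(`privilege check: ${outcome}`);
}
```

With the port 80 redirect in place the app never needs root to bind, so the guard only matters when something upstream started it with more privilege than intended.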