Drop Root Privileges in Node.js after Binding to Port 80

38 points by tlhunter, over 12 years ago

8 comments

ejdyksen, over 12 years ago
Alternatively, you could grant the node binary the ability to bind ports < 1024, using setcap (Linux only):

    sudo setcap 'cap_net_bind_service=+ep' /path/to/nodejs

Then you don't have to ever run it as root (at least not for the purpose of binding to the right port).

wonnage, over 12 years ago
It's probably a better idea to just run nginx on port 80 and proxy requests through in any sort of real environment. And if you're not in production...well, it doesn't really matter which port you choose anyway.

mappu, over 12 years ago
Another technique is to launch the service via authbind, in your repositories. It's especially useful if you aren't able to recompile the target.

http://en.wikipedia.org/wiki/Authbind

darklajid, over 12 years ago
Looking at the snippet of code: Isn't that sample (probably) confusing group and user?

    process.setgid('tlhunter');
    process.setuid('users');

I'd expect that 'users' is the group here and 'tlhunter' the user 'thomas l. hunter'?
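
For the setgid/setuid snippet quoted in the comment above, one way to perform the drop after `listen()` so that a swapped user/group or an incomplete drop stops the server instead of leaving it running as root. This is an added example, not code from the article or from any commenter. The names `dropPrivileges` and `serve` and the `RUN_AS_USER` / `RUN_AS_GROUP` environment variables are hypothetical.

```javascript
// Added example. `proc` is normally the global `process`; it is a parameter
// only so the logic can be exercised with a stand-in object in tests.
function dropPrivileges(proc, user, group) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('POSIX credential calls are not available on this platform');
  }
  if (proc.getuid() !== 0) return false; // not root, nothing to drop

  // Order matters: the group changes need root, so setuid() goes last.
  // Argument order matters too: setgid() takes the group, setuid() the user.
  proc.setgroups([group]); // discard root's supplementary groups
  proc.setgid(group);
  proc.setuid(user);

  // Fail closed if any root id survived the drop.
  const ids = [proc.getuid(), proc.geteuid(), proc.getgid(), proc.getegid()];
  if (ids.includes(0)) throw new Error('still root after drop: ' + ids.join(','));

  // A completed drop cannot be undone; if setuid(0) succeeds, refuse to run.
  let regained = false;
  try { proc.setuid(0); regained = true; } catch (err) { /* expected: EPERM */ }
  if (regained) throw new Error('privilege drop was reversible');
  return true;
}

// Hypothetical wiring: runs only when RUN_AS_USER is set, for example
//   sudo RUN_AS_USER=www-data RUN_AS_GROUP=www-data node server.js
async function serve(user, group) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => res.end('uid ' + process.getuid() + '\n'));
  server.listen(80, () => {
    try {
      dropPrivileges(process, user, group);
      // Open log files and other resources only from here on, so nothing
      // is created root-owned.
    } catch (err) {
      console.error(err.message);
      process.exit(1);
    }
  });
}

if (process.env.RUN_AS_USER) {
  serve(process.env.RUN_AS_USER, process.env.RUN_AS_GROUP || process.env.RUN_AS_USER);
}
```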

sigil, over 12 years ago
Alternatively, if you don't trust a large program with dropping root, you can factor out the binding and listening into a separate program. Then accepting and everything beyond can be done with normal privileges.

Assuming a tcpserver-like program called tcplisten, this would look like

    sudo tcplisten 0.0.0.0 80 setuidgid nobody \
        program-that-accepts-on-stdin

FastCGI works similarly. Multiple workers can run underneath, calling accept(2) on stdin.

A simple implementation of tcplisten:

https://gist.github.com/4211098

olalonde, over 12 years ago
I wrote a similar article a few weeks ago (http://syskall.com/dont-run-node-dot-js-as-root/) but have since then realized that changing the process' UID brings a lot of unexpected problems and a much simpler solution is to use a higher port and proxy via nginx. For example, if you initialize a logger before starting your HTTP server and changing the process UID, you might create root owned files and eventually run into permission conflicts.

Hello71, over 12 years ago
Not a good idea to hardcode the name of the "owner". Standard practice is to setuid/gid to 65535 (nobody).

jeremiep, over 12 years ago
You could also create a unix socket and have node.js bind on it.