Architecture question : executing root commands from node server

Pi HomeServer

Apr 11, 2015, 4:01:14 PM
to nod...@googlegroups.com
Hello,

I want to build a web interface over a NodeJS server. One of the purposes of the interface is to be able to control the Linux PC where the server is running. For example: update (via apt-get for example), reboot, install packages, etc.
I can think of 2 ways to do that:
  • Running the server as root
  • Executing commands via a shell executed with the uid/gid of root
To be honest, both sound insecure to me, but I don't see how to get around that.

Users of the web interface will have to log in (I use PassportJS with a SQLite database) before getting access to the part of the site where you can execute commands that require root privileges.
I am also working on adding SSL support to the server.

Any advice on implementing this function without opening all doors?

Thanks !
Chris

Daniel Rinehart

Apr 11, 2015, 6:15:42 PM
to nodejs
As you've already mentioned, opening up these types of operations to a web server is a big security risk. That said, I'd look into using sudoers to restrict the commands that require elevated privileges to be run, and be sure to use aggressive sanitizing of any user input.

Pi HomeServer

Apr 12, 2015, 3:27:13 PM
to nod...@googlegroups.com
Thanks Daniel

I think that I will put node's user in the sudo list, restrict the list of allowed commands with the sudo file, and create some scripts on the server so that users cannot send custom commands.
I will have a look at how to sanitize commands.

Chris
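
The approach settled on in this thread (an unprivileged Node process, a sudoers allowlist, fixed server-side scripts, validated input), sketched as an added example that is not code from any poster. The account name `node`, the `/usr/local/sbin/pi-*` script paths, the action names and the sudoers line are assumptions made for illustration.

```javascript
// Assumed sudoers entry (hypothetical account "node", hypothetical root-owned scripts):
//   node ALL=(root) NOPASSWD: /usr/local/sbin/pi-update, /usr/local/sbin/pi-reboot, /usr/local/sbin/pi-install

// Constructed allowlist: the browser sends an action name plus typed
// parameters, never a command string.
const ACTIONS = {
  update:  { script: '/usr/local/sbin/pi-update',  params: [] },
  reboot:  { script: '/usr/local/sbin/pi-reboot',  params: [] },
  install: { script: '/usr/local/sbin/pi-install', params: ['package'] },
};

// Debian-style package name: lowercase alphanumerics plus "+", "-", ".",
// starting with an alphanumeric. The anchored pattern rejects a leading "-"
// (option injection), whitespace, newlines and shell metacharacters.
const VALIDATORS = {
  package: (v) => typeof v === 'string' && v.length <= 64 &&
    /^[a-z0-9][a-z0-9+.-]+$/.test(v),
};

// Pure function: maps a request to a fixed argv, or throws.
function buildCommand(action, params = {}) {
  // hasOwnProperty keeps inherited keys such as "constructor" out.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action)) {
    throw new Error(`unknown action: ${JSON.stringify(action)}`);
  }
  const spec = ACTIONS[action];
  const extra = Object.keys(params).filter((k) => !spec.params.includes(k));
  if (extra.length > 0) throw new Error(`unexpected parameter: ${extra[0]}`);
  const args = spec.params.map((name) => {
    if (!VALIDATORS[name](params[name])) throw new Error(`invalid ${name}`);
    return params[name];
  });
  // -n: never prompt for a password, fail if sudoers does not permit the command.
  // --: end of sudo's own options.
  return { file: '/usr/bin/sudo', args: ['-n', '--', spec.script, ...args] };
}

// Runs the action without a shell: execFile passes args as an argv array,
// so nothing in them is interpreted as shell syntax.
function runAction(action, params, callback) {
  // Loaded here so buildCommand stays a pure function that is easy to test.
  const { execFile } = require('child_process');
  const { file, args } = buildCommand(action, params);
  return execFile(file, args, { timeout: 10 * 60 * 1000 }, callback);
}
```

Call `runAction` only from a route that has already passed the login check, and keep the scripts root-owned and not writable by the `node` account, otherwise the sudoers allowlist can be bypassed by editing them.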