File Access Permissions and Security of Node.js apps on Linux
1,495 views
Skip to first unread message
Aaron Gray
Jan 3, 2016, 5:53:43 PM1/3/16
to nod...@googlegroups.com
Hi,
A friend asked me a question I was very embarrassed not to be able to
answer. Basically he could not find any information on both deploying
Node.js app in regard to setting file permissions and on protecting
the filing system from Node.js applications. There seems to be no
guides to these matters.
So I would be interested if there is anything available regarding these matters.
Many thanks in advance,
Aaron
A friend asked me a question I was very embarrassed not to be able to
answer. Basically he could not find any information on both deploying
Node.js app in regard to setting file permissions and on protecting
the filing system from Node.js applications. There seems to be no
guides to these matters.
So I would be interested if there is anything available regarding these matters.
Many thanks in advance,
Aaron
Robert Zehnder
Jan 4, 2016, 5:25:07 PM1/4/16
to nodejs
I would handle it the way any other server application would be deployed (ie, Tomcat, Nginx, Apache). I would say start the process with a restricted user (running any server process as root is bad). So in this case perhaps create a new user for the app to use and ensure that user has read access and write access to the project directory as required.
Zlatko
Jan 4, 2016, 5:25:07 PM1/4/16
to nodejs
Well, it should be no different then with other runtimes, like Rails or maybe a PHP app.
`node` is a binary file, and when you run it, you run it as a certain user. This user can access some files on the system, and is blocked to others. Likewise, other users can access certain files owned by this user, or can be blocked from others. Typical program like any other.
If you want to isolate a Node app on a, say, typical linux system, you would run the Node runtime with a separate user, created just for the app. You would protect it's home directory (or wherever the app is served from) so that only that user (and possibly autodeployment etc scripts) can access it. If you want to protect other places on the system, do not let your app user (or node user) access to that folder.
But those are simple use cases. Seemingly more complex solution would be if you "dockerize" your app - put it in the docker container. The app is then, well, contained. Permissions are much more restrictive, depending on your setup. And you get other benefits - streamlining deployments, testing etc.
The best part of dockerizing a node app is that it's super simple. You learn it in one afternoon, you practice maybe a week and you are good - new skill acquired, new levels of complexity that actually simplifies stuff for you reached, new options open. And it's applicable to more then just node, you can then dockerize other stuff too - database/cashing systems, file systems, nginx and whatnot.
Take a look at one of the tutorials available online and see how it goes.
Tim Kuijsten
Jan 5, 2016, 1:17:55 AM1/5/16
to nod...@googlegroups.com
Op 04-01-16 om 21:58 schreef Robert Zehnder:
good way to sandbox your application (in combination with
child_process.fork).
-Tim
> I would handle it the way any other server application would be deployed
> (ie, Tomcat, Nginx, Apache). I would say start the process with a
> restricted user (running any server process as root i*s bad*). So in
> (ie, Tomcat, Nginx, Apache). I would say start the process with a
> this case perhaps create a new user for the app to use and ensure that
> user has read access and write access to the project directory as required.
Additionally, the chroot npm does some checking of permissions and is a
> user has read access and write access to the project directory as required.
good way to sandbox your application (in combination with
child_process.fork).
-Tim
Reply all
Reply to author
Forward
0 new messages