https.request error within chroot jailed node process


kuhnza

Sep 11, 2012, 3:47:29 PM
to nod...@googlegroups.com
I'm getting the following error when calling https.request in my node script: 
nodejs: ../src/node_crypto.cc:752: void node::crypto::Connection::ClearError(): Assertion `handle_->Get(String::New("error"))->BooleanValue() == false' failed.

The node process is running inside a chroot on Ubuntu. I built the chroot using jailtool and as far as I can tell node should have all the necessary dependencies available to it. The way I checked was to run apt-rdepends nodejs and made sure that all the libs were inside the jail. The jail also has access to /dev/null and /dev/random.

Besides https everything else seems to be running fine. I can make http calls no problem and the rest of my code runs without error.

Running the same script outside the jail works.

What am I missing?

kuhnza

Sep 11, 2012, 3:51:12 PM
to nod...@googlegroups.com
Oh I forgot to mention I'm running Node v0.8.8 on Ubuntu 12.04.1 in case that helps.

Dav Glass

Sep 11, 2012, 4:24:37 PM
to nod...@googlegroups.com
Check to make sure that all of ssl's libs and all of its certs are
available inside the chroot too.
I'm pretty sure they are loaded from /etc/ssl/certs/, so if that's not
accessible from the chroot the request will likely fail.

I seem to recall hitting this a while back, but it's been a while so I
may be wrong.

Dav

--
Dav Glass
davg...@gmail.com
blog.davglass.com



kuhnza

Sep 11, 2012, 4:43:14 PM
to nod...@googlegroups.com
Thanks Dav, the certs were missing from the chroot environment so I've copied them in now. Unfortunately I'm still getting the error though.

Pretty sure all the required libs are there. I ran apt-rdepends on openssl and nodejs to be sure all those deps made it in there.

Dave

Ben Noordhuis

Sep 11, 2012, 8:34:22 PM
to nod...@googlegroups.com
Is your node binary installed from a repo? What happens if you compile
from (upstream) source?

kuhnza

Sep 12, 2012, 2:55:18 PM
to nod...@googlegroups.com
Thanks for the suggestion Ben. 

Jailtool does install from a repo, though it doesn't do automatic dependency resolution. You have to specify them yourself which is a pain and pretty error prone. I think the issue was that while I'd specified all the nodejs deb package dependencies I'd forgotten the python-software-properties one which includes a lot of crypto libs.

In the end I solved it late yesterday using debootstrap and schroot which gave me access to the package manager. From there I simply installed node as per the Ubuntu instructions on the node JS wiki. It's not quite as minimal an environment as I'd originally hoped, but it's easier to maintain and still reasonably secure.

Along the way I also created a small program to help with the actual jailing of processes. We're using this in conjunction with child_process.spawn to safely execute untrusted code from our parent node HTTP server. I've open sourced it here: https://github.com/Hubify/jailor. Enjoy!

Dave
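
The check discussed in this thread (shared libraries, the certificate directory and device nodes all present inside the chroot), as an added shell example that is not part of the original posts. The function names and the `EXTRA_PATHS` list are assumptions; the list is built from the paths mentioned in the messages above.

```shell
#!/bin/sh
# Added example: list what a binary needs that is absent from a chroot tree.
# EXTRA_PATHS (assumed name) holds the non-library paths named in the thread.
EXTRA_PATHS="/etc/ssl/certs /dev/null /dev/random"

# Read `ldd` output on stdin and print the absolute path of each resolved
# object. Lines without a path (linux-vdso, "not found") print nothing.
ldd_paths() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# jail_missing JAIL_ROOT: read `ldd` output on stdin, then print every
# library path and every EXTRA_PATHS entry that is absent under JAIL_ROOT.
jail_missing() {
  jail=${1%/}
  {
    ldd_paths
    for p in $EXTRA_PATHS; do printf '%s\n' "$p"; done
  } | LC_ALL=C sort -u | while IFS= read -r p; do
    [ -e "$jail$p" ] || printf '%s\n' "$p"
  done
}

# jail_preflight JAIL_ROOT BINARY: run on the host, against a binary you
# trust (ldd can execute code from the file it inspects).
# Libraries loaded at run time with dlopen() do not appear in ldd output.
jail_preflight() {
  ldd "$2" | jail_missing "$1"
}

# Stand-alone use: sh script.sh JAIL_ROOT BINARY
if [ "$#" -eq 2 ]; then
  jail_preflight "$1" "$2"
fi
```

An empty result means every path `ldd` reported, plus the three extra paths, exists under the jail root; it does not cover modules the process loads later with `dlopen()`.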