使用 sudo 从 Node.js 运行命令
[英]Running command from Node.js with sudo
问题描述
Being new to Node.js, I have this question..
作为 Node.js 的新手,我有这个问题..
I see it mentioned in a few places that node should not be run as root, such as this .我在几个地方看到它提到 node 不应该以 root 身份运行,例如this 。 I am just using node to set up a simple web service and executing a python script which requires root access.我只是使用 node 来设置一个简单的Web 服务并执行一个需要 root 访问权限的 python 脚本。 I just don't understand where the danger lies, as in what could the hacker do.我只是不明白其中的危险在于,在什么可能的黑客做。
My node.js file is something like this:-我的 node.js 文件是这样的:-
var http = require('http');
var express = require('express');
var app = express();
app.use(express['static'](__dirname));
app.get('/alert', function(req, res) {
var addr = req.query.addr;
//~ need to check if it is a valid address??
console.log('Received addr -' + addr);
var spawn = require('child_process').spawn;
var process = spawn('python', ['custom-text-led/custom-text.py', addr]);
process.stdout.on('data', function(data) {
console.log('Data:' + data);
});
})
app.get('*', function(req, res) {
res.status(404).send('Unrecognized API call');
});
app.use(function(err, req, res, next) {
if (req.xhr) {
res.status(500).send('Opps, something went wrong');
} else {
next(err);
}
});
app.listen(3000);
console.log('App server running at port 3000');
3 个解决方案
解决方案1
1 2016-09-30 07:30:36
The hacker could do anything if there is any security issues.如果有任何安全问题,黑客可以做任何事情。 You could give the user witch runs the web server the permission to do the task your task is intending to do.您可以授予运行 Web 服务器的用户执行您的任务打算执行的任务的权限。
In general try to avoid root whenever you can (put the tinfoil hat on).一般来说,尽可能避免root(戴上锡纸帽)。
解决方案2
1 2020-02-14 12:36:35
According to this post from superuser of StackExchange platform, you can pipe the password to other sudo commands, like this:根据StackExchange平台superuser的这篇文章,您可以将password通过管道传递给其他sudo命令,如下所示:
echo <password> | sudo -S <command>
and according to this StackOverflow post, you can pipe commands in spawn like this:根据这个StackOverflow帖子,您可以像这样在spawn管道命令:
child.spawn('sh', args)
var args = ['-c', <the entire command you want to run as a string>];
After some hours struggling I found the solution.经过几个小时的努力,我找到了解决方案。 To wrap it all up, your answer would be something like:总而言之,您的答案将类似于:
import { spawn } from "child_process";
const process = spawn("sh", ["-c", "sudo -K << <password> <the entire command you want to run with sudo>"]);
I hope it would help you and others like me.我希望它能帮助你和其他像我一样的人。
解决方案3
0 2020-08-25 21:45:41
Building on MajidJafari's work (which unfortunately did not work for me as he typed it) I was able to come up with something that works, albeit very convoluted.以 MajidJafari 的工作为基础(不幸的是,他打字时对我不起作用)我能够想出一些有用的东西,尽管非常复杂。
const process = spawn("sh", ["-c", "echo <password used for sudo user> | sudo -S bash -c '<enter command or multiple commands separated by && here>'"]);
All the commands encased within the set single parenthesis ' ' will be run as sudo.包含在设置的单括号“ ”中的所有命令都将作为 sudo 运行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.