运行时Node.JS切换用户
[英]Node.JS switch user while running
问题描述
Is it possible for a Node.JS program that is running as root, to downgrade its authority while it is running? 
以root身份运行的Node.JS程序是否有可能在运行时降级其权限? This would be one of the first things it does, and the purpose is of course to limit possible damage it could cause, in the unlikely event that there is a vulnerability, or mis-trusted code that runs in this process. 这将是它首先要做的事情之一,目的当然是要限制它可能造成的损坏,以防万一发生漏洞或在此过程中运行的不可信代码。
Alternatively, is there a way for Node.JS process that is running as root, to start a separate process which is non-root? 另外,是否有一种方法可以让以root用户身份运行的Node.JS进程启动一个非root用户的单独进程? (preferably without adding a layer in between, such as sudo) (最好不要在两者之间添加任何层,例如sudo)
3 个解决方案
解决方案1
4 2012-11-06 21:49:15
解决方案2
2 2012-11-06 21:51:33
是的,使用process.setuid(id)和process.setguid(id)更改当前进程的有效用户/组ID。
解决方案3
0 2012-11-06 21:56:57
@mabako's answer looks great, but there should be operating system tricks that are easier. @mabako的答案看起来不错,但应该有一些更容易的操作系统技巧。
What I've seen people do a lot with node is to either 我见过人们在节点上做的很多
Add the user that runs the node code to the
www-datagroup to allow it to bind to privileged ports.将运行节点代码的用户添加到www-data组,以使其绑定到特权端口。ex: http://kvz.io/blog/2009/12/15/run-nodejs-as-a-service-on-ubuntu-karmic/
例如: http : //kvz.io/blog/2009/12/15/run-nodejs-as-a-service-on-ubuntu-karmic/ Use iptables to redirect privileged ports to an unprivileged node program, which listens on a high port.
使用iptables将特权端口重定向到在高端口上侦听的非特权节点程序。 iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
Do you have any non-port-binding reasons to run a node server as root? 您是否有任何非端口绑定的原因以root用户身份运行节点服务器?
EDIT: More tricks here: Is there a way for non-root processes to bind to "privileged" ports on Linux? 编辑:这里的更多技巧: 是否有一种方法可以将非根进程绑定到Linux上的“特权”端口?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.