Thursday, 22 February 2024

Running a node.js server on a privileged port

I needed to run a node.js server application with a listener on a privileged port (in this case port 80, because it was an HTTP proxy).

Running a whole node application as root just so it can bind to a port lower than 1024 is overkill and turns any bug in node.js, imported modules, and your code into potential remote root security exploits. Not good.

Most server software designed to run on privileged ports (e.g. httpd) is designed to be initially run with root privileges to bind the port but will then drop those privileges once that is done and run as a dedicated system user with only the minimum set of permissions required to do its job.

Thanks to this serverfault answer, I learned about the authbind utility.

Install it (your Linux distro likely has a package available) and then touch, chown, and chmod the appropriate file in the `/etc/authbind/` folders. Read the manual page for all the options.

Sooo..... Assuming the desired app.js is running under non-privileged user "user" and you wish to bind to port 80:

```sh
sudo touch /etc/authbind/byport/80
sudo chown user:user /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
```

Then as "user", run your app like this:

```sh
authbind node app.js
```
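
To check the result of the steps above, this added example (not from the original post) audits the files under `/etc/authbind/byport`. It relies on authbind's documented rule that a user may bind a port when they have execute access to the matching byport file. The function name `audit_authbind` and the use of GNU `stat` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Linux).
# authbind authorises bind() to port N when the calling user has execute
# access to /etc/authbind/byport/N, so each execute bit on that file is a grant.
# audit_authbind is a name chosen for this example.

audit_authbind() {
    dir=${1:-/etc/authbind/byport}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skips non-files and an empty directory
        port=${f##*/}
        mode=$(stat -L -c '%a' "$f")       # octal permissions, e.g. 500
        owner=$(stat -L -c '%U' "$f")
        group=$(stat -L -c '%G' "$f")
        if [ $(( 0$mode & 0001 )) -ne 0 ]; then
            echo "WARN port $port: any local user may bind (mode $mode)"
            findings=$((findings + 1))
        elif [ $(( 0$mode & 0010 )) -ne 0 ]; then
            echo "WARN port $port: members of group '$group' may bind (mode $mode)"
            findings=$((findings + 1))
        elif [ $(( 0$mode & 0100 )) -ne 0 ]; then
            echo "OK port $port: only user '$owner' may bind (mode $mode)"
        else
            echo "INFO port $port: no execute bit set, grants nothing (mode $mode)"
        fi
    done
    [ "$findings" -eq 0 ]                  # non-zero exit if any grant is wider than one user
}

# Usage: audit_authbind                    (defaults to /etc/authbind/byport)
#        audit_authbind /path/to/byport
```

With the `chmod 500` setup shown above, the audit reports port 80 as bindable only by the owning user. A mode such as 755 on the same file would let every local account bind that port through authbind.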
  
