Thursday, 22 February 2024

Running a node.js server on a privileged port

I needed to run a node.js server application with a listener on a privileged port (in this case port 80, because it was an HTTP proxy).

Running a whole node application as root just so it can bind to a port lower than 1024 is overkill and turns any bug in node.js, imported modules, and your code into potential remote root security exploits. Not good.

Most server software designed to run on privileged ports (e.g. httpd) is designed to be initially run with root privileges to bind the port but will then drop those privileges once that is done and run as a dedicated system user with only the minimum set of permissions required to do its job.

Thanks to this serverfault answer, I learned about the authbind utility.

Install it (your Linux distro likely has a package available) and then touch, chown, and chmod the appropriate file in the `/etc/authbind/` folders. Read the manual page for all the options.

Sooo... Assuming the desired app.js is running under non-privileged user "user" and you wish to bind to port 80:

```
sudo touch /etc/authbind/byport/80
sudo chown user:user /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
```

Then as "user", run your app like this:

```
authbind node app.js
```
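A startup preflight that app.js could run before calling `listen()`, as an added example that is not part of the original post. It relies on authbind's documented rule that a bind is authorised when `/etc/authbind/byport/<port>` is executable by the calling user (checked with access(2)); the function names `authbindAllows`, `preflight` and `listenChecked` are hypothetical.

```javascript
// Added example: refuse to run as root and check the authbind permission file
// before binding a privileged port. Function names here are hypothetical.
const fs = require('node:fs');
const path = require('node:path');

const AUTHBIND_DIR = '/etc/authbind'; // directory named in the post

// True when byport/<port> is executable by the calling user, which is the
// condition authbind tests; fs.accessSync performs the same access(2) check.
function authbindAllows(port, baseDir = AUTHBIND_DIR) {
  try {
    fs.accessSync(path.join(baseDir, 'byport', String(port)), fs.constants.X_OK);
    return true;
  } catch {
    return false; // file missing, or no execute permission for this user
  }
}

// Returns 'ok', 'refuse-root' or 'not-authorised'. `uid` and `baseDir`
// are injectable so the decision can be tested without touching /etc.
function preflight(port, { uid = process.getuid(), baseDir = AUTHBIND_DIR } = {}) {
  if (uid === 0) return 'refuse-root';   // never serve requests as root
  if (port >= 1024) return 'ok';         // unprivileged port, no authbind needed
  return authbindAllows(port, baseDir) ? 'ok' : 'not-authorised';
}

// Wraps server.listen(): fails early with a clear reason, and explains the
// EACCES that still occurs if the app was started without the authbind wrapper.
function listenChecked(server, port, opts) {
  const verdict = preflight(port, opts);
  if (verdict !== 'ok') {
    throw new Error(`refusing to listen on port ${port}: ${verdict}`);
  }
  server.on('error', (err) => {
    if (err.code === 'EACCES') {
      console.error(`bind to ${port} denied: start the app with "authbind node app.js"`);
    }
    process.exit(1);
  });
  return server.listen(port);
}
```

A passing preflight only confirms the permission file is in place; the process must still be launched through `authbind` for the bind itself to succeed.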
  
