I created a compute engine which has these network tags and firewall rules:
So if I understand this correctly, the machine is allowed to listen on port 80.
I installed node and created a really simple http server just to see if I can reach the box via http. Logged in via ssh on cloud console. When I try to start it (e.g. npm start to run the server), it says:
Error: listen EACCES: permission denied 0.0.0.0:80
Why? How to resolve?
I read somewhere that low port #s are usually restricted to root user, so I tried sudo it says sudo: npm: command not found and similar for sudo node.
Also why is that when you create a server using scripts like these, the article says they are executed as root? How does that happen and why am I not executing as root when I'm the one who booted up the machine and logged in as myself? Yes, my understanding of linux perms is very newbie.
Thanks...
In order to use TCP ports lower than 1024 you node server must run with root privileges. TCP ports 1024 and higher do not require privilege.
When you login to a Google Cloud Compute Engine instance, you are loggin in as a normal user. You do not have root privilege. To grant root privilege to a command, prefix it with sudo. Example: sudo mkdir /directoryname.
I do NOT recommend running node servers with root privilege. This opens a possibly serious security hole in your system. Search the Internet on this topic before deciding.
Your choices are:
Select a port above 1023. Common port numbers: 8000, 8080, 5000.
Start the node server with root privileges: sudo node hello.js
In regards to npm not being found. You will need to modify the environment's PATH variable to include the location of where you installed your node toolset for the user root.
Related
I have an app set to listen to port 66.
First I tried to run it with sudo node myapp.js . I was able to access it at the correct url (ip:66). Then I stopped the app (Ctrl+c) and started it with pm2, sudo pm2 start app.js. The status is online. However, that same url is now inaccessible.
Running sudo pm2 logs while the app is started with pm2 gives me the error EACCESS for port 66. No one else is running the app, and I am sure I am only using one console and killing the node service before starting it with pm2.
Pm2 was installed globally. Server is Debian stretch. Nodejs version is 8.x
I am logging as a normal user and using sudo to run the app.
on linux systems normal users are not allowed to listen to ports below 1024. There are several ways around this.
You can change this rule to allow non root users to open such ports. But this is a security risc and is not recommended. So i won't add a link to this solution.
you can also listen to a port that is greater than 1024 and then use a forward rule in your firewall to route port 66 to the port you opened.
https://www.systutorials.com/816/port-forwarding-using-iptables/
my (and pm2's) prefered solution is to listen to a port greater than 1024 and use a reverse proxy like nginx to route apps running on that server.
http://pm2.keymetrics.io/docs/tutorials/pm2-nginx-production-setup
I have deployed an Express application into EC2 instance but there is a weird problem. After SSH into the instance, If I start the server by
node server.js
it is not available through the browser;
If I start the server by
sudo node server.js
everything is ok.
Not suer why.
Ports less than 1024 are reserved for root, and thus require root permission.
My guess is that you are attempting to bind to ports 80/443, the default web ports. As such, this requires root permissions.
However, it is a bad idea to run your application as root, and so an alternative solution should be implemented.
sudo permission is required on low number port. you should use a proxy in front of your app; like nginx so that you can use low number port by redirect to your app's port.
I started a new SSH daemon with a config file with a non-standard port number. Now if I start the SSHD as sudo I can SSH onto the host but if i start as a different system account, the daemon starts but the connections fail. Does the SSHD always need to be started as root ?
I made sure the SSHD is running, it just doesnt accept connections.
It is not practical to run sshd as non-root. sshd needs root privileges for
password authentication (only root can access /etc/shadow)
binding to a port that is below 1024
calling setuid() in order to obtain the privileges of the user that has connected
If you use an unprivileged port and key-based only auth, you may be able to make it work, but you'll be restricted to connections with the user that is running sshd.
There is a relevant discussion here: http://seclists.org/basics/2003/Aug/564
Which port did you use? Ports below 1024 are privileged to Root only.
In open source project,project open, I'm trying to run the server on port 80 for http and 443 for https which gave an error
[-nssock:driver-] Error: nssock: failed to listen on 0.0.0.0:80: Permission denied
and also is there anything else required to enable https port(like certification,etc)
Are there any other applications which already used the port 80? run below command to find out what applicaiton use the resource
netstat -an |grep "\.80 "
lsof -i:80
Probably you are trying to run AolServer as non-root user, but AolServer is configured to use "privileged" ports 80 and 443 (ports below 1024 are "privileged").
You may either configure your system to allow non-root process to bind to "privileged" ports, or just run AolServer as root. For the first approach also check discussion of the capabilities system.
I have set up a http server on node.js which listens to port 80. However, ports less than 1024 traditionally require elevated permissions. I therefore had to execute my server using sudo:
sudo nodejs httpserver.js
People say running a server as root is a big no no here and I should use other ports above 1024 and redirect them to 80 instead so that I don't have to be root to execute the script. But why? what are security vulnerabilities, what are the concerns?
If there's a vulnerability in your httpserver.js script such that an attacker can get the node.js process to run arbitrary code, then that arbitrary code will be running as root. And you have to assume that such vulnerabilities do exist.