I have installed "node.js" on a shared server. I have rename the directory so that it can not be found easily. Also I have my node directory in a location above /public_html.
I have also installed node on my PC for programming and testing easy on my local system vrs my web server.
What I would like to know is does this create a security risk where someone could hack my sites if they knew where my node installation files exist?
I have not added the path to my bash, so the commands have to be executed manually by using the ~ representing home, and the path. Such as:
~/pathtodir/bin/npm -v
Related
I managed to install STS 3.8.2 on Ubuntu 16.04 - with a lot of hacking experiments. I have it working, but I am not happy with my solution.
Here is what I had to do:
Extracted the tar file into /opt/sts-bundle.
If you put it anywhere else, like /opt/sts, the TC server fails to start from STS.
With files in /opt/sts-bundle, TC server still fails to start from STS - permission errors. To get it to work you need to futz around with permissions of the pivotal-c-server subdirectories, essentially you need to open it up your group (the same one running STS) (security hole ?).
A local install in your own ~/sts-bundle fails on "files not found" while attempting to backup - all the conf files. It still looks in /opt/sts-bundle for all these config files (just to copy them to /backup). You can change the top directory of the server in STS server properties - but it still looks in /opt/sts-bundle. Seems hard-coded - don't know where. So you have to create all the config files in the conf directory in the tree rooted at /opt/sts-bundle ("touch" works - creating empty files). TC Server still fails to start with a "failed to clean" error - with no clue from the detailed message what files are being "cleaned".
I tried creating a non-privileged user "tcserver" per suggestion from the Pivotal TC Server docs. I installed to /opt/sts-bundle, while logged in as tcserver (with sudo privileges). That fails when I am using STS as a regular developer that is not "tcserver". Could not figure out how to tell TC server to run under a different user than the one that started STS.
The solution I have working and I am not happy with, starts by extracting the tar.gz file into /opt/sts-bundle, as it wants. Then changing owner and group of sts-bundle to my id and my group (same ones that are used in STS UI). I am not happy with that. It seems wrong to put things in /opt that are owned by a single developer.
I am new to Linux, and I still have some Windows habits that need to be unlearned.
The question is: how do I get the clean solution (installing using a "tcserver" user in the global /opt directory) to work for developers who are not "tcserver"? How should the tcserver user be related to the developers (same group?).
Am I making this problem harder than it should be? What am I missing?
I'm not sure this what you want, but I don't install the STS bundles in some kind of shared directory as a special user at all. I just install it in my user.home dir, as myself, and launch it from there.
It is very unsophisticated. I just download the tar.gz file, unpack it in my home dir and then launch it from a trivial bash script which looks something like this:
#!/bin/bash
/home/kdvolder/Applications/sts-bundle/sts-*/STS
That script is on my PATH. So I can just type 'STS' in a terminal and STS will start.
I don't have to do anything else and it works.
If you are trying to somehow install this so that several different users can run a shared installation then this isn't a good setup. But I think for your own personal laptop or desktop which only you are using, this simple setup is perfectly fine.
For a shared-user env, unfortunately, I don't know how to help you. It could be complicated to sort out all the permissions issues etc because Eclipse is a complicated beast w.r.t to installation of plugins etc.
I've been looking around for the best/most appropriate way to install node.js/npm in such a way that using commands like npm install -g bower does not require sudo, as using sudo for such a command can cause issues later on. Initially I followed this answer: Installing with nvm but this installs it into the users home directory which I read may not be a good a idea in production to have node installed in your home directory so I followed an expansion on above tutorial with this: Installing with NVM (digital ocean) however this left me still requiring sudo.
On a side note - on my macbook I installed node with homebrew, is this a good idea or is there a more standard approach.
Thanks for all your help, feel free to ask for clarifications.
I forgot to say, the machine I am planning on installing this on is running XUbuntu 14.04. (also I have my macbook running mavericks - but this is just an addition)
Sudo gives you permissions to change/add/remove files not owned by your user. Those files are as a rule everything except /home/YOU (in MacOS: /Users/YOU)
Your desire is to have Node installed as appropriate (system wide, rather than your home directory), that is good. And as you guessed you need sudo to initially install it on a system path.
But then you wish to have modules installed without sudo, meaning you want modules to be located in a directory, where your user has write access to. That would be available by default if Node was installed in your home.
To enforce your wish on a system path, you will need to give write permission to the folder where modules are located, that is change write permissions or ownership of:
/usr/local/share/npm/lib/node_modules, so that modules can be saved on your disk.
/usr/local/share/npm/bin, to allow modules executables be reachable.
You might have to alter few other folders as well.
That answers your question, but I strongly recommend you not doing so. Instead I suggest you stick to default methodologies. Everyone here without doubt will say it is absolutely safe approach to use sudo when you are installing modules globally, it is even safer to not have write permissions to global infrastructure of your install without super privileges.
I have a Python application that is currently installed following Linux Filesystem Standard Hierarchy (FHS). It is installed in:
/usr/bin/ (executable)
/usr/lib/python2.x/site-packages/{appname}/ (Python libs)
/etc/{appname}/ (conf files)
/usr/share/man/ (manual files)
Now, it is desired that a non-root user installing this application could install it without root powers and that only this user could run the app. We thought the best would be to install the app in user home directory.
We already have a .{appname} directory in user home to keep per-user configuration files, as the app installed configuration files in /etc.
I think that using the .{appname} dir to keep all application files is not a good idea, as directories pre-appended with . only keeps configuration files. Probably I'll remove the .{appname} dir, as the entire application will be installed per-user now.
2 ideas:
Create a {appname} dir and create subdirs bin, etc, lib and share/man.
Replicate Linux FHS under home and create a {app-name} subdir under lib and etc
~/bin/
~/lib/{appname}
~/share/man/
~/etc/{appname}
Which one of these is more often used and more recommended? Pros and cons of each alternative are welcome. Maybe a third option?
I've seen people recommend /home/usr/bin and /home/usr/local/bin, but I don't understand the need to include the usr here as there is no need to differentiate between essential and non-essential binaries/libraries. I'd prefer to be minimalist.
Thanks in advance.
The first option is the most common. A third option is to create (or fill out) the structure under ~/.local/ (which reflects /usr) that is already used by a number of applications for share/.
This question already has answers here:
How to make exe files from a node.js app?
(20 answers)
Closed 7 years ago.
Supposed I have written a Node.js application, and I now would like to distribute it. Of course, I want to make it easy for the user, hence I do not want him to install Node.js, run npm install and then manually type node app.js.
What I'd prefer was a single executable file, e.g. an .exe file on Windows.
How could I approach this?
I am aware of this thread, anyway this is only about Windows. How could I achieve this in a platform-independent manner? Any ideas? Best practices? ...?
The perfect solution was a "compiler" I can give a source folder to. The source folder contains the app itself in various .js files, the node_modules folder and some metadata, such as the package.json. The output should be binaries for various platforms, such as Windows, OS X and Linux.
Oh, and what's important: I do not want to make any changes to the source code, so calls to require with relative paths should still work, even if this relative path is now inside the packaged app.
Any ideas?
PS: I do not want the user to install Node.js independently, it should be included inside the executable as well.
Meanwhile I have found the (for me) perfect solution: nexe, which creates a single executable from a Node.js application including all of its modules.
It's the next best thing to an ideal solution.
First, we're talking about packaging a Node.js app for workshops, demos, etc. where it can be handy to have an app "just running" without the need for the end user to care about installation and dependencies.
You can try the following setup:
Get your apps source code
npm install all dependencies (via package.json) to the local node_modules directory. It is important to perform this step on each platform you want to support separately, in case of binary dependencies.
Copy the Node.js binary – node.exe on Windows, (probably) /usr/local/bin/node on OS X/Linux to your project's root folder. On OS X/Linux you can find the location of the Node.js binary with which node.
For Windows:
Create a self extracting archive, 7zip_extra supports a way to execute a command right after extraction, see: http://www.msfn.org/board/topic/39048-how-to-make-a-7-zip-switchless-installer/.
For OS X/Linux:
You can use tools like makeself or unzipsfx (I don't know if this is compiled with CHEAP_SFX_AUTORUN defined by default).
These tools will extract the archive to a temporary directory, execute the given command (e.g. node app.js) and remove all files when finished.
Not to beat a dead horse, but the solution you're describing sounds a lot like Node-Webkit.
From the Git Page:
node-webkit is an app runtime based on Chromium and node.js. You can write native apps in HTML and JavaScript with node-webkit. It also lets you call Node.js modules directly from the DOM and enables a new way of writing native applications with all Web technologies.
These instructions specifically detail the creation of a single file app that a user can execute, and this portion describes the external dependencies.
I'm not sure if it's the exact solution, but it seems pretty close.
Hope it helps!
JXcore will allow you to turn any nodejs application into a single executable, including all dependencies, in either Windows, Linux, or Mac OS X.
Here is a link to the installer:
https://github.com/jxcore/jxcore-release
And here is a link to how to set it up:
http://jxcore.com/turn-node-applications-into-executables/
It is very easy to use and I have tested it in both Windows 8.1 and Ubuntu 14.04.
FYI: JXcore is a fork of NodeJS so it is 100% NodeJS compatible, with some extra features.
In addition to nexe, browserify can be used to bundle up all your dependencies as a single .js file. This does not bundle the actual node executable, just handles the javascript side. It too does not handle native modules. The command line options for pure node compilation would be browserify --output bundle.js --bare --dg false input.js.
There are a number of steps you have to go through to create an installer and it varies for each Operating System. For Example:
on Mac OS X you need to create a .pkg, there are instructions on how to do that here: https://coolaj86.com/articles/how-to-create-an-osx-pkg-installer.html
on Ubuntu Linux you need to create a .deb, there are instruction on how to do that here: https://coolaj86.com/articles/how-to-create-a-debian-installer.html
on Microsoft Windows you need to create a .exe or .msi, there are instruction on how do that using the innosetup installer here: https://coolaj86.com/articles/how-to-create-an-innosetup-installer.html
You could create a git repo and setup a link to the node git repo as a dependency. Then any user who clones the repo could also install node.
#git submodule [--quiet] add [-b branch] [-f|--force]
git submodule add /var/Node-repo.git common
You could easily package a script up to automatically clone the git repo you have hosted somewhere and "install" from one that one script file.
#!/bin/sh
#clone git repo
git clone your-repo.git
I have a problem when installing npm modules. NodeJS is installed on Ubuntu 11.10 running on Virtual Box on Windows host. My project files are on NTFS partition (I have to share them with windows). When I try to install some npm module I get an error, and module is not installed. I've found out that problem occurs when npm tries to create symbolic links.
Probably you can not create symlinks on NTFS partition, when I'm installing module "inside" Linux file system, everything works fine.
How can I fix this? I don't want to resolve dependencies manually :/
Since version 1.2.21, npm has a new option for the install command. --no-bin-links
You can use if for installing a specific node module
npm install express --no-bin-links
and also for a package.json install
npm install --no-bin-links
With this option I've been able to install many npm modules without problems in my shared forlder inside the VM (Ubuntu guest, Windows Host)
The commit where the option was added to the npm code is b4c58617039c21c10889a9869f8e86a23e17d3a0
Try this - http://ahtik.com/blog/2012/08/16/fixing-your-virtualbox-shared-folder-symlink-error/
Works for me!
Basically you set a parameter
VBoxManage setextradata YOURVMNAME VBoxInternal2/SharedFoldersEnableSymlinksCreate/YOURSHAREFOLDERNAME 1
And then run the VM as an administrator....
The Symlink permissions, or the --no-bin-links didn't work for us. Instead we opted to move our node_modules away from the /vagrant share. We created a symlink from /vagrant/node_modules to /tmp/node_modules. You can only do this if your node_modules is not in version control. Check this first!
Also see http://kmile.nl/post/73956428426/npm-vagrant-and-symlinks-on-windows
I am pretty certain symlinks can't be created on the shared drive ("shared folder"). Even more impossible with a Windows host machine and a Linux guest.
The host machines are not aware of the filesystem of the guests. A guest machine is a blackbox for the host. You can't say to the host "Well this links to /etc/..." when the host doesn't know where this /etc is :).
So in short: unfortunately no.
In some more detail:
I would be really happy if I am wrong! It is a major pain in my development process.
I tried so many options. By default the filesystem that the "shared folders" use is vboxsf, something if not the same as samba (default network sharing protocol for windows) so:
I tried using native Windows network sharing and then mounting the network drive in the guest as the guest and host are on the same network. The problem was still there.
I tried running a NFS server on windows (Hanewin NFS Server) along with SFU/SUA (Windows Services for UNIX) but this has problems with GIT locks. Probably other problems as well - it was a while ago and I don't clearly remember
I tried the reverse: sharing a directory on the virtual machine to windows. But that is stupid as all the files will be on the virtual box and is reaally slow to access on windows
I was being stupid and I though "well let's mount a virtual drive on both windows and linux" - don't try this, corrupts the virtual disk. Something I should have known.
There might be a network sharing protocol other than samba and nfs which will perhaps copy the files whenever "symlink" creation is attempted? I don't know really.
However I haven't found one yet and also "locking" seems to to be a task of the file-system itself so I doubt any network protocol (unless having a dedicated registry of some sort for locks) can do this.
For anyone still having this problem after trying npm install --no-bin-links.
I wasn't able to get any of the above solutions to work when I came across a similar issue running npm install on a Laravel Homestead Vagrant box on a Windows 7 host using VirtualBox. The guest box has a mapped directory to the Windows file system.
The problem was causing various error messages and failed package installations. The one that is most relevant to the question was npm ERR! UNKNOWN, symlink '<some filename>'.
To fix this, I was able to successfully run npm install on the Git bash command line on Windows rather than bash on the guest Linux.
To do this, you will need to install Git for Windows and NodeJS (both on your Windows box).
e.g.
Install Chocolatey https://chocolatey.org/
choco install nodejs.install
choco install git.install
Run C:\Program Files (x86)\Git\Git Bash.vbs
In the Git Bash command line, change directory to the location of your package.json file e.g. cd /c/projects/projectname
Run npm install
Everything appears to install successfully.
If you don't use native modules (compiled from C/C++) you can just use npm on your Ubuntu VM and copy the node_modules folder to you windows drive.
fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1
this command enables symlinks on windows. for a better explanation to the cryptic commands at the end visit: How do I overcome the "The symbolic link cannot be followed because its type is disabled." error when getting the target of a symbolic link on Server 2008?
in summary
The behavior codes for fsutil behavior set SymlinkEvaluation - namely L2L, L2R, R2L, and R2R - mean the following:
L stands for "Local", and R for "Remote" (who would've thunk?)
The FIRST L or R - before the 2 - refers to the location of the link itself (as opposed to its target) relative to the machine ACCESSING the link.
The SECOND L or R - after the 2 - refers to the location of the link's target relative to the machine where the LINK itself is located.