I have set up a http server on node.js which listens to port 80. However, ports less than 1024 traditionally require elevated permissions. I therefore had to execute my server using sudo:
sudo nodejs httpserver.js
People say running a server as root is a big no no here and I should use other ports above 1024 and redirect them to 80 instead so that I don't have to be root to execute the script. But why? what are security vulnerabilities, what are the concerns?
If there's a vulnerability in your httpserver.js script such that an attacker can get the node.js process to run arbitrary code, then that arbitrary code will be running as root. And you have to assume that such vulnerabilities do exist.
Related
I am trying to get a NodeJs application to run on a Amazon Linux server using port 80. Currently when I run the app it is defaulting to port 1024. I understand that this is due to the fact that I have to be root to run on port 80 but given I am on a aws linux box I am not able to run that as root. I have been digging for awhile but I am coming up short on what I need to adjust to get this to run properly.
sudo bash will allow you to connect as root on your EC2 Amazon Linux instance.
I would question why do you want to run NodeJS on port 80, the best practice would have a load balancer in front of your instance to accept HTTPS calls and relay to whatever port nodejs will run on your instance, in a private subnet.
I would suggest to read this doc to learn how to do this : https://aws.amazon.com/getting-started/projects/deploy-nodejs-web-app/
I created a compute engine which has these network tags and firewall rules:
So if I understand this correctly, the machine is allowed to listen on port 80.
I installed node and created a really simple http server just to see if I can reach the box via http. Logged in via ssh on cloud console. When I try to start it (e.g. npm start to run the server), it says:
Error: listen EACCES: permission denied 0.0.0.0:80
Why? How to resolve?
I read somewhere that low port #s are usually restricted to root user, so I tried sudo it says sudo: npm: command not found and similar for sudo node.
Also why is that when you create a server using scripts like these, the article says they are executed as root? How does that happen and why am I not executing as root when I'm the one who booted up the machine and logged in as myself? Yes, my understanding of linux perms is very newbie.
Thanks...
In order to use TCP ports lower than 1024 you node server must run with root privileges. TCP ports 1024 and higher do not require privilege.
When you login to a Google Cloud Compute Engine instance, you are loggin in as a normal user. You do not have root privilege. To grant root privilege to a command, prefix it with sudo. Example: sudo mkdir /directoryname.
I do NOT recommend running node servers with root privilege. This opens a possibly serious security hole in your system. Search the Internet on this topic before deciding.
Your choices are:
Select a port above 1023. Common port numbers: 8000, 8080, 5000.
Start the node server with root privileges: sudo node hello.js
In regards to npm not being found. You will need to modify the environment's PATH variable to include the location of where you installed your node toolset for the user root.
I have deployed an Express application into EC2 instance but there is a weird problem. After SSH into the instance, If I start the server by
node server.js
it is not available through the browser;
If I start the server by
sudo node server.js
everything is ok.
Not suer why.
Ports less than 1024 are reserved for root, and thus require root permission.
My guess is that you are attempting to bind to ports 80/443, the default web ports. As such, this requires root permissions.
However, it is a bad idea to run your application as root, and so an alternative solution should be implemented.
sudo permission is required on low number port. you should use a proxy in front of your app; like nginx so that you can use low number port by redirect to your app's port.
I am using gorilla/mux package in golang, but there are some problems. The first is I have no permissions to use port 80 on my application becuase I cannot run the application from sudo as the $GOPATH is not set when using sudo.
Here is the error I get from my program:
$ go run app.go
2014/06/28 00:34:12 Listening...
2014/06/28 00:34:12 ListenAndServe: listen tcp :80: bind: permission denied
exit status 1
I am unsure if it will even work when I fix the sudo problem, because apache is already using port 80 and I am not sure if both my app and apache can "play nice" together.
Any advice on how to solve this would be great. Thank you.
Quoting elithar's comment,
You have two options: either turn off Apache (because only one service
can bind to a port), or (better!) use Apache's ProxyPass to proxy any
incoming requests to a specific Hostname to your Go server running on
port (e.g.) 8000. The second method is very popular, robust, and you
can use Apache to handle request logging and SSL for you.
Reverse Proxying
Using Apache on port 80 in this way is called a reverse proxy. It receives all incoming connections on port 80 (and/or port 443 for https) and passes them on, usually unencrypted, via internal localhost connections only, to your Go program running on whatever port you choose. 8000 and 8080 are often used. The traffic between Apache and your server is itself HTTP traffic.
Because your Go program does not run as root, it is unable to alter critical functions on the server. Therefore it gives an extra degree of security, should your program ever contain security flaws, because any attacker would gain only limited access.
FastCGI
You can improve the overall performance of the reverse proxying by not using HTTP for the connection from Apache to the Go server. This is done via the FastCGI protocol, originally developed for shell, Perl and PHP scripts, but working well with Go too. To use this, you have to modify your Go server to listen using the fcgi API. Apache FastCGI is also required. The traffic from Apache to your server uses a more compact format (not HTTP) and this puts less load on each end.
The choice of socket type is also open: instead of the usual TCP sockets, it is possible to use Unix sockets, which reduce the processing load even further. I haven't done this in Go myself, but the API supports the necessary bits (see a related question).
Nginx
Whilst all the above describes using Apache, there are other server products that can provide a reverse proxy too. The most notable is Nginx (Nginx reverse proxy example), which will give you small but useful performance and scalability advantages. If you have this option on your servers, it is worth the effort to learn and deploy.
Based on this previous answer about environment variables, I was able to solve the sudo problem easily.
https://stackoverflow.com/a/8636711/2576956
sudo visudo
added these lines:
Defaults env_keep +="GOPATH"
Defaults env_keep +="GOROOT"
Using ubuntu 12.04 by the way. I think the previous answer about the proxy for using port 80 is the correct choice, because after fixing the sudo issue I was given this error about port 80 instead:
$ sudo go run app.go
2014/06/28 01:26:30 Listening...
2014/06/28 01:26:30 ListenAndServe: listen tcp :80: bind: address already in use
exit status 1
Meaning the sudo command was fixed but the proxy binding would not work with another service already using port 80 (apache).
I'm a Linux beginner and have a Linux Ubuntu 12.04 server. I've installed node.js and created a webserver script. That works fine, but it runs as root user.
I know that's not good (root-user & webserver = unsafe).
How can I run the webserver script as an non-root user? Does somebody know a good detailed tutorial or can give me some advice?
You have two options:
Listen on port 80
Run as root, start your app's listen() on port 80 and them immediately drop to non-root. This is what Apache does, for example. Not recommended since it's easy to get this wrong, and lots of other details (writing to log files, initialization required before you can listen, etc.). Not standard practice in node.
Listen on port >=1024*
Run as non-root, listen on a port >= 1024 (say: 8000, or 8080), and have someone else listen on port 80 and relay port 80 traffic to you. That someone else can be:
A load-balancer, NAT, proxy, etc. (Maybe an EC2 load balancer if you're running on EC2, e.g.)
Another http server, say Apache httpd or ngnix.
For an ngnix example, see this: Node.js + Nginx - What now?
you can just run node hello.js