What I did was a version of Peter Lyon's solution (I abbreviated it from several places, so it may not work, but the idea works):
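```javascript
var fs = require('fs');
var winston = require('winston');

// console-only logger to start with
var logger = new (winston.Logger)();
logger.add(winston.transports.Console, { timestamp: true });

// start server and downgrade user (httpsServer is created elsewhere)
httpsServer.listen(443, function() {
  logger.info('Ready on port 443');
  fs.stat(__filename, function(err, stats) {
    if (err) throw err;
    // hand the redirected stdout/stderr log to the file's owner while still root
    fs.chownSync('stdouterr.log', stats.uid, stats.gid);
    // drop the group first, then the user
    process.setgid(stats.gid);
    process.setuid(stats.uid);
    // file logging starts only after the drop
    logger.add(winston.transports.File, {
      filename: 'mylogfile.log',
      handleExceptions: true
    });
    logger.info('downgraded to non-root uid', {"uid": stats.uid});
  });
});
```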
Once I am successfully listening on port 443, I log a message to say so. logger is a winston logger configured only with console output (which is redirected to the stdouterr.log file by running node using node app.js >> stdouterr.log 2>&1 ). Therefore, this log message only appears in stdouterr.log .
Then I look up the owner of the current file and chown stdouterr.log to belong to this user. Then I set the gid and uid of the current process (the privilege-dropping part).
Then I add file logging to my winston logger.
Finally, I log that I have downgraded to the non-root user. This message appears in both stdouterr.log and mylogfile.log .
Not as pretty as I hoped (no file logging while the process runs as root), but this means that the log files are easily protected and managed.
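Added example, not part of the original answer: the answer drops privileges with setgid followed by setuid; this sketch wraps that sequence, additionally clears root's supplementary groups with process.setgroups, and checks that root cannot be regained afterwards. The names dropPrivileges and makeFakeProcess are hypothetical, and the fake process object is constructed so the logic can be run without root.

```javascript
// Added example. `proc` defaults to the real process but is injectable so the
// ordering and verification logic can be exercised without root.
function dropPrivileges(target, proc = process) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('POSIX credentials are not available on this platform');
  }
  if (proc.getuid() !== 0) {
    return { dropped: false, uid: proc.getuid(), gid: proc.getgid() };
  }
  if (!Number.isInteger(target.uid) || !Number.isInteger(target.gid) ||
      target.uid === 0 || target.gid === 0) {
    // Policy assumption of this example: never "drop" to root's uid or gid.
    throw new Error('target uid/gid must be non-zero integers');
  }
  // Each call below needs root, so the uid must change last.
  proc.setgroups([target.gid]); // discard root's supplementary groups
  proc.setgid(target.gid);
  proc.setuid(target.uid);

  // Verify the drop took effect and cannot be undone.
  try { proc.setuid(0); } catch (e) { /* expected: EPERM */ }
  if (proc.getuid() !== target.uid || proc.getgid() !== target.gid) {
    throw new Error('privilege drop failed or is reversible');
  }
  return { dropped: true, uid: proc.getuid(), gid: proc.getgid(),
           groups: proc.getgroups() };
}

// Constructed stand-in for `process` that enforces "only root may change ids".
function makeFakeProcess(uid, gid, groups) {
  const s = { uid, gid, groups, calls: [] };
  const asRoot = (name, fn) => (arg) => {
    if (s.uid !== 0) throw new Error('EPERM: ' + name);
    s.calls.push(name);
    fn(arg);
  };
  return {
    calls: s.calls,
    getuid: () => s.uid, getgid: () => s.gid, getgroups: () => s.groups,
    setgroups: asRoot('setgroups', (g) => { s.groups = g; }),
    setgid: asRoot('setgid', (g) => { s.gid = g; }),
    setuid: asRoot('setuid', (u) => { s.uid = u; }),
  };
}
```

In the answer's listen callback this would be called as dropPrivileges({ uid: stats.uid, gid: stats.gid }) after the chownSync call and before the file transport is added.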