Geek Answers Handbook

In node.js, how will I follow the Least Privilege Principle?

Imagine a web application that performs two main functions:

  • Serves data from a file that requires the above privileges to read from
  • Serves data from a file that requires lower privileges to read from

My guess: To allow reading of both files, I will need to start node using an account that could read both files.

If node is running under an account that has access to both files, then a user who does not have to read any file that requires higher permissions can potentially read these files due to a lack of security in the web application code. This will be disastrous in my imaginary world of web applications.

Ideally, a node process can run with a minimal set of rights, and then temporarily escalate these rights before accessing a system resource.

Questions: Can node temporarily increase privileges? Or is there a better way?

If not, I'm considering starting two different servers (one with higher privileges and one with lower privileges), and then both of them behind a proxy server that authenticates / authorizes before sending the request.

Thanks.

+8
security
source share
2 answers

This is a really difficult case. In the end, file permissions are some kind of metadata. Instead of directly accessing files, my recommendation would be to have some layer between the files in the form of a database table or anything that could map the user type to a file, and transfer the file to the user if it exists.

This would mean that the so-called web application could not just bypass file system permissions as easily. You can even configure it so that the specified files do not have read permissions on the server, and instead are read-only between layers. All he can do is call and see if the user with the permissions granted can access the files. It also allows you to share between multiple web applications, if you choose. Also, due to the very specific nature of what happens between layers, you can provide a very limited set of calls.

Now, if a user with a lower privilege somehow gets access to a higher priority user account, they will be able to see this file, and there is no way to get around this without blocking the user account. However, this is part of the development process.

+1
source share

No, I doubt that node.js-out of the box can guarantee minimal privileges.

It can be assumed that if node.js is run as root, it can minimize its operating system rights using system calls to allow or restrict access to certain resources, but then run again as root to defeat the original target.

One of the possible solutions could be to launch three instances of node, a proxy (without special permissions) for a direct call to one or two other servers operating at different privilege levels. (Heh, as you already mentioned. I really need to read the rest of the messages before jumping into the fray!)

0
source share

More articles:


All Articles