Node Permissions for Unix Domain Sockets

I start the nginx server and the node Express web server using daemontools, connecting the two with Unix domain sockets. There are only a few problems:

  • The socket file remains in place after shutdown, so I must delete it when restarting the server, otherwise I get an EADDRINUSE error.
  • The nginx server runs as the nginx user, and the node server runs as the node user.
  • The socket file is created by Express when the server starts, and the umask sets the permissions of the socket file to 755.
  • The setuidgid program sets the group to the user's default group, which is node in this case.
  • The application's deployment scripts and the daemontools launch script run before the node server instance is launched, so there is no way to set permissions on the file, since it must be recreated at startup.

If I chgrp and chmod g+w the socket file, everything works fine. Is there a way to set this up so that the node application's socket file is created with the correct permissions for nginx to write to it, without compromising the security of either application's independence? I would even accept adding nginx to the node user's group if there were still a way to set the permissions on the socket file so that it is group-accessible.

+7
nginx file-permissions express unix-domain-sockets
3 answers

I may be late.

As a complement to your own answer, there is a solution that does not add the nginx user to the node group.

Create a directory for the socket file only, make it owned by the node user and the www-data group (or whatever group nginx runs as), and set the setgid bit (SGID) on this directory:

    mkdir -p /var/lib/yourapp/socket
    chown nodeuser:nginxgroup /var/lib/yourapp/socket
    chmod g+rxs /var/lib/yourapp/socket

All files created inside this directory will automatically belong to the nginxgroup.

+4

I managed to get it working by adding nginx to the node user's primary group:

    gpasswd -a nginx node

And then starting the Express server with the following:

    // Create the server
    var fs = require('fs');
    var http = require('http');
    var express = require('express');
    var app = express();
    var sock = '/path/to/app.sock'; // socket path (placeholder)
    fs.stat(sock, function(err) {
      if (!err) { fs.unlinkSync(sock); } // remove a stale socket from the previous run
      http.createServer(app).listen(sock, function(){
        fs.chmodSync(sock, '775');
        console.log('Express server listening on ' + sock);
      });
    });

I really don't feel that this is the right solution, just a hack. Express was not designed to remove files and configure their permissions, and this especially makes me add the nginx user to the node user's primary group. If the nginx account were ever compromised, an attacker could have access to the entire source of the application, as well as try endless attacks on the code through the socket. The best I can do is set the umask to 077 for the node user and try to get 100% coverage with chmod 600 on each file and chmod 700 on each directory, or set a different default group for the user altogether.

However, I would still appreciate any ideas.

+1

@Bobby's answer left me with connect() to unix:/run/static0.sock failed (13: Permission denied) in nginx. chmod 777 did the trick. Here is my solution [based on it]:

    var fs = require('fs');
    var http = require('http');
    var process = require('process');
    var express = require('express');
    var app = express();
    app.get('/', function (req, res) { res.send('Hello World!'); });
    var sock = process.argv[2];
    fs.stat(sock, function(err) {
      if (!err) { fs.unlinkSync(sock); }
      http.createServer(app).listen(sock, function(){
        fs.chmodSync(sock, '777');
        console.log('Express server listening on ' + sock);
      });
    });

Run as:

    $ node server.js /run/static0.sock
    Express server listening on /run/static0.sock
0
