1

I'm starting node.js on my server. I have to start the node.js HTTP server as root, because it will listen on the port 80. Once i start the node.js on port 80, if a person is able to execute some code on my server trough the application will this person have root privileges?

I'm using xubuntu.

krionz
  • 111
  • 2
  • 1
    See also: https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux – Rob W Aug 21 '18 at 21:33

2 Answers2

2

It depends on the actual server implementation.

While it looks like that node.js started as root will keep these privileges other servers (like Apache or nginx) only start as root and then give up privileges. A typical design for example is to have some master process which binds to the sockets with the necessary privileges and then forks a child which gives up all root privileges permanently before processing any data from the network. This is possible since the listen sockets are inherited from the parent process and the root permissions were only needed to bind the socket to a privileged port but not to accept connections on the established socket.

For example with nginx you will see something like the following:

$ ps -ax -o user,pid,ppid,cmd | grep nginx
root     14746     1 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 14747 14746 nginx: worker process
www-data 14748 14746 nginx: worker process

The first process shown is the master, running as root. The others are the workers started by the master running as non-privileged www-data. Only these non-privileged workers will process user input and thus in case of a compromise due to some unexpected input from the network only the non-privileged user will be compromised first. Of course, an attacker might then try to do a local privilege escalation using additional bugs in the host but that's a different issue.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
0

It sure does. That is why in production some people use NGINX as a proxy to node. Then you can start your node on a high number port that does not require escalated privileges.

Here is a write up on configuring NGINX and Node.JS https://medium.com/@utkarsh_verma/configure-nginx-as-a-web-server-and-reverse-proxy-for-nodejs-application-on-aws-ubuntu-16-04-server-872922e21d38

Joe M
  • 2,997
  • 1
  • 6
  • 13