
I want to make a Node.js development server use HTTPS by giving it access to the contents of a TLS certificate and private key file.

On the one hand, I don't like the idea of making the TLS private key file readable by anyone other than root. On the other hand, I like the idea of running the Node server as root even less.

So it occurs to me that I can avoid resorting to those methods by starting my development server manually with the following shell command:

sudo cat /path/to/private/key/file | /path/to/node/server

(In my case the server program can be configured to read STDIN and parse the key contents as necessary.)

My assumptions here are that the pipe (the | in the command above) is anonymous (in contrast to named pipes), and that unprivileged third-party programs are unable to access the file descriptors corresponding to it (at least on Linux?). Is that correct?

Are there any other security aspects I need to be aware of? Is this a good solution, or are there better alternatives?

Will
  • Crossdupe https://unix.stackexchange.com/questions/156859/is-the-data-transiting-through-a-pipe-confidential -- but it makes sense to have a copy here – dave_thompson_085 Jan 27 '19 at 04:45

1 Answer


The | is anonymous. The pipe will usually not be accessible to anyone who isn't root or the owner of one of the processes. As soon as you read the standard input and close it, the cat process will exit, and the pipe will no longer exist to even be exploitable by root or the owner of the remaining process.

That said, it's usually less hassle to code your program to start as root but drop privileges before it gets to the point of actually paying attention to anything coming in from outside. This is the mechanism that's used in email and web servers to let them listen on a privileged port, but not be seen as a root-level externally accessible security hole waiting to happen, for example.

Ed Grimm
  • Thanks! You're right of course about dropping privileges, but the particular server I'm using doesn't seem to have a configuration option to do that. I suppose I could create a wrapper around the server to add that capability, but that doesn't seem to me like it would necessarily be less hassle than the pipe solution. Still a good point though. – Will Jan 27 '19 at 03:32