Being new to Node.js, I have this question.
I see it mentioned in a few places that node should not be run as root, such as this. I am just using node to set up a simple web service and executing a python script which requires root access. I just don't understand where the danger lies, as in what could the hacker do.
My Node.js file is something like this:
```javascript
var http = require('http');
var express = require('express');
var app = express();
app.use(express['static'](__dirname));
app.get('/alert', function(req, res) {
    var addr = req.query.addr;
    //~ need to check if it is a valid address??
    console.log('Received addr -' + addr);
    var spawn = require('child_process').spawn;
    var process = spawn('python', ['custom-text-led/custom-text.py', addr]);
    process.stdout.on('data', function(data) {
        console.log('Data:' + data);
    });
});
app.get('*', function(req, res) {
    res.status(404).send('Unrecognized API call');
});
app.use(function(err, req, res, next) {
    if (req.xhr) {
        res.status(500).send('Opps, something went wrong');
    } else {
        next(err);
    }
});
app.listen(3000);
console.log('App server running at port 3000');
```
asked Sep 30, 2016 at 6:54 by daisura99
- 2 If you don't know what a hacker could do, that does not mean a hacker couldn't do anything. It only means that you are not a hacker. That is the whole point of being a hacker: seeing what could be done when everyone thinks nothing could be done. – zvone Commented Sep 30, 2016 at 6:58
4 Answers
The hacker could do anything if there are any security issues. You could give the user which runs the web server the permission to do the task your task is intending to do.
In general try to avoid root whenever you can (put the tinfoil hat on).
According to this post from superuser of the StackExchange platform, you can pipe the password to other sudo commands, like this:

```
echo <password> | sudo -S <command>
```

and according to this StackOverflow post, you can pipe commands in spawn like this:

```
var args = ['-c', <the entire command you want to run as a string>];
child.spawn('sh', args)
```

After some hours struggling I found the solution. To wrap it all up, your answer would be something like:

```
import { spawn } from "child_process";
const process = spawn("sh", ["-c", "sudo -K << <password> <the entire command you want to run with sudo>"]);
```

I hope it would help you and others like me.
Building on MajidJafari's work (which unfortunately did not work for me as he typed it) I was able to come up with something that works, albeit very convoluted.

```
const process = spawn("sh", ["-c", "echo <password used for sudo user> | sudo -S bash -c '<enter command or multiple commands separated by && here>'"]);
```

All the commands encased within the set single parenthesis ' ' will be run as sudo.
On node v16.18.0 this option works:

```javascript
const { spawn } = require("child_process");
const options = {
    shell: true
};
const user = 'root';
const password = '12345';
const c = 'ls /root';
spawn("sudo", [`-S <<< '${password}'`, '-u', user, 'bash', '-c', `'${c}'`], options);
```