I just got convinced by some internet articles that using setuid/setgid to switch to a lower-privileged user might be important. Since I am developing a web app, I decided to go for www-data.
So I am using the userid NPM module to figure out the user and group ID of www-data, and then change to it. However, when I do that - and it doesn't entirely matter where - I get the following (in this example, the security handler was executed at the very, very bottom of the code):
2014-09-04T23:07:05.812Z - info: BIRD3 Security -> Changed to www-data:www-data (33:33)
events.js:72
throw er; // Unhandled 'error' event
^
Error: listen EACCES
at errnoException (net.js:904:11)
at Server._listen2 (net.js:1023:19)
at listen (net.js:1064:10)
at net.js:1146:9
at dns.js:72:18
at process._tickCallback (node.js:419:13)
at Function.Module.runMain (module.js:499:11)
at startup (node.js:119:16)
at node.js:906:3
As you can see, as soon as I change my privilege level, it drops the accessibility to port 80 too.
Is there a way I can implement security but keep using port 80 without using something like this?
You don't need a third-party module to do that. process.setgid() and process.setuid() both accept either an ID or a groupname/username.
Also make sure you are dropping the privileges AFTER listening on port 80 and that you call process.setgid() before process.setuid().
Example:
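var net = require('net');
// Connection handler (left empty in this example)
var srv = net.createServer(function(s) {
});
// Bind while still root: ports below 1024 are privileged
srv.listen(24, function() {
  console.log('listening');
});
// Drop the group first, then the user
process.setgid('www-data');
process.setuid('www-data');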
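
The following is an added example, not code from the original question or answer. It performs the drop inside the listen callback, because the stack trace in the question passes through dns.js, which indicates the bind ran after a hostname lookup and so after the code at the bottom of the script had already given up root. The names `dropPrivileges`, `serve`, the `proc` parameter and the `--serve` switch are assumptions of this example.

```javascript
// Added example: drop root only once the privileged port is bound.
// `proc` defaults to the real process object; it is a parameter (an
// assumption of this example) so the logic can be exercised without root.
function dropPrivileges(user, group, proc = process) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('POSIX credentials are not available on this platform');
  }
  if (proc.getuid() !== 0) return false; // not root: nothing to drop

  // Replace the supplementary groups inherited from root, otherwise the
  // process keeps root's group memberships after the switch.
  proc.setgroups([group]);
  // Group before user: once the uid is unprivileged, setgid() is refused.
  proc.setgid(group);
  proc.setuid(user);

  // Confirm the drop cannot be undone. Regaining uid 0 must fail.
  let regained = false;
  try {
    proc.setuid(0);
    regained = true;
  } catch (err) {
    // expected: the kernel refuses with EPERM
  }
  if (regained || proc.getuid() === 0 || proc.getgid() === 0) {
    throw new Error('privilege drop failed, refusing to continue as root');
  }
  return true;
}

function serve(port, host, user, group) {
  const net = require('net');
  const srv = net.createServer((socket) => socket.end('hello\n'));
  // With a hostname, listen() binds only after an asynchronous lookup.
  // The callback fires once the bind has succeeded, so drop here.
  srv.listen(port, host, () => {
    const dropped = dropPrivileges(user, group);
    console.log('port %d bound, dropped=%s, uid=%d', port, dropped, process.getuid());
  });
  return srv;
}

// Start as root with: node server.js --serve
if (process.argv.includes('--serve')) {
  serve(80, 'localhost', 'www-data', 'www-data');
}
```

An uncaught throw from `dropPrivileges` inside the callback terminates the process, so a failed drop never leaves the server answering requests as root.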