I'm using node.js as part of a cloud-based, multi-tenanted server 
environment, with each node process specific to one of the tenants.  (Their 
most common job is to communicate between some external system and the 
shared server.)   For security reasons, it's a requirement to keep the node 
processes from interfering with each other, since, in principle, they could 
be running third-party-written code.  After some analysis, we came up with 
the following specific requirements:


   1. Each node process will be given a file system directory, which will
      - Contain the JavaScript it runs
      - Be usable as a scratchpad, e.g. to buffer large datasets read from
        an external system
      - Other than that, the process will have no access to any other
        part of the file system
   2. Each node process creates a socket that it uses to receive requests 
   from the server.  To prevent different node processes 
   from communicating with each other directly, the ability of node processes 
   to connect to sockets will be restricted.  Access to Unix Domain Sockets 
   will be turned off completely.
   3. On general principles, Node processes will not be allowed to
      - kill other processes
      - change their default directory
      - change their effective user or group id
   4. Node processes will not be allowed to create subprocesses (which 
   might overcome the restrictions above).
   5. Node processes will not be allowed to load native-code 
   extensions (which might overcome the restrictions above.)

The only third-party code running in the system will be the node.js 
JavaScript.  In particular, the server that starts up the node.js processes 
is trusted, so this can be implemented by starting node with command-line 
flags that force the behavior described above.  I've defined three:


   - --restricted-outgoing-addresses address-list takes a
     comma-separated list of IP addresses to which access will be restricted.
     This would most commonly be all the IP addresses for the current machine.
   - --allowed-outgoing-ports port-list takes a comma-separated list of
     ports to which access is allowed even on restricted addresses.  This would
     represent local services to which the node service is granted access.
   - --safe-mode implements the other restrictions shown above (file
     system, process restrictions, etc.)

I've forked 0.8.3 and implemented this 
at https://github.com/mikeatemotive/node.js-safe-mode .  I'm 
quite interested in any comments, and in particular on whether there's 
interest in bringing this functionality into node.
