On Wed, Aug 1, 2012 at 12:56 AM, MikeS <m...@emotive.com> wrote: > I'm using node.js as part of a cloud-based, multi-tenanted server > environment, with each node process specific to one of the tenants. (Their > most common job is to communicate between some external system and the > shared server.) For security reasons, it's a requirement to keep the node > processes from interfering with each other, since, in principle, they could > be running third-party-written code. After some analysis, we came up with > the following specific requirements: > > Each node processes will be given a file system directory, which will > > Contain the JavaScript it runs > > Be usable as a scratchpad, e.g. to buffer large datasets read from an > external system > > Other than that, the process will have no access to any other part of the > file system > > Each node process creates a socket that it uses to receive requests from the > server. To prevent different node processes from communicating with each > other directly, the ability of node processes to connect to sockets will be > restricted. Access to Unix Domain Sockets will be turned off completely. > On general principles, Node processes will not be allowed to > > kill other processes > change their default directory > change their effective user or group id > > Node processes will not be allowed to create subprocesses (which might > overcome the restrictions above). > Node processes will not be allowed to load native-code extensions (which > might overcome the restrictions above.) > > The only third-party code running in the system will be the node.js > JavaScript. In particular, the server that starts up the node.js processes > is trusted, so this can be implemented by starting node with command-line > flags that force the behavior described above. I've defined three: > > --restricted-outgoing-addresses address-list takes a comma-separated list of > IP addresses to which access will be restricted. This would most commonly > be all the IP addresses for the current machine. > --allowed-outgoing-ports port-list takes a comma-separated list of ports to > which access is allowed even on restricted addresses. This would represent > local services to which the node service is granted access. > --safe-mode implements the other restrictions shown above (file system, > process restrictions, etc.) > > I've forked 0.8.3 and implemented this at > https://github.com/mikeatemotive/node.js-safe-mode . I'm quite interested > in any comments, and in particular on whether there's interest in bringing > this functionality into node.
No. I appreciate the effort but it sounds too much like PHP's safe mode and everyone knows how broken that is. Containerization should be done at the OS level, not the application level.
