Run Node.js apps on low ports without running as root

Dec 17 2012

On Linux (and UNIX), to open a port with a number less than or equal to 1024, traditionally a program must run as the root user. This impacts web applications, which use ort 80 (HTTP) and port 443 (HTTPS) to do business. Many programs (Apache being a great example) use this by running a master process as the root user, and farming work off to helper processes that run with lower privileges. But Node.js is designed to work on a single-process model. So how do you run Node.js apps on low ports without running the script as root?

I looked at a number of solutions, and one suggested by my company's security team seems to be the best solution: For operating systems that support capabilities setting (like Ubuntu 12.04 and later), you can configure the operating system to allow non-privileged apps to listen on low ports. Here I show how to do it, and then briefly explain what is going on.

How to do it

Here's how to do it in three easy steps:

Install the capabilities tools
Explicitly grant Node.js the capability to listen on low ports
Run your app as a non-privileged user

These steps look like this (running as a non-privileged user with sudo access):

$ sudo apt-get install libcap2-bin
$ sudo setcap cap_net_bind_service=+ep /usr/bin/node
$ node foo.js

Note that sudo access is only required for granting the capability. You can run the server with an even lower-privileged user.

What's happening?

How does this work? In a nutshell, recent versions of Ubuntu and other Linux distributions provide access to the kernel's capabilities subsystem, which allows system administrators to grant finer grained permissions to do things that once required root access.

What we are doing above is installing the appropriate user-land tools to talk to this system, and then requesting that /usr/bin/node be allowed to bind services on low ports. While this configuration is not entirely risk free, from a security standpoint, it certainly is superior to running Node as a privileged user.

To learn more, man capabilities (or read the online man page).

Books

Go In Practice

A cookbook-style guide for writing production Go code.

Drupal 7 Multi-Site Configuration

Configure Drupal to run more than one site.

Drupal 7 Module Development

Create Drupal 7 modules and themes.

Mastering OpenLDAP

Install, configure, and administer an OpenLDAP server.

Drupal 6 JavaScript and jQuery

Create Drupal 7 modules and themes.

Drupal 6 Module Development

Create Drupal 6 modules and themes.

Managing and Customizing OpenCms 6 Websites

Install, configure and use the OpenCms content management system.

Building Websites with OpenCms 5

Write custom Java and JSP for OpenCms.