4

I'm looking for a way to run node via PM2 whilst reading an SSL private-key that is placed in a secure directory.

Details: Bitnami LEMP stack with Node

permissions for /etc/ssl/private:

drwx------ 2 root root  4096 private

permissions for key file:

-rw-r----- 1 root root 1704 my_key_file.key

With the above permissions, both nginx and php run fine with no problems whatsoever (I'm guessing this is because nginx's master process runs as root?), and so does running node as sudo.

However I'd like to run this node code as a non-root user, since this reduces the security risk should the node server be compromised.

What are my options here ? The way I understand it it's something like these options:

  • Loosen permissions on private-key folder/file (Bad, involves changes to /etc/ssl/private!)
  • Copy private_key and make it readable just by a safe-user that runs pm2 (Bit messy, involves keeping track of copied files for updates etc)
  • Run PM2 master as root, which then spawns a process/instance as a non-root user (Much like how nginx works, not sure if this is even possible)
  • Run PM2 as root, change the code to drop its own privilege level after doing some things as root (as outlined here - looks slightly messy and also might be a security risk)

Any kind of help is greatly appreciated! Thanks

jolian
  • 107
  • 1
  • 6
  • 1
    nginx reads these files and binds to privileged ports as root, and then _drops its privileges_, changing to the nginx user for the rest of the time that it is running. There's no real security issue here. – Michael Hampton Feb 20 '15 at 08:02
  • @MichaelHampton, yes I realise that, my question is rather about the _Node_ process running through PM2 - How should one securely run _Node_ through _PM2_ **and** read a private-key for SSL encryption? – jolian Feb 23 '15 at 10:52

1 Answers1

2

You could create a group called ssl-cert and add pm2user to that group. 

sudo groupadd ssl-cert
sudo usermod -a -G ssl-cert pm2user

Then change the group of the directory /etc/ssl/private and its contents to be ssl-cert. You will also need to add group execute permissions for the private directory.

sudo chown -R root:ssl-cert /etc/ssl/private/
sudo chmod 650 /etc/ssl/private/
sudo chmod 640 /etc/ssl/private/my_key_file.key

That will allow access for PM2 to read the file. Is it more or less secure? That may depend on who has access to the server and how widely the ssl-cert group is shared. Keep the usage of the group to the absolute minimum: non-login accounts only. You will probably need to restart the Nginx and PM2 services so they reconnect with the new permissions.

bruceskyaus
  • 121
  • 4