I have set up an HTTP server on node.js which listens on port 80. However, ports less than 1024 traditionally require elevated permissions. I therefore had to execute my server using sudo:

    sudo nodejs httpserver.js

People here say running a server as root is a big no-no and that I should use a port above 1024 and redirect port 80 to it instead, so that I don't have to be root to execute the script. But why? What are the security vulnerabilities, and what are the concerns?

C graphics

1 Answer

If there's a vulnerability in your httpserver.js script such that an attacker can get the node.js process to run arbitrary code, then that arbitrary code will be running as root. And you have to assume that such vulnerabilities do exist.

Chris Tavares
  • Plus, you don't have to run as root, there are plenty of options. `setuid`, using an `nginx` proxy, whatever. Running **anything** accessible from the outside as root is just moronic... – TC1 Oct 22 '13 at 18:28
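
The `setuid` option mentioned in the comment, as an added example that is not code from the question or the answer: the process binds port 80 while it is still root, then permanently drops to an unprivileged account before any request is handled, and refuses to serve if the drop did not take effect. The function names `dropPrivileges` and `startServer`, the `serve` argument, and the `nobody`/`nogroup` account names are assumptions made for illustration.

```javascript
// Added example: bind the privileged port as root, then drop root for good.
function dropPrivileges(user, group, proc = process) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('POSIX uid/gid calls are unavailable on this platform');
  }
  if (proc.getuid() !== 0) {
    return { dropped: false, uid: proc.getuid() }; // already unprivileged
  }
  // Order matters: after the uid changes, the process may no longer be
  // allowed to change its groups, so set groups first and the uid last.
  proc.setgroups([group]); // discard root's supplementary groups
  proc.setgid(group);
  proc.setuid(user);
  // Confirm the drop is irreversible: regaining uid 0 must fail.
  let regained = false;
  try {
    proc.setuid(0);
    regained = true;
  } catch (_) {
    // expected: an unprivileged process cannot become root again
  }
  if (regained || proc.getuid() === 0 || proc.getgid() === 0) {
    throw new Error('privilege drop failed; refusing to serve as root');
  }
  return { dropped: true, uid: proc.getuid(), gid: proc.getgid() };
}

async function startServer(port, user, group) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    // Request handlers only ever run after the drop below.
    res.end(`served by uid ${process.getuid()}\n`);
  });
  server.listen(port, () => {
    // The socket is bound at this point, so root is no longer needed.
    // A throw here is uncaught and stops the process (fail closed).
    console.log(dropPrivileges(user, group));
  });
  return server;
}

// Assumed invocation: sudo node httpserver.js serve
// 'nobody' / 'nogroup' are assumed account names; use a dedicated service user.
if (process.argv[2] === 'serve') {
  startServer(80, 'nobody', 'nogroup');
}
```

After the drop, arbitrary code executed through a bug in a request handler runs with the unprivileged account's permissions rather than root's.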