In node.js how would I follow the Principle of Least Privilege?

Imagine a web application that performs two main functions:

  1. Serves data from a file that requires higher privileges to read from
  2. Serves data from a file that requires lower privileges to read from

My Assumption: To allow both files to be read from, I would need to run node using an account that could read both files.

If node is running under an account that can access both files, then a user who should not be able to read any file that requires higher privileges could potentially read those files due to a security flaw in the web application's code. This would lead to disastrous consequences in my imaginary web application world.

Ideally the node process could run using a minimal set of rights and then temporarily escalate those rights before accessing a system resource.

Questions: Can node temporarily escalate privileges? Or is there a better way?

If not, I'm considering running two different servers (one with higher privileges and one with lower) and then putting them both behind a proxy server that authenticates/authorizes before forwarding the request.

Thanks.

Asked May 15 '11 18:05 by Tim Stewart



1 Answer

This is a tricky case indeed. In the end file permissions are a sort of meta-data. Instead of directly accessing the files, my recommendation would be to have some layer between the files in the form of a database table, or anything that could map the type of user to the file, and stream the file to the user if it exists.

That would mean that the so-called web application couldn't just circumvent the file system permissions as easily. You could even set it up so that said files did not have server-readable permissions, and instead were only readable by the in-between layer. All it could do is make a call, and see if the user with given permissions could access the files. This lets you also share between multiple web applications should you choose. Also, because of the very specific nature of what the in-between layer does, you can enforce a very restricted set of calls.

Now, if a lower-privileged user somehow gains access to a higher-privileged user's account, they'll be able to see the file, and there's no way to really get around that short of locking the user's account. However, that's part of the development process.

Answered Oct 13 '22 01:10 by onteria_