Menu
I'm using Sails.js 0.10.5 on Node 0.10.33 on Ubuntu Trusty. I'd like to execute the node process as a non-root user with the least possible privileges in the production environment. I'm comfortable with the various options for binding to ports below 1024 but I'm more concerned with directory permissions.
Ideally, I'd prefer the node process only have write access to its log files and nothing else. It should only have read access to the directory containing app.js and below.
At the moment I have needed to grant write access to the ./.tmp directory and also to the ./views directory due to the grunt tasks that run at startup. I'd rather perform the grunt tasks at deploy time as a different user instead of at run-time. The sails www command appeared promising but I couldn't get the desired outcome.
Can someone please point me in the right direction for running Sails.js with zero write access to its assets, views, etc?
350
lift() Lift a Sails app programmatically. This does exactly what you might be used to seeing by now when you run sails lift . It loads the app, runs its bootstrap, then starts listening for HTTP requests and WebSocket connections.
Who uses Sails. js? 80 companies reportedly use Sails. js in their tech stacks, including Tutor Platform, Redox Engine, and Vuclip.
Sails is the most popular MVC framework for Node. js, designed to emulate the familiar MVC pattern of frameworks like Ruby on Rails, but with support for the requirements of modern apps: data-driven APIs with a scalable, service-oriented architecture.
Sails. js uses Grunt as a build tool for building front-end assets. If you're building an app for the browser, you're in luck. Sails ships with Grunt — which means your entire front-end asset workflow is completely customizable, and comes with support for all of the great Grunt modules which are already out there.
Use sails www to build static assets
chmod -R 440 all files and directories, so that your user and the webserver (group) can access the files.
Use nginx/apache to host a webserver on port 80/443 and proxy requests to sails (running on its own port or over a unix socket).
Run sails using PM2 to keep it running and have it manage/collect logs.
Sails will lift, but will be unable to write its .tmp directory, which shouldn't even be necessary since all your static files will be routed to the www directory through nginx/apache.
139
The simplest solution to me seems to be to separate the grunt tasks that need the elevated privileges out into a separate file that you can call with a different user on deploy. Then sails won't need to run anything and can be read only.
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
