Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Run sails.js with least privileges in Production

I'm using Sails.js 0.10.5 on Node 0.10.33 on Ubuntu Trusty. I'd like to execute the node process as a non-root user with the least possible privileges in the production environment. I'm comfortable with the various options for binding to ports below 1024 but I'm more concerned with directory permissions.

Ideally, I'd prefer the node process only have write access to its log files and nothing else. It should only have read access to the directory containing app.js and below.

At the moment I have needed to grant write access to the ./.tmp directory and also to the ./views directory due to the grunt tasks that run at startup. I'd rather perform the grunt tasks at deploy time as a different user instead of at run-time. The sails www command appeared promising but I couldn't get the desired outcome.

Can someone please point me in the right direction for running Sails.js with zero write access to its assets, views, etc?

like image 350
Jason Stangroome Avatar asked Nov 17 '14 10:11

Jason Stangroome


People also ask

What sails lift?

lift() Lift a Sails app programmatically. This does exactly what you might be used to seeing by now when you run sails lift . It loads the app, runs its bootstrap, then starts listening for HTTP requests and WebSocket connections.

Who is using sails JS?

Who uses Sails. js? 80 companies reportedly use Sails. js in their tech stacks, including Tutor Platform, Redox Engine, and Vuclip.

Is sails JS framework?

Sails is the most popular MVC framework for Node. js, designed to emulate the familiar MVC pattern of frameworks like Ruby on Rails, but with support for the requirements of modern apps: data-driven APIs with a scalable, service-oriented architecture.

How does sails JS work?

Sails. js uses Grunt as a build tool for building front-end assets. If you're building an app for the browser, you're in luck. Sails ships with Grunt — which means your entire front-end asset workflow is completely customizable, and comes with support for all of the great Grunt modules which are already out there.


2 Answers

Use sails www to build static assets

chmod -R 440 all files and directories, so that your user and the webserver (group) can access the files.

Use nginx/apache to host a webserver on port 80/443 and proxy requests to sails (running on its own port or over a unix socket).

Run sails using PM2 to keep it running and have it manage/collect logs.

Sails will lift, but will be unable to write its .tmp directory, which shouldn't even be necessary since all your static files will be routed to the www directory through nginx/apache.

like image 139
user3590543 Avatar answered Sep 20 '22 00:09

user3590543


The simplest solution to me seems to be to separate the grunt tasks that need the elevated privileges out into a separate file that you can call with a different user on deploy. Then sails won't need to run anything and can be read only.

like image 26
Glenn Slaven Avatar answered Sep 21 '22 00:09

Glenn Slaven