Search code examples
linuxnode.jsubuntudropbox

What is the lowest privileged user that node.js can run as on ubuntu?

I don't know very much about different privilege level. What is the minimum user level required to run node.js, if all I need to do is serve static pages, in a directory.

Likewise, what is the minimum user level required for the dropbox daemon to run in node.js ?

EDIT: For example, in this guide: https://www.linode.com/docs/security/securing-your-server/

One creates a new user to administer the system using this command:

usermod -a -G sudo exampleuser

How does one create a low level, less privileged user that Dropbox or node.js can run as ?

EDIT: I'm not sure which folders to set what file permissions. I wan't Dropbox to be able to run and modify the contents of its folder. I wan't node.js to also have permission to read and execute files in that folder.

Solution

  • A lower level user would not be part of the sudo group. In general you need read access to any files, but not necessarily write.

    Typically it is best practice to create a generic user with its own group in isolation.

    Then you would setup a directory tree for just that user with its files.

    You can either make the files group readable for the special group or world readable. The directories will also need execute permissions.

    For the situation you are describing, I would run dropbox as a separate user as well and then make the dropbox folder either group or world readable. The dropbox user should also not be part of the sudo group.

    Let's say you have 3 users:

    • Your primary login user called "user"
    • node user
    • dropbox user

    Each user is in its own group with the same name. I'll assume your dropbox folder is named ~/Dropbox.

    chown -R dropbox:node ~/Dropbox
find ~/Dropbox -type d | xargs chmod 750 
find ~/Dropbox -type f | xargs chmod 640
mkdir ~/node
# copy files in here
chown -R node:node ~/node
find ~/node -type d | xargs chmod 750
find ~/node -type f | xargs chmod 640

    Note that this turns off the executable bit on all binaries, so you may have to manually fix those. Also note that chmod and chown both require root permissions to modify other user files, so you'll probably need to add some sudo to those commands, but it was already getting long.