Ubuntu – Node + PM2 – How to securely read SSL private key with non-root user

Tags: file-permissions, node.js, private-key, ssl, Ubuntu

I'm looking for a way to run node via PM2 whilst reading an SSL private-key that is placed in a secure directory.

Details:
Bitnami LEMP stack with Node

permissions for /etc/ssl/private:

drwx------ 2 root root  4096 private

permissions for key file:

-rw-r----- 1 root root 1704 my_key_file.key

With the above permissions, both nginx and php run fine with no problems whatsoever (I'm guessing this is because nginx's master process runs as root?), and so does running node as sudo.

However I'd like to run this node code as a non-root user, since this reduces the security risk should the node server be compromised.

What are my options here? The way I understand it, it's something like these options:

  • Loosen permissions on private-key folder/file (Bad, involves changes to /etc/ssl/private!)
  • Copy private_key and make it readable just by a safe-user that runs pm2 (Bit messy, involves keeping track of copied files for updates etc)
  • Run PM2 master as root, which then spawns a process/instance as a non-root user (Much like how nginx works, not sure if this is even possible)
  • Run PM2 as root, change the code to drop its own privilege level after doing some things as root (as outlined here – looks slightly messy and also might be a security risk)

Any kind of help is greatly appreciated!
Thanks

Best Answer

You could create a group called ssl-cert and add pm2user to that group.

sudo groupadd ssl-cert
sudo usermod -a -G ssl-cert pm2user

Then change the group of the directory /etc/ssl/private and its contents to be ssl-cert. You will also need to add group execute permissions for the private directory.

sudo chown -R root:ssl-cert /etc/ssl/private/
sudo chmod 750 /etc/ssl/private/
sudo chmod 640 /etc/ssl/private/my_key_file.key

That will allow access for PM2 to read the file. Is it more or less secure? That may depend on who has access to the server and how widely the ssl-cert group is shared. Keep the usage of the group to the absolute minimum: non-login accounts only. You will probably need to restart the Nginx and PM2 services so they reconnect with the new permissions.
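A small audit script, added here as an example and not part of the original answer, that checks the layout described above before PM2 is pointed at the key: the directory must grant the group search (x) access but nothing to "other", the key must be at most group-readable, and both must belong to the dedicated group. It assumes GNU stat (coreutils) as on Ubuntu; the paths are the question's, and make_layout builds a throwaway copy with placeholder key content so the checks can be run without touching /etc/ssl/private.

```shell
#!/bin/sh
# Added example (not from the original post): audit the group-based layout the
# answer sets up before pointing PM2 at the key. Assumes GNU stat (coreutils),
# as on Ubuntu. Returns 0 only when members of GROUP can read KEY and nobody
# else can:
#   directory: owner rwx, group r-x (x is needed to open files inside), no "other" bits
#   key file : group r-- at most, no "other" bits
audit_key_perms() {
    dir=$1 key=$2 group=$3
    dmode=$(stat -c '%a' "$dir") || return 1
    kmode=$(stat -c '%a' "$key") || return 1
    # peel off the last two octal digits: "other" bits, then group bits
    dother=${dmode#"${dmode%?}"}; drest=${dmode%?}; dgroup=${drest#"${drest%?}"}
    kother=${kmode#"${kmode%?}"}; krest=${kmode%?}; kgroup=${krest#"${krest%?}"}
    downer=${drest%?}; downer=${downer#"${downer%?}"}
    [ "$dother" = 0 ] || { echo "FAIL: $dir is world-accessible (mode $dmode)"; return 1; }
    [ "$kother" = 0 ] || { echo "FAIL: $key is world-readable (mode $kmode)"; return 1; }
    # a non-root owner without x on the directory cannot open the key either
    [ "$downer" = 7 ] || { echo "FAIL: $dir owner bits must be rwx, got $downer"; return 1; }
    # the group needs x to traverse the directory, but never w
    [ "$dgroup" = 5 ] || { echo "FAIL: $dir group bits must be r-x, got $dgroup"; return 1; }
    # the key may be group-readable, never group-writable or executable
    case $kgroup in 0|4) ;; *) echo "FAIL: $key group bits must be r--, got $kgroup"; return 1;; esac
    # both must belong to the dedicated group (name or numeric gid accepted)
    for f in "$dir" "$key"; do
        gname=$(stat -c '%G' "$f") gid=$(stat -c '%g' "$f")
        [ "$gname" = "$group" ] || [ "$gid" = "$group" ] ||
            { echo "FAIL: $f is owned by group $gname, expected $group"; return 1; }
    done
    echo "OK: $key is readable by group $group only"
}

# Build a throwaway copy of the question's layout with the given modes so the
# audit can be exercised without touching /etc/ssl/private (constructed input;
# the key file holds placeholder text, not a real key). Prints the directory.
make_layout() {
    d=$(mktemp -d) || return 1
    printf 'PLACEHOLDER, not a real private key\n' > "$d/my_key_file.key" &&
        chmod "$2" "$d/my_key_file.key" && chmod "$1" "$d" && printf '%s\n' "$d"
}

# Usage on a real host, after following the answer:
#   audit_key_perms /etc/ssl/private /etc/ssl/private/my_key_file.key ssl-cert
```

Run it as the PM2 user as well as root: a passing audit plus a successful `cat` of the key as pm2user confirms the group membership took effect, which usually requires that user's session (and the PM2 daemon) to be restarted.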