I'm looking for a way to run node via PM2 whilst reading an SSL private-key that is placed in a secure directory.
Details:
Bitnami LEMP stack with Node
permissions for /etc/ssl/private:
drwx------ 2 root root 4096 private
permissions for key file:
-rw-r----- 1 root root 1704 my_key_file.key
With the above permissions, both nginx and php run fine with no problems whatsoever (I'm guessing this is because nginx's master process runs as root?), and so does running node as sudo.
However I'd like to run this node code as a non-root user, since this reduces the security risk should the node server be compromised.
What are my options here ? The way I understand it it's something like these options:
- Loosen permissions on private-key folder/file (Bad, involves changes to /etc/ssl/private!)
- Copy private_key and make it readable just by a safe-user that runs pm2 (Bit messy, involves keeping track of copied files for updates etc)
- Run PM2 master as root, which then spawns a process/instance as a non-root user (Much like how nginx works, not sure if this is even possible)
- Run PM2 as root, change the code to drop its own privilege level after doing some things as root (as outlined here – looks slightly messy and also might be a security risk)
Any kind of help is greatly appreciated!
Thanks
Best Answer
You could create a group called
ssl-cert
and addpm2user
to that group.Then change the group of the directory
/etc/ssl/private
and its contents to bessl-cert
. You will also need to add group execute permissions for theprivate
directory.That will allow access for PM2 to read the file. Is it more or less secure? That may depend on who has access to the server and how widely the
ssl-cert
group is shared. Keep the usage of the group to the absolute minimum: non-login accounts only. You will probably need to restart the Nginx and PM2 services so they reconnect with the new permissions.