The best way to prevent this would be to set up the permissions on the box appropriately.

But really, I think "multiple users on the same fs" is kind of an antiquated approach to multi-tenancy, as it's fundamentally insecure. Do any hosts even have that any more? Who doesn't just run in a little VM or zone or something?

On Sat, Apr 27, 2013 at 10:47 AM, Carlos Mundi <[email protected]> wrote:
> That's fair, Isaac, to a point. We all have to trust someone and it comes down to ratios of risk/reward. I just don't like the idea of cross-user account contamination. The real risk may be very low, but the benefits are even smaller. If anyone is using /home/node_modules on purpose I would be a little surprised. Just my 2 cents, and I don't expect anything to change. But maybe this thread will encourage more ppl to read the docs. :)
>
> Thanks
>
> On Apr 27, 2013 10:30 AM, "Isaac Schlueter" <[email protected]> wrote:
>> If she doesn't trust you, why is her code on your machine? Why don't you just compromise HER files directly in that case?
>>
>> If you don't trust your infrastructure provider, then nothing can protect you. If you want defense-in-depth against accidental things like this, then make sure that you have local copies in node_modules of the things you want to use.
>>
>> On Sat, Apr 27, 2013 at 9:27 AM, Carlos <[email protected]> wrote:
>> > From the docs:
>> >
>> > For example, if the file at '/home/ry/projects/foo.js' called require('bar.js'), then node would look in the following locations, in this order:
>> >
>> > /home/ry/projects/node_modules/bar.js
>> > /home/ry/node_modules/bar.js
>> > /home/node_modules/bar.js [color added by me]
>> > /node_modules/bar.js
>> >
>> > Maybe I'm paranoid. OK, I am paranoid. But is there a potential for injection of untrusted code here? I mean, it's really unlikely that I would be running a node-based service on a machine I don't own-as-in-root. But suppose I have users, and one of them is using node to do whatever just because node is the coolest thing ever. Should she trust me not to have put something evil in /home/node_modules? I mean, I could be evil. I could dump the list of the top ten downloads from the npm registry and then run those module names through a typo predictor (this is insanely easy to automate, plus you have variations of foo, node-foo and foo-node which create even more open space for evil) and seed /home/node_modules with compromised versions of the real thing. The next time Karen Koder does an 'npm install' on a new package file she might very well end up pulling compromised code. I'm not saying this is a big security risk. It's not. If it were, I would not be posting here. But I question whether this is really good design practice and suggest that maybe pulling code from other user directories is more risky than useful.

--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
