All true, Isaac. I cannot dispute your pragmatism. I come from the "if it isn't an asset, it's a liability" school, which is a great way to design but an agonized way to live. :) Thanks for the discussion. On Apr 27, 2013 11:33 AM, "Isaac Schlueter" <[email protected]> wrote:
> The best way to prevent this would be to set up the permissions on the
> box appropriately.
>
> But really, I think "multiple users on the same fs" is kind of an
> antiquated approach to multi-tenancy, as it's fundamentally insecure.
> Do any hosts even have that any more? Who doesn't just run in a
> little VM or zone or something?
>
> On Sat, Apr 27, 2013 at 10:47 AM, Carlos Mundi <[email protected]> wrote:
> > That's fair, Isaac, to a point. We all have to trust someone and it comes
> > down to ratios of risk/reward. I just don't like the idea of cross-user
> > account contamination. The real risk may be very low, but the benefits are
> > even smaller. If anyone is using /home/node_modules on purpose I would be
> > a little surprised. Just my 2 cents, and I don't expect anything to change.
> > But maybe this thread will encourage more ppl to read the docs. :)
> >
> > Thanks
> >
> > On Apr 27, 2013 10:30 AM, "Isaac Schlueter" <[email protected]> wrote:
> >>
> >> If she doesn't trust you, why is her code on your machine? Why don't
> >> you just compromise HER files directly in that case?
> >>
> >> If you don't trust your infrastructure provider, then nothing can
> >> protect you. If you want defense-in-depth against accidental things
> >> like this, then make sure that you have local copies in node_modules
> >> of the things you want to use.
> >>
> >>
> >> On Sat, Apr 27, 2013 at 9:27 AM, Carlos <[email protected]> wrote:
> >> > From the docs:
> >> >
> >> > For example, if the file at '/home/ry/projects/foo.js' called
> >> > require('bar.js'), then node would look in the following locations, in
> >> > this order:
> >> >
> >> > /home/ry/projects/node_modules/bar.js
> >> > /home/ry/node_modules/bar.js
> >> > /home/node_modules/bar.js [color added by me]
> >> > /node_modules/bar.js
> >> >
> >> > Maybe I'm paranoid. Ok, I am paranoid. But is there a potential for
> >> > injection of untrusted code here? I mean, it's really unlikely that I
> >> > would be running a node-based service on a machine I don't own-as-in-root.
> >> > But suppose I have users, and one of them is using node to do whatever
> >> > just because node is the coolest thing ever. Should she trust me not to
> >> > have put something evil in /home/node_modules? I mean, I could be evil.
> >> > I could dump the list of the top ten downloads from the npm registry and
> >> > then run those module names through a typo predictor (This is insanely
> >> > easy to automate, plus you have variations of foo, node-foo and foo-node
> >> > which create even more open space for evil.) and seed /home/node_modules
> >> > with compromised versions of the real thing. The next time Karen Koder
> >> > does an 'npm install' on a new package file she might very well end up
> >> > pulling compromised code. I'm not saying this is a big security risk.
> >> > It's not. If it were, I would not be posting here. But I question
> >> > whether this is really good design practice and suggest that maybe
> >> > pulling code from other user directories is more risky than useful.
> >> >
> >> > --
> >> > --
> >> > Job Board: http://jobs.nodejs.org/
> >> > Posting guidelines:
> >> > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> >> > You received this message because you are subscribed to the Google
> >> > Groups "nodejs" group.
> >> > To post to this group, send email to [email protected]
> >> > To unsubscribe from this group, send email to
> >> > [email protected]
> >> > For more options, visit this group at
> >> > http://groups.google.com/group/nodejs?hl=en?hl=en
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "nodejs" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
