Thank you for the reply.
Why the security implications of running node.js are not related to node.js
is hard to understand (can you give a reason?).

While I agree, for other reasons maybe, with your suggestions (i.e. I can
see reasons to not use Windows (which is really unrelated to node.js)),

I am telling you that it would be nice to have the chance to safely
run untrusted code.
For me that would be related to node.js a great deal, because to safely
or "relatively more safely" run untrusted code would require being
able to reduce the privileges, access rights and permissions of
what the untrusted code can do.
For example, some code should not be able to touch "fs" kind of functions.
Such sandboxing would have to happen inside node.js (that is why I ask
on this list).

Also there have been efforts (maybe they are good)

https://github.com/gf3/sandbox
(I think it generates a way to reduce the privileges of untrusted code, by
spawning a child process which lacks access to global...). I am not sure
how it works in detail (maybe somebody can tell). This could help with cases
as suggested in the examples.js section.

There have been efforts
https://github.com/gf3/sandbox/blob/master/example/example.js

Some remarks still on the "Do not use windows". If Microsoft stuff is meant
(window is in a JavaScript context a somewhat ambiguous term) then I can only
suggest that Linux would not be much safer. Really, Linux distributions are
overrated in terms of safety.
Just by running one, one would not suddenly reduce the risks of running
untrusted code in node.js.
Anyway, with AppArmor it can be done to limit node.js access. If there is
a profile, that would help everybody that runs node.js on Ubuntu systems,
which, like it or not, is a common Linux distribution.

Thanks Alex
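
The general shape described in the message above (a child process that evaluates code in a context with no `require`, `process` or `fs`), as an added example that is not part of the thread and is not gf3/sandbox's code; `runUntrusted` and `CHILD_RUNNER` are hypothetical names. Node's documentation states that the `vm` module is not a security mechanism, so this only removes the obvious handles, and OS-level confinement such as AppArmor or LXC is still what limits the process itself.

```javascript
'use strict';
const { spawnSync } = require('child_process');

// Runs inside the child (`node -e`): reads the untrusted source from stdin and
// evaluates it in a fresh context that has no require, process or fs.
const CHILD_RUNNER = `
  const vm = require('vm');
  let src = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { src += chunk; });
  process.stdin.on('end', () => {
    let out;
    try {
      // timeout stops synchronous busy loops inside the context
      const value = vm.runInNewContext(src, {}, { timeout: 500 });
      out = { ok: true, value: String(value) };
    } catch (err) {
      out = { ok: false, error: String(err && err.message) };
    }
    process.stdout.write(JSON.stringify(out));
  });
`;

// Hypothetical helper name; not the gf3/sandbox API.
function runUntrusted(source) {
  const res = spawnSync(process.execPath, ['-e', CHILD_RUNNER], {
    input: source,
    encoding: 'utf8',
    env: {},              // do not hand the parent's environment to the child
    timeout: 5000,        // kill the whole child if it never finishes
    maxBuffer: 64 * 1024, // cap how much output the parent will buffer
  });
  if (res.error || res.status !== 0) {
    const why = res.error ? res.error.message : 'exit ' + res.status;
    return { ok: false, error: 'child failed: ' + why };
  }
  return JSON.parse(res.stdout);
}

// Constructed sample inputs.
console.log(runUntrusted('6 * 7'));
console.log(runUntrusted('require("fs").readdirSync("/")'));
console.log(runUntrusted('while (true) {}'));
```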


On 12/17/2013 11:56 AM, Alex Kocharin wrote:
>  
> It has nothing to do with node.js.
>  
> And actually it is very simple:
>  
> 1. Do not run untrusted code.
> 2. Do not use windows.
>  
> If you have to run something you don't trust, LXC is suggested. But
> again, it has nothing to do with node.js in particular, and it's true
> for almost all programs out there.
>  
>  
> 17.12.2013, 14:47, "ofencito" <[email protected]>:
>> Dear all,
>> I really like node.js. Great to have JS also in the command line.
>> Only worry I have is security.
>>
>> there is for example this https://github.com/hacksparrow/virus
>>
>> Let us be honest. Once node.js is installed we like to extend its
>> utility by installing packages.
>> Not all of us do a thorough code audit before. Consequently I am worried
>> what would happen
>> if the "untrusted" code I run would do harm to my system.
>> This is already a concern in Browsers (and greatly motivates people
>> to use NoScript etc.)
>>
>> How have you guys managed to protect your system from node.js?
>> Basically it should be somewhat protected (if run in Linux) since you
>> most likely run it in your
>> user account. Better still, you could run it as an unprivileged user
>> (suggestion 1).
>> Still I see much potential to provoke havoc and chaos....
>> with all its powers... node.js resembles an open door to the system
>> (which it really actually
>> should be, with the exception of untrusted code).
>>
>> For those who know it: do you have an AppArmor profile that restricts
>> the stuff that node.js
>> can do on your PC? If so, can you share it?
>> Do you run node.js in a virtual container/machine?
>> How do you protect your stuff in node.js from other stuff in node.js?
>>
>> Thanks for your insights
>>
>>  
>>
>> -- 
>> -- 
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines:
>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> <mailto:[email protected]>
>> To unsubscribe from this group, send email to
>> [email protected]
>> <mailto:[email protected]>
>> For more options, visit this group at
>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>  
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to [email protected]
>> <mailto:[email protected]>.
>> For more options, visit https://groups.google.com/groups/opt_out.