As you've already mentioned, opening up these types of operations to a web
server is a big security risk. That said, I'd look into using sudoers to
restrict the commands that require elevated privileges to be run, and be
sure to use aggressive sanitizing of any user input.

-- Daniel R. <[email protected]> [http://danielr.neophi.com/]

On Sat, Apr 11, 2015 at 3:59 PM, Pi HomeServer <[email protected]>
wrote:

> Hello,
>
> I want to build a web interface over a NodeJS server. One of the purposes
> of the interface is to be able to control the Linux PC where the server is
> running. For example: update (via apt-get for example), reboot, install
> packages, etc.
> I think about 2 ways to do that:
>
>    - Running the server as root
>    - Executing commands via a shell executed with the uid/gid of root
>
> To be honest, both sound unsecured to me, but I don't see how to go
> over that.
>
> Users of the web interface will have to log in (I use PassportJS with a
> SQLite database) before getting access to the part of the site where
> you can execute commands that require root privilege.
> I am also working to add SSL support on the server.
>
> Any advice on implementing this function without opening all doors?
>
> Thanks !
> Chris
>
> --
> Job board: http://jobs.nodejs.org/
> New group rules:
> https://gist.github.com/othiym23/9886289#file-moderation-policy-md
> Old group rules:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> ---
> You received this message because you are subscribed to the Google Groups
> "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/nodejs/7fd7ff53-d362-4ea2-8728-1d9af031e809%40googlegroups.com
> <https://groups.google.com/d/msgid/nodejs/7fd7ff53-d362-4ea2-8728-1d9af031e809%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
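
An added example, not part of the original thread: one way to combine the reply's two suggestions in Node.js, with the server running as an unprivileged account and only allowlisted commands passed to `sudo`. The account name `webctl`, the binary paths and the action names are assumptions made for illustration.

```javascript
'use strict';
const { execFile } = require('child_process');

// Assumed /etc/sudoers.d/webctl for a hypothetical unprivileged account
// "webctl" that runs the Node server (exact argument lists, no wildcards):
//   webctl ALL=(root) NOPASSWD: /usr/bin/apt-get update, /sbin/reboot
// "install" would need its own entry or a root-owned wrapper script.

// Debian package-name characters; must not start with '-' (option injection)
// or end with '-' (apt-get reads "pkg-" as "remove pkg").
const PKG_RE = /^[a-z0-9][a-z0-9+.-]{0,62}[a-z0-9+]$/;

// Allowlist: each action maps to a fixed binary and an argv builder.
const ACTIONS = {
  update: () => ['/usr/bin/apt-get', 'update'],
  reboot: () => ['/sbin/reboot'],
  install: ({ pkg }) => {
    if (typeof pkg !== 'string' || !PKG_RE.test(pkg)) {
      throw new Error('invalid package name');
    }
    return ['/usr/bin/apt-get', 'install', '-y', pkg];
  },
};

// Turn a web request into an argv array; throws on anything not allowlisted.
function buildCommand(action, params) {
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action)) {
    throw new Error('unknown action');
  }
  return ['/usr/bin/sudo', '-n', ...ACTIONS[action](params || {})];
}

// execFile hands argv straight to the program: no shell is involved, so
// ';', '|' or '$()' in input are never interpreted. "sudo -n" fails
// instead of prompting for a password.
function runAction(action, params, cb) {
  let argv;
  try { argv = buildCommand(action, params); } catch (err) { return cb(err); }
  const opts = { timeout: 600000, env: { PATH: '/usr/sbin:/usr/bin:/sbin:/bin' } };
  execFile(argv[0], argv.slice(1), opts, cb);
}
```

Only `runAction` touches the system; `buildCommand` can be unit-tested without root or sudo installed.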
