mjhjmtu

Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.

I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.

Example:

1. user: jimmy
   


2. home: /home/jimmy
   


3. shell: /bin/bash
   

So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?

Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?

So now If I was right I have 2 options

1. I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?


2. Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]

Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.

You seem to have some misconceptions about user logins.

With /bin/bash or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc is probably not writable by by jimmy so they should not be able to rm the entire directory.

You are correct about using /usr/sbin/nologin, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.

No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.

You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.

If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.