Docker | Chroot jail questions | Node.js kind of hosting
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.
I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.
Example:
- user: jimmy
- home: /home/jimmy
- shell: /bin/bash
So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?
Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?
So now If I was right I have 2 options
- I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?
- Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]
Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.
debian docker chroot
add a comment |Â
up vote
0
down vote
favorite
Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.
I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.
Example:
- user: jimmy
- home: /home/jimmy
- shell: /bin/bash
So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?
Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?
So now If I was right I have 2 options
- I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?
- Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]
Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.
debian docker chroot
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.
I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.
Example:
- user: jimmy
- home: /home/jimmy
- shell: /bin/bash
So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?
Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?
So now If I was right I have 2 options
- I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?
- Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]
Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.
debian docker chroot
Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.
I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.
Example:
- user: jimmy
- home: /home/jimmy
- shell: /bin/bash
So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?
Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?
So now If I was right I have 2 options
- I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?
- Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]
Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.
debian docker chroot
asked Apr 18 at 16:18
Altaula
101
101
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
0
down vote
You seem to have some misconceptions about user logins.
With /bin/bash
or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc
is probably not writable by by jimmy
so they should not be able to rm
the entire directory.
You are correct about using /usr/sbin/nologin
, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.
No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.
You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.
If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
You seem to have some misconceptions about user logins.
With /bin/bash
or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc
is probably not writable by by jimmy
so they should not be able to rm
the entire directory.
You are correct about using /usr/sbin/nologin
, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.
No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.
You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.
If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
add a comment |Â
up vote
0
down vote
You seem to have some misconceptions about user logins.
With /bin/bash
or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc
is probably not writable by by jimmy
so they should not be able to rm
the entire directory.
You are correct about using /usr/sbin/nologin
, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.
No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.
You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.
If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
add a comment |Â
up vote
0
down vote
up vote
0
down vote
You seem to have some misconceptions about user logins.
With /bin/bash
or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc
is probably not writable by by jimmy
so they should not be able to rm
the entire directory.
You are correct about using /usr/sbin/nologin
, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.
No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.
You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.
If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.
You seem to have some misconceptions about user logins.
With /bin/bash
or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc
is probably not writable by by jimmy
so they should not be able to rm
the entire directory.
You are correct about using /usr/sbin/nologin
, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.
No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.
You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.
If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.
answered Apr 18 at 17:12
GracefulRestart
73417
73417
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
add a comment |Â
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
â Altaula
Apr 18 at 17:20
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f438551%2fdocker-chroot-jail-questions-node-js-kind-of-hosting%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password