Docker | Chroot jail questions | Node.js kind of hosting

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.



I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.



Example:



  1. user: jimmy

  2. home: /home/jimmy

  3. shell: /bin/bash

So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?



Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?



So now If I was right I have 2 options



  1. I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?

  2. Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]

Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.







share|improve this question























    up vote
    0
    down vote

    favorite












    Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.



    I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.



    Example:



    1. user: jimmy

    2. home: /home/jimmy

    3. shell: /bin/bash

    So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?



    Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?



    So now If I was right I have 2 options



    1. I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?

    2. Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]

    Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.







    share|improve this question





















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.



      I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.



      Example:



      1. user: jimmy

      2. home: /home/jimmy

      3. shell: /bin/bash

      So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?



      Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?



      So now If I was right I have 2 options



      1. I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?

      2. Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]

      Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.







      share|improve this question











      Ok so I'm using Docker and I'm not familiar w/ Chroot jail yet.



      I have Docker image w/ installed Debian / Node.js. But I want that every single Debian user can run their own Node.js application w/o root access in Docker.



      Example:



      1. user: jimmy

      2. home: /home/jimmy

      3. shell: /bin/bash

      So jimmy now can run Node.js application because he has /bin/bash shell. But he can also modify whole system (he can do for example "rm -R /etc"). Am I right?



      Then I can for example modify jimmy's shell: /usr/sbin/nologin and give him option to only start/stop Node.js instance from WEB UI... but in Node.js using "fs" module he can modify whole system. Am I right?



      So now If I was right I have 2 options



      1. I think I can create "chroot jail" for jimmy. So /home/jimmy will be chroot jail. He can run his Node.js application and he can not modify whole system. Node.js "fs" will be restricted only for /home/jimmy. Am I right?

      2. Do not care and just init new Docker container for jimmy... This is great options but I think = new container = new system = more data [MBs]

      Ok and If someone of you said first option is what I need. How then I can bind ports If jimmy will run Node.js web server with port 8080 and another user will use same port? With Docker I can handle this I guess before container start.









      share|improve this question










      share|improve this question




      share|improve this question









      asked Apr 18 at 16:18









      Altaula

      101




      101




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          You seem to have some misconceptions about user logins.



          With /bin/bash or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc is probably not writable by by jimmy so they should not be able to rm the entire directory.



          You are correct about using /usr/sbin/nologin, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.



          No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.



          You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.



          If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.






          share|improve this answer





















          • I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
            – Altaula
            Apr 18 at 17:20










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f438551%2fdocker-chroot-jail-questions-node-js-kind-of-hosting%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          You seem to have some misconceptions about user logins.



          With /bin/bash or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc is probably not writable by by jimmy so they should not be able to rm the entire directory.



          You are correct about using /usr/sbin/nologin, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.



          No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.



          You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.



          If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.






          share|improve this answer





















          • I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
            – Altaula
            Apr 18 at 17:20














          up vote
          0
          down vote













          You seem to have some misconceptions about user logins.



          With /bin/bash or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc is probably not writable by by jimmy so they should not be able to rm the entire directory.



          You are correct about using /usr/sbin/nologin, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.



          No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.



          You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.



          If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.






          share|improve this answer





















          • I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
            – Altaula
            Apr 18 at 17:20












          up vote
          0
          down vote










          up vote
          0
          down vote









          You seem to have some misconceptions about user logins.



          With /bin/bash or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc is probably not writable by by jimmy so they should not be able to rm the entire directory.



          You are correct about using /usr/sbin/nologin, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.



          No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.



          You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.



          If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.






          share|improve this answer













          You seem to have some misconceptions about user logins.



          With /bin/bash or direct Nodejs access, a user can only modify files that they have permission to modify. Most of /etc is probably not writable by by jimmy so they should not be able to rm the entire directory.



          You are correct about using /usr/sbin/nologin, the user would not be able to log in to the system. Running a web UI for Nodejs access in this scenario, you would still need to make sure the web UI does not allow accessing files which you do not want it or the users having access to.



          No matter which solution you choose, you cannot run multiple services on the same IP address and port. You can either bind the service to the same port on a different IP address, or use a different port. A solution could be to have each user run on their port, then build a web server to serve as a proxy to each of those services.



          You talk about using Docker so I am not sure why you don't stick with that, though I do not know about possible user constraints you are working with. It is most like a chroot with additional isolation and network management. Docker is primarily designed to run a single service, so each user having their own container running an instance of Nodejs sounds like exactly such a use case.



          If Docker is not an option, I would recommend using chroot if you are confident you can do it properly. Otherwise, it sounds like your requirements could be met with a single system offering multi-user logins with proper permissions everywhere.







          share|improve this answer













          share|improve this answer



          share|improve this answer











          answered Apr 18 at 17:12









          GracefulRestart

          73417




          73417











          • I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
            – Altaula
            Apr 18 at 17:20
















          • I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
            – Altaula
            Apr 18 at 17:20















          I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
          – Altaula
          Apr 18 at 17:20




          I just want deploy something like Node.js hosting. But I think when I will deploy new Docker container for each user It will cost so many data (because Docker container include Debian... Node.js)... Docker is better in port forwarding u are right... But with Chroot I will use only 1 bin of node... only 1 Debian... U know what I mean? But still Chroot is probably bad w/ ports binding. How work companies like Heroku where I can create Node.js instance? Some virtual software like Docker or another VM or Chroot?
          – Altaula
          Apr 18 at 17:20












           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f438551%2fdocker-chroot-jail-questions-node-js-kind-of-hosting%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?