lukejacksonn / servor

Dependency free file server for single page app development
MIT License

setuid breaks local secure serving on linux #43

Closed kostadinnm closed 4 years ago

kostadinnm commented 4 years ago

When I add servor as a dev dependency and try to serve a local instance with the "--secure" flag (along with providing some server.key and server.crt files) I get an error at the line where you call process.setuid(501); stating:

UnhandledPromiseRejectionWarning: Error: EPERM, Operation not permitted

If I remove that call, it passes effortlessly. Maybe there's a reason for changing the process uid that I am not competent enough. Anyways - if it can be made explicit you are breaking some security laws, it should be allowed, I think. Moreover, the browser is warning me as well any time I hit my homepage.

Kudos, Kosta

lukejacksonn commented 4 years ago

Hey man 👋 thanks for taking the time to try out servor and create this issue!

So I don't have a Linux environment to test on unfortunately so any attempts to make it work reliably cross OS was certainly a best effort attempt! Apologies for that.

If I recall correctly process.setuid(501) was done to de-escalate privileges after the package is run with sudo (for mac users who want credentials generating and adding to the trusted store for them)..

You say that removing this line fixes the issue. Do you think we should just run this line conditionally if on MacOS? Is there a linux equivalent?

Sounds like a reasonably simple fix.. would just need to check it doesn't break anything else!

kostadinnm commented 4 years ago

Well, I cannot judge which will be a good fix. In any case, I advise usage of any tool in the user space if possible. osx ones should be able to benefit from servor as I did from linux. Looking at the code though, it seems cert generation is osx-specific, thus need not mess with usage on other os-es. In those cases (linux/windows), you may tighten the requirements when passing the --secure flag to also require key/cert OR even more explicitly error back that "cert auto-generation is only supported on osx".

Cheers, Kos

lukejacksonn commented 4 years ago

The actual cert/key generation does not require sudo (at least on osx it doesn't) and should work on any OS so long as openssl is installed.. only adding the credentials to the trusted store required admin privileges (this is what prevents the browser showing a warning too).

The script is designed to work in user space only. This line of code is just there to revoke admin privileges if an osx user has run as sudo in order to add credentials to the trusted store. It wasn't causing any issues on osx even when it wasn't run as sudo but it is on linux.

Here is my suggestion, try adding this check before the setuid call and see if it fixes it for you:

process.platform === 'darwin' && process.setuid(501);

Failing this.. I might just make it exit if it is being run with sudo.. then log out instructions to start again without sudo.

kostadinnm commented 4 years ago

Confirmed: running servor --secure

lukejacksonn commented 4 years ago

Ok thanks! I will add this update to the next release 🎉
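
The EPERM in this thread comes from calling process.setuid() with another user's uid while not running as root. As an added example (not servor's code and not written by anyone in the thread), this Node.js code drops privileges only when the process is actually root and returns to the sudo caller's own ids instead of a hardcoded 501; it assumes sudo exported SUDO_UID and SUDO_GID, and the function names planPrivilegeDrop and dropPrivileges are hypothetical.

```javascript
// Added example: decide whether a privilege drop is needed, then apply it.
// Assumption: the process was started via sudo, which sets SUDO_UID/SUDO_GID.

function planPrivilegeDrop(proc) {
  // Windows has no getuid(); there is nothing to drop there.
  if (typeof proc.getuid !== 'function') return { action: 'none' };
  // Not root: setuid() to a different uid would fail with EPERM, so skip it.
  if (proc.getuid() !== 0) return { action: 'none' };

  const uid = Number.parseInt(proc.env.SUDO_UID, 10);
  const gid = Number.parseInt(proc.env.SUDO_GID, 10);
  // Root with no unprivileged sudo caller: no safe identity to return to.
  if (!Number.isInteger(uid) || !Number.isInteger(gid) || uid === 0) {
    return { action: 'refuse' };
  }
  return { action: 'drop', uid, gid };
}

function dropPrivileges(proc = process) {
  const plan = planPrivilegeDrop(proc);
  if (plan.action === 'refuse') {
    throw new Error('running as root with no sudo caller; restart without sudo');
  }
  if (plan.action === 'drop') {
    // Order matters: groups and gid can only be changed while still root.
    proc.setgroups([plan.gid]);
    proc.setgid(plan.gid);
    proc.setuid(plan.uid);
    // Confirm the new identity before serving anything.
    if (proc.getuid() !== plan.uid || proc.getgid() !== plan.gid) {
      throw new Error('privilege drop did not take effect');
    }
  }
  return plan;
}

// Constructed sample processes (not real ones) showing the three outcomes.
const linuxUser = { getuid: () => 1000, env: {} };
const sudoCaller = { getuid: () => 0, env: { SUDO_UID: '501', SUDO_GID: '20' } };
const rootLogin = { getuid: () => 0, env: {} };
console.log(planPrivilegeDrop(linuxUser));  // no drop attempted, so no EPERM
console.log(planPrivilegeDrop(sudoCaller)); // drop to the caller's uid and gid
console.log(planPrivilegeDrop(rootLogin));  // refuse to run as root
```

Call dropPrivileges() once the step that needed root has finished and before the server starts listening.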