bnoordhuis
commented
4 years ago Is --use-openssl-ca intended to be ignored if Linux capabilities are set
Yes. See the AT_SECURE entry in the getauxval(3) man page:
Has a nonzero value if this executable should be treated
securely. Most commonly, a nonzero value indicates that the
process is executing a set-user-ID or set-group-ID binary (so
that its real and effective UIDs or GIDs differ from one
another), or that it gained capabilities by executing a binary
file that has capabilitiesWhen the AT_SECURE flag is set by the kernel, node will ignore "sensitive" environment variables like NODE_EXTRA_CA_CERTS.
Node only knows it gained a capability, it doesn't know it's CAP_NET_BIND_SERVICE specifically.
wranders
Background
I'm using Xen-Orchestra to connect to servers and attempting to use an internal Certificate Authority to secure communications between the two. I've installed the root and intermediate certificates using
update-ca-certificatesandopenssl s_clientconfirms that they are recognized and in use.I'm running this application with
NODE_OPTIONs=--use-openssl-caand theCAP_NET_BIND_SERVICEcapability on Node to run the application on ports 80 and 443. SSL checks return errors (SELF_SIGNED_CERT_IN_CHAIN) when trying to connect to the other servers using certificates from my internal CA.Documentation for the
NODE_EXTRA_CA_CERTSenvironment variable states:In a last ditch effort, I removed the capability and configured the application to run on non-privileged ports and SSL checks succeeded.
Possible Bug
Is
--use-openssl-caintended to be ignored if Linux capabilities are set, just likeNODE_EXTRA_CA_CERTS, and just undocumented, or is this unintended and a bug?