Closed jschmidt3786 closed 3 months ago
It's been a verrry long time since I've looked at this, but IIRC, the onus is on the script being started to drop privileges. If you're using node-rc/forever.js to start something that's going to bind to privileged ports, it'll have to do that and then drop privileges in the application code. All node-rc does is pass the desired user and group as environment variables.
If you're not using privileged ports, you can set up an intermediary script to change user and then exec the real script, or make changes to node-rc to suit your needs.
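The bind-then-drop sequence described in the reply above can be sketched in Node as follows. This is an added example, not part of the thread and not code from node-rc or uptime-kuma; `DROP_USER` and `DROP_GROUP` are hypothetical variable names standing in for whatever the launcher passes, and the `proc` parameter exists only so the logic can be exercised without root.

```javascript
// Added example: bind as root, then drop to an unprivileged user and group.
// DROP_USER / DROP_GROUP are hypothetical names, not node-rc's variables.
function dropPrivileges(user, group, proc = process) {
  if (typeof proc.getuid !== 'function' || proc.getuid() !== 0) {
    return { dropped: false, reason: 'not running as root' };
  }
  if (!user || !group) {
    throw new Error('refusing to stay root: user and group are required');
  }
  // Order matters: after setuid() the process may no longer change groups.
  proc.initgroups(user, group); // replace root's supplementary groups
  proc.setgid(group);
  proc.setuid(user);
  if (proc.getuid() === 0) throw new Error('still uid 0 after drop');
  // The drop must be irreversible: regaining root has to fail.
  let regained = false;
  try { proc.setuid(0); regained = true; } catch (_) { /* expected: EPERM */ }
  if (regained) throw new Error('privilege drop is reversible');
  return { dropped: true, uid: proc.getuid(), gid: proc.getgid() };
}

// Listen first (root is needed for ports below 1024), drop only once bound.
function bindThenDrop(server, port, user, group, proc = process) {
  return new Promise((resolve, reject) => {
    server.once('error', reject);
    server.listen(port, () => {
      try {
        resolve(dropPrivileges(user, group, proc));
      } catch (err) {
        server.close(); // never keep serving as root after a failed drop
        reject(err);
      }
    });
  });
}

// Runs only when started as root with DROP_USER and DROP_GROUP set.
if (process.env.DROP_USER) {
  const http = require('node:http');
  const server = http.createServer((req, res) => res.end('ok\n'));
  bindThenDrop(server, 80, process.env.DROP_USER, process.env.DROP_GROUP)
    .then(console.log, (e) => { console.error(e.message); process.exit(1); });
}
```

Checking the reported `uid` in the service log (or with `ps`) confirms whether the process is still running as root, which is the symptom described in this thread.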
Thanks, Randy!
I'm attempting to run https://github.com/louislam/uptime-kuma on a FreeBSD 13.3-RELEASE jail (VNET) on a 13.3-RELEASE host behind an nginx reverse proxy. I started from this write-up: https://it-notes.dragas.net/2024/07/22/install-uptime-kuma-freebsd-jail/ and wanted to make it a proper service via node-rc.
Everything works except for the privilege drop, despite setting node_user and node_group in rc.conf (it runs, but as root). The code was git cloned into the service user's home dir, all owned by service user's UID. The service runs fine when I su - to the user and run it from the shell.
The node_ entries I have in rc.conf: