Security: how to protect pm2 process and pm2 applications from being listed/stopped by other users? #260
Comments
|
pm2 cli should probably talk with a daemon over a unix socket, not tcp. This will solve permissions problems as well. |
|
@rlidwka you are right, so far I had just been using And, of course, since Cheers, |
|
This is a very serious issue for anyone having more than one user on a server. What is the solution? Why would even pm2 allow any other user to access pm2 started as a different user? |
|
Isn't this linked to the npm global install somehow ? |
|
#329 does not fix this |
|
I still have an issue related to this. I'm listening on a socket. The daemon is started as root and i'm using --run-as-user to start nodejs apps. But the socket doesn't get created. Of course, it's working if i'm starting the daemon as my own user name but we are in a multiuser environment. |
|
I still have this issue with version 0.10.1 (from npm or https://github.com/Unitech/PM2.git at this moment) : any local user can stop all apps handled by pm2 but then couldn't start these apps. |
|
Yes we're aware of this but it has been moved to #642 or how things would be resolved (1.0). |
Hello,
I haven't found anything about this security topic mentioned before, so here is an issue to talk about it.
At this time it's possible to start
pm2with a dedicated user, and it's good.But :
pm2process can be killed by any user simply logged on the production system:pm2 killpm2can be listed/stopped by any user simply logged on the production system:pm2 list,pm2 stop allA possible security model could be based on filesystem rights. This is very Unix. When called,
pm2could check the calling user rights on the.pm2directory:.pm2directory (i.e. can openrthe directory) → the user is allowed to runpm2 list.pm2directory (i.e. can openwthe directory) → the user is allowed to runpm2 stopThat way all the permissions will be dealt on the filesystem level. What do you think?
Cheers,
The text was updated successfully, but these errors were encountered: