src: allow CAP_NET_BIND_SERVICE in SafeGetenv

[danbev]

This commit updates SafeGetenv to check if the current process has the
effective capability cap_net_bind_service set, and if so allows
environment variables to be read.

The motivation for this change is a use-case where Node is run in a
container, and the is a requirement to be able to listen to ports
below 1024. This is done by setting the capability of
cap_net_bind_service. In addition there is a need to set the
environment variable NODE_EXTRA_CA_CERTS. But currently this
environment variable will not be read when the capability has been set
on the executable.

---

Manual tests

No caps or setuid

$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
Warning: Ignoring extra certs from `something`, load failed: error:02001002:system library:fopen:No such file or directory
17.0.0-pre                                                                   

Environment variables should be readable, hence the warning.

With multiple caps

$ sudo setcap cap_net_broadcast,cap_net_bind_service+p out/Release/node        
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

With only cap_net_bind_service cap

$ sudo setcap cap_net_bind_service+p out/Release/node                          
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
Warning: Ignoring extra certs from `something`, load failed: error:02001002:system library:fopen:No such file or directory
17.0.0-pre                                                                      

Environment variables should be readable, hence the warning.

With setuid with no caps

$ sudo setcap -r out/Release/node                                               
$ getcap out/Release/node                                                       
$ su -                                                                          
[root@localhost ~]# cd /home/danielbevenius/work/nodejs/node                    
[root@localhost node]# chown root:root out/Release/node                         
[root@localhost node]# chmod u+s out/Release/node                               
[root@localhost node]# exit                                                     
$ ls -l out/Release/node                                                        
-rwsrwxr-x. 1 root root 78713256 Mar 29 11:04 out/Release/node                  
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

With setuid with multiple caps

$ sudo setcap cap_net_broadcast,cap_net_bind_service+p out/Release/node        
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

With setuid and only cap_net_bind_service cap

$ sudo setcap cap_net_bind_service+ep out/Release/node                          
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

[addaleax]

This is a separate function so that it does not affect and JavaScript methods that currently use SafeGetenv.

Could you maybe add some guidance documentation on the situations in which when one would use SafeCapGetenv over SafeGetenv or vice versa? My impression is that they seem to serve the same purpose, and that we should stick with one, unless there’s a fundamental difference in semantics here (especially since capabilities on Linux can be very far-reaching, to the point where there is little difference between having them and being in a setuid environment). That would make the logical conclusion here for me that we should either a) stick with SafeGetenv() if loading NODE_EXTRA_CA_CERTS from a setuid/elevated-capability binary or b) use plain getenv() in this scenario if not.

[danbev]

Could you maybe add some guidance documentation on the situations in which when one would use SafeCapGetenv over SafeGetenv or vice versa?

The use-case we have is that we have a requirement that when running in a container to run the process as a non-root user. In addition the container in question also needs to be able to listen to privileged ports, hence it is setting a capability on the node executable (per_process::linux_at_secure will be true).

There is also a requirement to set the environment variable NODE_EXTRA_CA_CERTS which is currently not possible due to the way SafeGetenv works.

UseExtraCaCerts is only called once upon startup and and is the only time that NODE_EXTRA_CA_CERTS is potentially read. Adding SafeCapGetenv would allow this environment variable to take effect even if a capability is set on node executable, but not allow JavaScript code to call it.

It would be really nice if it was possible to allow the usage of NODE_EXTRA_CA_CERTS in situations like the above and perhaps we could just call getenv() in this case like you suggested. I'd be fine with that but was not sure if I had a clear understanding of all the implications of doing that, which was the reason for this PR.

[addaleax]

@danbev Yeah, I understand all that, but … the problem is that “capabilities” in general is very broad and effectively equivalent to a setuid setting. I’m not sure if it’s feasible to check for only specific capabilities (I assume that would be CAP_NET_BIND_SERVICE here) and allow the regular SafeGetenv() to proceed when only that capability (or similarly harmless ones) are set.

It would be really nice if it was possible to allow the usage of NODE_EXTRA_CA_CERTS in situations like the above and perhaps we could just call getenv() in this case like you suggested. I'd be fine with that but was not sure if I had a clear understanding of all the implications of doing that, which was the reason for this PR.

I’d be worried about things like excerpts from the specified file showing up in error messages, for example, which would give users an opportunity to read (at least pieces of) files that they would not otherwise have access to.

[danbev]

I’d be worried about things like excerpts from the specified file showing up in error messages, for example, which would give users an opportunity to read (at least pieces of) files that they would not otherwise have access to.

Ah right, I had not considered that. I was mainly thinking about how setting this value could be abused at the time of setting it. This sounds like a risk and while I initially thought this would be a good idea I'm seeing that is is not 😞

Thanks for taking the time to review and comment, I appreciate it.

[addaleax]

@danbev Fwiw, I think it would be a feasible approach to adjust SafeGetenv() to verify whether CAP_NET_BIND_SERVICE is the only capability that’s set, in which case it should be fine to proceed with returning the environment variables.

[danbev]

@addaleax I'll take a look at doing that, thanks!

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/36757/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/36760/

[addaleax]

Yeah, I think this makes sense 👍

[danbev]

@addaleax @targos Thanks for the reviews!

[mhdawson]

The code looks ok to me, but I was wondering about this addition:

      [ 'OS in "linux"', {
        'ldflags': [ '-Wl,-Bstatic -Wl,--whole-archive -lcap -Wl,--no-whole-archive -Wl,-Bdynamic' ],
      }],

Is there anywhere else that we've done something similar?

[danbev]

Is there anywhere else that we've done something similar?

Not that I'm aware of.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/39865/

[mhdawson]

LGTM

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/40025/

[danbev]

Landed in 3f61940.