I'm trying to execute a node.js child process in a chroot jail to prevent it from accessing the filesystem outside of its directory.

However, when I do this, the application can no longer make http requests via the 'request' module. Any request I make ends in the 'Error: getaddrinfo ENOTFOUND'.

There is one issue that was closed in the node.js project that seems to suggest you need to replace the implementation of dns.lookup or copy /etc/resolv.conf into the jail (neither worked for me): https://github.com/joyent/node/issues/3399

There is also a Google groups thread: https://groups.google.com/forum/#!topic/nodejs/Qb_LMLulZS4

This seems to recommend that you should "put the bind libraries and all its dependencies also into the jail." I don't understand that statement.

Anyone gotten this to work correctly that could share what they did?


Solution

Maybe this does not answer your question, but I want to provide the results of my research.

var ls = require('child_process').spawn('chroot', ['/mnt/chroot/wheezy-chroot', 'node', '/root/simple-server.js']);

ls.stdout.on('data', function (data) {
  console.log('stdout: ' + data);
});

ls.stderr.on('data', function (data) {
  console.log('stderr: ' + data);
});

ls.on('close', function (code) {
  console.log('child process exited with code ' + code);
});

This script works properly: simple-server.js listens and answers POST queries as it should, so I want to ask: how do you create your chroot environment? I've created mine with the debootstrap utility from Debian:

cd /mnt/chroot/
debootstrap wheezy ./wheezy-chroot http://ftp.us.debian.org/debian
cd wheezy-chroot

then mount proc, sys and dev as usual:

mount -t proc none proc
mount --rbind /dev dev
mount --rbind /sys sys

and I also mount /usr/local/ to get access to node. I suggest that the "put the bind libraries and all its dependencies also into the jail." statement means to mount all the things you need, e.g. mount -o bind /usr/local /mnt/chroot/wheezy-chroot/usr/local in my case.

In case I have completely missed with my answer, I'll leave this link: https://github.com/magne4000/node-jail -- maybe you will find this package useful.

And the last thing: as far as I know, chroot is not a safe solution in some cases (http://en.wikipedia.org/wiki/Chroot#Limitations). Maybe you should have a look at mechanisms like FreeBSD Jail or even LXC.

Other tips

I don't know about chroot in child process.

But for using the chroot npm package, I found that if I did a dns.lookup() just before chroot, dns lookup would work well even after chroot.

dns.lookup() will load the necessary libraries for getaddrinfo() call into memory before chroot.
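
Why copying /etc/resolv.conf alone may not be enough, as an added example (not code from the question or from either answer): it audits a jail directory for the files getaddrinfo() opens at lookup time, resolving symlinks as a process inside the chroot would. The function names, the library list and the library directories are assumptions for a Debian-style x86_64 jail whose glibc loads its NSS modules as separate shared objects.

```javascript
const fs = require('fs');
const path = require('path');

// Files the glibc resolver reads at lookup time (paths as seen inside the jail).
const CONFIG_FILES = ['/etc/resolv.conf', '/etc/nsswitch.conf', '/etc/hosts'];
// Shared objects glibc dlopen()s on the first lookup. Assumption: a glibc that
// ships NSS modules separately, as in the Debian wheezy jail described above.
const NSS_LIBS = ['libnss_dns.so.2', 'libnss_files.so.2', 'libresolv.so.2'];
// Assumed library directories; adjust for the distribution inside the jail.
const LIB_DIRS = ['/lib', '/lib64', '/usr/lib',
  '/lib/x86_64-linux-gnu', '/usr/lib/x86_64-linux-gnu'];

// Check a jail-absolute path the way a chrooted process would see it: an
// absolute symlink target is re-rooted at the jail and ".." cannot climb out.
// Only the final path component is re-rooted; parent directories are not.
function existsInJail(jailRoot, jailPath, hops = 0) {
  if (hops > 8) return false; // symlink loop
  const hostPath = path.join(jailRoot, jailPath);
  let st;
  try { st = fs.lstatSync(hostPath); } catch (e) { return false; }
  if (!st.isSymbolicLink()) return st.isFile();
  const target = fs.readlinkSync(hostPath);
  const next = path.posix.resolve('/', path.posix.dirname(jailPath), target);
  return existsInJail(jailRoot, next, hops + 1);
}

// Returns the config files and NSS libraries that are absent from the jail.
function auditJailResolver(jailRoot) {
  const missing = CONFIG_FILES.filter((f) => !existsInJail(jailRoot, f));
  for (const lib of NSS_LIBS) {
    const found = LIB_DIRS.some((d) => existsInJail(jailRoot, d + '/' + lib));
    if (!found) missing.push(lib);
  }
  return missing;
}

if (typeof module !== 'undefined' && require.main === module) {
  const root = process.argv[2] || '/mnt/chroot/wheezy-chroot';
  const missing = auditJailResolver(root);
  console.log(missing.length ? 'missing in jail: ' + missing.join(', ')
    : 'resolver files present');
}
```

A resolv.conf that is a symlink to an absolute path outside the jail is reported as missing, because the link dangles once the process has called chroot.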

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow