Node.js v23.11.0 文档

权限#>

¥Permissions

源代码: src/permission.cc

权限可用于控制 Node.js 进程可以访问哪些系统资源,或者进程可以对这些资源执行哪些操作。

¥Permissions can be used to control what system resources the Node.js process has access to or what actions the process can take with those resources.

  • 基于进程的权限 控制 Node.js 进程对资源的访问。可以完全允许或拒绝资源,或者可以控制与其相关的操作。例如,可以允许文件系统读取而拒绝写入。此功能无法防止恶意代码。根据 Node.js 安全政策,Node.js 信任要求它运行的任何代码。

    ¥Process-based permissions control the Node.js process's access to resources. The resource can be entirely allowed or denied, or actions related to it can be controlled. For example, file system reads can be allowed while denying writes. This feature does not protect against malicious code. According to the Node.js Security Policy, Node.js trusts any code it is asked to run.

权限模型实现了 "安全带" 方法,可防止受信任的代码无意中更改文件或使用未明确授予访问权限的资源。它在存在恶意代码的情况下不提供安全保障。恶意代码可以绕过权限模型并执行任意代码,而不受权限模型施加的限制。

¥The permission model implements a "seat belt" approach, which prevents trusted code from unintentionally changing files or using resources that access has not explicitly been granted to. It does not provide security guarantees in the presence of malicious code. Malicious code can bypass the permission model and execute arbitrary code without the restrictions imposed by the permission model.

如果你发现潜在的安全漏洞,请参阅我们的 安全政策

¥If you find a potential security vulnerability, please refer to our Security Policy.

基于进程的权限#>

¥Process-based permissions

权限模型#>

¥Permission Model

版本历史
版本变更
v23.5.0

此功能不再是实验性的。

v20.0.0

新增于: v20.0.0

稳定性: 2 - 稳定的

¥Stability: 2 - Stable

Node.js 权限模型是一种在执行期间限制对特定资源的访问的机制。API 存在于标志 --permission 之后,启用后将限制对所有可用权限的访问。

¥The Node.js Permission Model is a mechanism for restricting access to specific resources during execution. The API exists behind a flag --permission which when enabled, will restrict access to all available permissions.

可用权限由 --permission 标志记录。

¥The available permissions are documented by the --permission flag.

使用 --permission 启动 Node.js 时,通过 fs 模块访问文件系统、生成进程、使用 node:worker_threads、使用原生插件、使用 WASI 和启用运行时检查器的能力将受到限制。

¥When starting Node.js with --permission, the ability to access the file system through the fs module, spawn processes, use node:worker_threads, use native addons, use WASI, and enable the runtime inspector will be restricted.

$ node --permission index.js

Error: Access to this API has been restricted
    at node:internal/main/run_main_module:23:47 {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '/home/user/index.js'
}

允许访问生成进程和创建工作线程可以分别使用 --allow-child-process--allow-worker 来完成。

¥Allowing access to spawning a process and creating worker threads can be done using the --allow-child-process and --allow-worker respectively.

要在使用权限模型时允许原生插件,请使用 --allow-addons 标志。对于 WASI,请使用 --allow-wasi 标志。

¥To allow native addons when using permission model, use the --allow-addons flag. For WASI, use the --allow-wasi flag.

运行时 API#>

¥Runtime API

通过 --permission 标志启用权限模型时,新属性 permission 将添加到 process 对象。此属性包含一个功能:

¥When enabling the Permission Model through the --permission flag a new property permission is added to the process object. This property contains one function:

permission.has(scope[, reference])#>

在运行时检查权限的 API 调用 (permission.has())

¥API call to check permissions at runtime (permission.has())

process.permission.has('fs.write'); // true
process.permission.has('fs.write', '/home/rafaelgss/protected-folder'); // true

process.permission.has('fs.read'); // true
process.permission.has('fs.read', '/home/rafaelgss/protected-folder'); // false

文件系统权限#>

¥File System Permissions

默认情况下,权限模型通过 node:fs 模块限制对文件系统的访问。它不能保证用户无法通过其他方式(例如通过 node:sqlite 模块)访问文件系统。

¥The Permission Model, by default, restricts access to the file system through the node:fs module. It does not guarantee that users will not be able to access the file system through other means, such as through the node:sqlite module.

要允许访问文件系统,请使用 --allow-fs-read--allow-fs-write 标志:

¥To allow access to the file system, use the --allow-fs-read and --allow-fs-write flags:

$ node --permission --allow-fs-read=* --allow-fs-write=* index.js
Hello world!

两个标志的有效参数是:

¥The valid arguments for both flags are:

  • * - 分别允许所有 FileSystemReadFileSystemWrite 操作。

    ¥* - To allow all FileSystemRead or FileSystemWrite operations, respectively.

  • 以逗号 (,) 分隔的路径分别仅允许匹配 FileSystemReadFileSystemWrite 操作。

    ¥Paths delimited by comma (,) to allow only matching FileSystemRead or FileSystemWrite operations, respectively.

示例:

¥Example:

  • --allow-fs-read=* - 它将允许所有 FileSystemRead 操作。

    ¥--allow-fs-read=* - It will allow all FileSystemRead operations.

  • --allow-fs-write=* - 它将允许所有 FileSystemWrite 操作。

    ¥--allow-fs-write=* - It will allow all FileSystemWrite operations.

  • --allow-fs-write=/tmp/ - 它将允许 FileSystemWrite 访问 /tmp/ 文件夹。

    ¥--allow-fs-write=/tmp/ - It will allow FileSystemWrite access to the /tmp/ folder.

  • --allow-fs-read=/tmp/ --allow-fs-read=/home/.gitignore - 它允许 FileSystemRead 访问 /tmp/ 文件夹和 /home/.gitignore 路径。

    ¥--allow-fs-read=/tmp/ --allow-fs-read=/home/.gitignore - It allows FileSystemRead access to the /tmp/ folder and the /home/.gitignore path.

也支持通配符:

¥Wildcards are supported too:

  • --allow-fs-read=/home/test* 将允许读取与通配符匹配的所有内容。例如:/home/test/file1/home/test2

    ¥--allow-fs-read=/home/test* will allow read access to everything that matches the wildcard. e.g: /home/test/file1 or /home/test2

传递通配符 (*) 后,所有后续字符都将被忽略。例如:/home/*.js 的工作方式与 /home/* 类似。

¥After passing a wildcard character (*) all subsequent characters will be ignored. For example: /home/*.js will work similar to /home/*.

初始化权限模型时,如果指定的目录存在,它将自动添加通配符 (*)。例如,如果 /home/test/files 存在,它将被视为 /home/test/files/*。但是,如果目录不存在,则不会添加通配符,并且访问将仅限于 /home/test/files。如果要允许访问尚不存在的文件夹,请确保明确包含通配符:/my-path/folder-do-not-exist/*

¥When the permission model is initialized, it will automatically add a wildcard (*) if the specified directory exists. For example, if /home/test/files exists, it will be treated as /home/test/files/*. However, if the directory does not exist, the wildcard will not be added, and access will be limited to /home/test/files. If you want to allow access to a folder that does not exist yet, make sure to explicitly include the wildcard: /my-path/folder-do-not-exist/*.

将权限模型与 npx 结合使用#>

¥Using the Permission Model with npx

如果你使用 npx 执行 Node.js 脚本,则可以通过传递 --node-options 标志来启用权限模型。例如:

¥If you're using npx to execute a Node.js script, you can enable the Permission Model by passing the --node-options flag. For example:

npx --node-options="--permission" package-name

这将为 npx 生成的所有 Node.js 进程设置 NODE_OPTIONS 环境变量,而不会影响 npx 进程本身。

¥This sets the NODE_OPTIONS environment variable for all Node.js processes spawned by npx, without affecting the npx process itself.

npx 的 FileSystemRead 错误

¥FileSystemRead Error with npx

上述命令可能会抛出 FileSystemRead 无效访问错误,因为 Node.js 需要文件系统读取访问权限来定位和执行包。为了避免这种情况:

¥The above command will likely throw a FileSystemRead invalid access error because Node.js requires file system read access to locate and execute the package. To avoid this:

  1. 使用全局安装的软件包通过运行以下命令授予对全局 node_modules 目录的读取访问权限:

    ¥Using a Globally Installed Package Grant read access to the global node_modules directory by running:

    npx --node-options="--permission --allow-fs-read=$(npm prefix -g)" package-name

  2. 使用 npx 缓存如果你是临时安装软件包或依赖 npx 缓存,请授予对 npm 缓存目录的读取访问权限:

    ¥Using the npx Cache If you are installing the package temporarily or relying on the npx cache, grant read access to the npm cache directory:

    npx --node-options="--permission --allow-fs-read=$(npm config get cache)" package-name

你通常传递给 node 的任何参数(例如,--allow-* 标志)也可以通过 --node-options 标志传递。这种灵活性使得在使用 npx 时根据需要配置权限变得容易。

¥Any arguments you would normally pass to node (e.g., --allow-* flags) can also be passed through the --node-options flag. This flexibility makes it easy to configure permissions as needed when using npx.

权限模型约束#>

¥Permission Model constraints

在使用此系统之前,你需要了解一些限制条件:

¥There are constraints you need to know before using this system:

  • 该模型不会继承到子节点进程或工作线程。

    ¥The model does not inherit to a child node process or a worker thread.

  • 使用权限模型时,以下功能将受到限制:

    ¥When using the Permission Model the following features will be restricted:

    • 原生模块

      ¥Native modules

    • 子进程

      ¥Child process

    • 工作线程

      ¥Worker Threads

    • 检查器协议

      ¥Inspector protocol

    • 文件系统访问

      ¥File system access

    • WASI

  • 权限模型是在 Node.js 环境搭建完成后初始化的。但是,某些标志(例如 --env-file--openssl-config)被设计为在环境初始化之前读取文件。因此,此类标志不受权限模型规则的约束。这同样适用于可以通过 v8.setFlagsFromString 在运行时设置的 V8 标志。

    ¥The Permission Model is initialized after the Node.js environment is set up. However, certain flags such as --env-file or --openssl-config are designed to read files before environment initialization. As a result, such flags are not subject to the rules of the Permission Model. The same applies for V8 flags that can be set via runtime through v8.setFlagsFromString.

  • 当启用权限模型时,无法在运行时请求 OpenSSL 引擎,从而影响内置的 crypto、https 和 tls 模块。

    ¥OpenSSL engines cannot be requested at runtime when the Permission Model is enabled, affecting the built-in crypto, https, and tls modules.

  • 启用权限模型时无法加载运行时可加载扩展,从而影响 sqlite 模块。

    ¥Run-Time Loadable Extensions cannot be loaded when the Permission Model is enabled, affecting the sqlite module.

  • 通过 node:fs 模块使用现有文件描述符会绕过权限模型。

    ¥Using existing file descriptors via the node:fs module bypasses the Permission Model.

限制和已知问题#>

¥Limitations and Known Issues

  • 符号链接甚至会被跟踪到已授予访问权限的路径集之外的位置。相对符号链接可以允许访问任意文件和目录。在启用权限模型的情况下启动应用时,必须确保已授予访问权限的路径不包含相对符号链接。

    ¥Symbolic links will be followed even to locations outside of the set of paths that access has been granted to. Relative symbolic links may allow access to arbitrary files and directories. When starting applications with the permission model enabled, you must ensure that no paths to which access has been granted contain relative symbolic links.

Node.js 中文网 - 粤ICP备13048890号