From 526eed0ed3250297bf8db4217a8d47f371a409d8 Mon Sep 17 00:00:00 2001
From: Kevin Lentin
Date: Tue, 7 Feb 2023 18:12:39 +1100
Subject: [PATCH 1/3] test: assume priv ports start at 1024 if it can't be changed

An update to test/parallel/test-cluster-bind-privileged-port.js checks the lowest privileged port to ensure 42 is privileged
This only works on kernels > 4.1. On older kernels, this is locked at 1024 so the check is not needed.

Fixes: https://github.com/nodejs/node/issues/45838
---
 test/parallel/test-cluster-bind-privileged-port.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/test/parallel/test-cluster-bind-privileged-port.js b/test/parallel/test-cluster-bind-privileged-port.js
index 11a8aa6659335e..a67b1658bbaffd 100644
--- a/test/parallel/test-cluster-bind-privileged-port.js
+++ b/test/parallel/test-cluster-bind-privileged-port.js
@@ -24,12 +24,16 @@ const common = require('../common');
 const assert = require('assert');
 const cluster = require('cluster');
 const net = require('net');
-const { readFileSync } = require('fs');
+const { readFileSync, statSync } = require('fs');

 if (common.isLinux) {
- const unprivilegedPortStart = parseInt(readFileSync('/proc/sys/net/ipv4/ip_unprivileged_port_start'));
- if (unprivilegedPortStart <= 42) {
- common.skip('Port 42 is unprivileged');
+ const procFileName = '/proc/sys/net/ipv4/ip_unprivileged_port_start';
+ // Does not exist for Kernel < 4.1 where answer is 1024. So only test limit if limit exists
+ if (statSync(procFileName, { throwIfNoEntry: false })) {
+ const unprivilegedPortStart = parseInt(readFileSync(procFileName));
+ if (unprivilegedPortStart <= 42) {
+ common.skip('Port 42 is unprivileged');
+ }
 }
 }

From a5017cf1705b411e02ca38ad4d2904bc92bf015a Mon Sep 17 00:00:00 2001
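Review bot: `parseInt(readFileSync(procFileName))` in the added block parses a Buffer with no radix and never checks the result. If the content does not parse, `NaN <= 42` is false and the test carries on as though port 42 were privileged. Reading the file as text and validating it makes the precondition explicit: `const unprivilegedPortStart = Number.parseInt(readFileSync(procFileName, 'utf8'), 10);` followed by a `Number.isNaN(unprivilegedPortStart)` check. The same expression returns in the hunk of patch 3/3, which drops the radix that patch 2/3 had added.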
From: Kevin Lentin
Date: Wed, 8 Feb 2023 10:56:11 +1100
Subject: [PATCH 2/3] Update to remove TOCTOU stat-then-open pattern

---
 test/parallel/test-cluster-bind-privileged-port.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/test/parallel/test-cluster-bind-privileged-port.js b/test/parallel/test-cluster-bind-privileged-port.js
index a67b1658bbaffd..4329d0b75df3a9 100644
--- a/test/parallel/test-cluster-bind-privileged-port.js
+++ b/test/parallel/test-cluster-bind-privileged-port.js
@@ -24,16 +24,18 @@ const common = require('../common');
 const assert = require('assert');
 const cluster = require('cluster');
 const net = require('net');
-const { readFileSync, statSync } = require('fs');
+const { readFileSync } = require('fs');

 if (common.isLinux) {
- const procFileName = '/proc/sys/net/ipv4/ip_unprivileged_port_start';
- // Does not exist for Kernel < 4.1 where answer is 1024. So only test limit if limit exists
- if (statSync(procFileName, { throwIfNoEntry: false })) {
- const unprivilegedPortStart = parseInt(readFileSync(procFileName));
+ try {
+ const sysctlOutput = execSync('sysctl net.ipv4.ip_unprivileged_port_start').toString();
+ const unprivilegedPortStart = parseInt(sysctlOutput.split(' ')[2], 10);
 if (unprivilegedPortStart <= 42) {
 common.skip('Port 42 is unprivileged');
 }
+ } catch {
+ // Do nothing, feature doesn't exist, minimum is 1024 so 42 is usable.
+ // Continue...
 }
 }

From 1f161a1d5ce03e6ff1cc0631a36edda12cfddb8b Mon Sep 17 00:00:00 2001
From: Kevin Lentin
Date: Thu, 9 Feb 2023 07:36:12 +1100
Subject: [PATCH 3/3] Previous update reverted old v18 method, now based on new v19

---
 test/parallel/test-cluster-bind-privileged-port.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/test/parallel/test-cluster-bind-privileged-port.js b/test/parallel/test-cluster-bind-privileged-port.js
index 4329d0b75df3a9..c971b7656f1221 100644
--- a/test/parallel/test-cluster-bind-privileged-port.js
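Review bot: `execSync` is called inside the new `try` block but is not imported in the visible require block, which keeps only `readFileSync` from `fs`. Unless it is required outside the hunk, the call throws a ReferenceError that the bare `catch {}` swallows, so the skip for hosts where port 42 is unprivileged would never be reached. A catch-all around a precondition check hides this kind of mistake, and it also hides permission or parse errors. Patch 3/3 replaces the `execSync` line with `readFileSync` but leaves the `catch` untouched, so the final code should handle only the missing-file case: `} catch (err) { if (err.code !== 'ENOENT') throw err; }`.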
+++ b/test/parallel/test-cluster-bind-privileged-port.js
@@ -28,8 +28,7 @@ const { readFileSync } = require('fs');

 if (common.isLinux) {
 try {
- const sysctlOutput = execSync('sysctl net.ipv4.ip_unprivileged_port_start').toString();
- const unprivilegedPortStart = parseInt(sysctlOutput.split(' ')[2], 10);
+ const unprivilegedPortStart = parseInt(readFileSync('/proc/sys/net/ipv4/ip_unprivileged_port_start'));
 if (unprivilegedPortStart <= 42) {
 common.skip('Port 42 is unprivileged');
 }