Block a Node-red user from using OS commands

Can we block a Node-red user from using OS commands using Exec or similar node?

you can disable the exec node via nodesExcludes in settings,js

nodesExcludes: [ "75-exec.js"],
1 Like

I believe that is beyond the scope of Node-Red.

1 Like

Additionally, you can turn off external function modules or add entries to allow/deny list

see Configuration : Node-RED

1 Like

Can't I then just use the function node to call exec? There are probably many ways around this - Jsonata expression? A malicious user will always find a way ...

The user account which runs Node-red (Linux anyway) should not have elevated permissions such as sudo, then does it matter if they can access OS commands?

We are running multiple instance for a single OS user. One way is to create a non sudo user for all these instances .as you said

We can block exec node as others have mentioned .But still a malicious user may always find a way .

No. not if access to process is inhibited:

_The function node runs in the context of a NodeJS VM with limited scope by default)

but, so long as the user can install something (via palette for example) there will always be a a way.

Key to locking down, as other have suggested, is limited accounts.

There are other avenues and approaches to explore too (run NR in docker/k8s, SSO login for accessing node-red, coupled with audit logging, good backups)

1 Like

Hi again, I hate to sound like a broken record - I seem to be saying this more and more lately, but something like FlowFuse does pretty much everything you want - user management, easy setup of permitted modules, multiple instances, runs in docker or k8s, has platform/team/instance/user level audit logging, point in time snapshots etc. You can of course pay for it (hosted, ready made, secured, SSO sign in etc) but it is open source - just like Node-RED!

1 Like

You should ALWAYS be doing that for a production instance of node-red. This is one of the weaker aspects of the Node-RED documentation stemming from its origins.

Treat Node-RED as another microservice and similar to any other web server. Run it under a dedicated user with limited access outside its own folders. And don't install Node-RED globally.

For a true multi-user configuration, run each user in their own container or even their own VM. If using containers, use something like Kubernetes and not Docker to orchestrate everything.