Can we block a Node-red user from using OS commands using Exec or similar node?
you can disable the exec node via
nodesExcludes in settings,js
nodesExcludes: [ "75-exec.js"],
I believe that is beyond the scope of Node-Red.
Additionally, you can turn off external function modules or add entries to allow/deny list
Can't I then just use the function node to call
exec? There are probably many ways around this - Jsonata expression? A malicious user will always find a way ...
The user account which runs Node-red (Linux anyway) should not have elevated permissions such as sudo, then does it matter if they can access OS commands?
We are running multiple instance for a single OS user. One way is to create a non sudo user for all these instances .as you said
We can block exec node as others have mentioned .But still a malicious user may always find a way .
No. not if access to
process is inhibited:
_The function node runs in the context of a NodeJS VM with limited scope by default)
but, so long as the user can install something (via palette for example) there will always be a a way.
Key to locking down, as other have suggested, is limited accounts.
There are other avenues and approaches to explore too (run NR in docker/k8s, SSO login for accessing node-red, coupled with audit logging, good backups)
Hi again, I hate to sound like a broken record - I seem to be saying this more and more lately, but something like FlowFuse does pretty much everything you want - user management, easy setup of permitted modules, multiple instances, runs in docker or k8s, has platform/team/instance/user level audit logging, point in time snapshots etc. You can of course pay for it (hosted, ready made, secured, SSO sign in etc) but it is open source - just like Node-RED!
You should ALWAYS be doing that for a production instance of node-red. This is one of the weaker aspects of the Node-RED documentation stemming from its origins.
Treat Node-RED as another microservice and similar to any other web server. Run it under a dedicated user with limited access outside its own folders. And don't install Node-RED globally.
For a true multi-user configuration, run each user in their own container or even their own VM. If using containers, use something like Kubernetes and not Docker to orchestrate everything.