Can we block a Node-red user from using OS commands using Exec or similar node?
You can disable the exec node via nodesExcludes
in settings.js:
nodesExcludes: [ "75-exec.js"],
I believe that is beyond the scope of Node-Red.
Additionally, you can turn off external function modules or add entries to allow/deny list
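As an added example, not code from this thread or from the Node-RED project: a settings.js fragment that puts the two suggestions above side by side with the permissive defaults (excluding the exec node, and turning off external function modules and palette installs with allow/deny lists), plus a small audit that flags the permissive values. The settings keys are Node-RED's own; `auditSettings()`, the two sample settings objects, the second exec filename and the placeholder password hash are assumptions made here, and the exec node's filename should be verified against the installed `@node-red/nodes` package for your release.

```javascript
// Added example (not from the thread or Node-RED itself): a lockdown-oriented
// settings.js fragment plus a hypothetical auditSettings() helper that flags
// settings a malicious flow author could abuse to run OS commands or pull in
// arbitrary npm modules. auditSettings() is written here; it is not a Node-RED API.

// Weak configuration (constructed for the demo): the shape the shipped
// settings.js defaults to, with nothing excluded or restricted.
const weakSettings = {
  nodesExcludes: [],
  functionExternalModules: true,
  externalModules: {
    autoInstall: false,
    palette: { allowInstall: true, allowList: ['*'], denyList: [] },
    modules: { allowInstall: true, allowList: ['*'], denyList: [] },
  },
};

// Hardened configuration for a multi-tenant instance.
const hardenedSettings = {
  // Drop the exec node from the runtime. Older releases shipped it as
  // 75-exec.js, newer ones as 90-exec.js (assumption: check your install);
  // listing a filename that does not exist is harmless.
  nodesExcludes: ['75-exec.js', '90-exec.js'],
  // Function nodes may not pull in extra npm modules from the editor.
  functionExternalModules: false,
  externalModules: {
    autoInstall: false,
    // No installs through the palette manager, with an explicit deny-all.
    palette: { allowInstall: false, allowList: [], denyList: ['*'] },
    // No per-function-node module installs either.
    modules: { allowInstall: false, allowList: [], denyList: ['*'] },
  },
  // The editor/admin API requires a login. Placeholder hash: generate a real
  // one with `node-red admin hash-pw` and paste it here.
  adminAuth: {
    type: 'credentials',
    users: [{ username: 'admin', password: '<bcrypt hash from node-red admin hash-pw>', permissions: '*' }],
  },
};

// Return a list of human-readable findings; an empty list means every
// checked setting is in its locked-down state.
function auditSettings(settings) {
  const findings = [];
  const excludes = settings.nodesExcludes || [];
  if (!excludes.some((f) => /exec\.js$/.test(f))) {
    findings.push('exec node is not listed in nodesExcludes');
  }
  if (settings.functionExternalModules !== false) {
    findings.push('functionExternalModules is not disabled');
  }
  const ext = settings.externalModules || {};
  if (ext.autoInstall) {
    findings.push('externalModules.autoInstall is enabled');
  }
  for (const scope of ['palette', 'modules']) {
    const s = ext[scope] || {};
    if (s.allowInstall !== false) {
      findings.push(`externalModules.${scope}.allowInstall is not false`);
    }
    if ((s.allowList || []).includes('*')) {
      findings.push(`externalModules.${scope}.allowList permits any module`);
    }
  }
  if (!settings.adminAuth) {
    findings.push('adminAuth is not configured; the editor is unauthenticated');
  }
  return findings;
}

// In a real settings.js the hardened object itself is what gets exported.
if (typeof module !== 'undefined') {
  module.exports = hardenedSettings;
}
```

Running `auditSettings(weakSettings)` reports seven findings (the exec node, external function modules, both allowInstall flags, both wildcard allow lists and the missing adminAuth); `auditSettings(hardenedSettings)` reports none. The audit only covers the settings named in this thread; it says nothing about the OS account Node-RED runs under, which later replies treat as the real control.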
Can't I then just use the function node to call exec?
There are probably many ways around this - JSONata expression? A malicious user will always find a way ...
The user account which runs Node-red (Linux anyway) should not have elevated permissions such as sudo, then does it matter if they can access OS commands?
We are running multiple instances for a single OS user. One way is to create a non-sudo user for all these instances, as you said.
We can block the exec node as others have mentioned. But still a malicious user may always find a way.
No, not if access to process is inhibited:
(The function node runs in the context of a NodeJS VM with limited scope by default)
but, so long as the user can install something (via palette for example) there will always be a way.
Key to locking down, as others have suggested, is limited accounts.
There are other avenues and approaches to explore too (run NR in docker/k8s, SSO login for accessing node-red, coupled with audit logging, good backups)
Hi again, I hate to sound like a broken record - I seem to be saying this more and more lately, but something like FlowFuse does pretty much everything you want - user management, easy setup of permitted modules, multiple instances, runs in docker or k8s, has platform/team/instance/user level audit logging, point in time snapshots etc. You can of course pay for it (hosted, ready made, secured, SSO sign in etc) but it is open source - just like Node-RED!
You should ALWAYS be doing that for a production instance of node-red. This is one of the weaker aspects of the Node-RED documentation stemming from its origins.
Treat Node-RED as another microservice and similar to any other web server. Run it under a dedicated user with limited access outside its own folders. And don't install Node-RED globally.
For a true multi-user configuration, run each user in their own container or even their own VM. If using containers, use something like Kubernetes and not Docker to orchestrate everything.