Hi, me again, sorry! 
As per the thread shown below, the default working folder - as shown by an exec node running pwd on a Linux server or cd on Windows - clearly shows the working folder as being the one that the Node-RED package is installed to.
This to me feels wrong and possibly even a security issue (not sure about that, I've not done extensive testing).
I believe that it would be far more sensible to either use the userDir folder or the system's tmp or temp folder.
I can only talk about Linux, specifically Debian (RPiOS) but the /tmp directory gets cleared out at reboot so you couldn't use that.
I believe that the right place for personal data is under the user's home directory. ie /home/pi/.node-red. By default userDir is commented out in settings,js but the example path is Nick's home directory/.node-red.
The installation script does of course put application components in system directories but my non privileged user does not have write access to these.
An exec of pwd returns /home/pi, which I do think is a little odd. It means for instance that files saved from NR without an absolute path go to /home/pi not /home/pi/.node-red
The result of pwd in the thread you linked shows an almost certainly erroneous installation.
The poster claims to have write permission for this folder from the command line, so they are presumably logging in as root.
It may be an esoteric OS with it's own installation process.
The pi/Debian install script sets the working directory in the systemd script that it provides. It is set to the home directory of the user configured to run node-red.
I agree with @jbudd either the script does not work correctly on the device in the thread you linked to, or the user did not use the script, or did not use it correctly in some way.
So which "user"? This is an important distinction. Production/live environments should be using a dedicated user for Node-RED. Pi's and similar are potential outliers in their fairly extreme use of the normally logged in user such as pi.
But overall, I wouldn't fully disagree with you. It is a possibility for sure.
Not quite completely true. If no userDir is specified in settings.js or in a startup command, it defaults to the .node-red sub-folder of the user running Node-RED.
So Node-RED always has - indeed must-have - a userDir and that folder structure MUST, by definition, be writable by Node-RED otherwise a lot of functionality is lost (no ability to save flows for example).
At least an odd install. But that isn't the issue here. It is that Node-RED does not set a sensible working directory and instead leaves it up to the way it was installed.
Which again would indicate that setting the pwd deliberately for node-red would be beneficial all round.
The problem with that is that it only covers a single use-case on a single(ish) OS.
It is not true on Windows and is not true if you don't use the script to install.
And so we are back to a situation that is relatively uncontrolled with working folders that can be inappropriate for sensible and safe operation.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy