Linux Node-Red File Permissions

General
1

Hi Guys,

I am relatively new to Linux and Node Red and have been trying to find a guide on configuring the Linux (Debian 9) file system for use with Node-Red. I am trying to secure the Node-Red system using the Node-Red-Admin tools as per the user guide using sudo (https://nodered.org/docs/user-guide/node-red-admin), but it is throwing permission denied errors. I suspect I will also run into errors when I install SQLITE and try to create a database.

I am using a single board Linux box (not a Pi) using a named user with sudo priveledges, not root.

Is there a guide anypone kinows of on how the file structure should be setup including permissionins to allow seamless operation of Node-Red without turning off all security?

Cheers.

2

You will need to share the errors. Running as sudo shouldn't give any permission errors since, by definition, you are taking on the persona of "root". It isn't impossible for root to be denied access but it implies a fairly messed up installation if you do.

The only things you should install with sudo in regard to Node-RED is anything that you really need to install globally. For example, if using npm install -g .... That should only be Node-RED itself and node-red-admin.

A good way to see the best configuration for a "standard" install is to look at Dave's script for the Pi. In fact, as you are using Debian, there is a very good chance that his script will work for you anyway. Though it would install some Pi specific nodes that you don't really need. It also assumes that you are using the user pi as well I think, you could always just temporarily create the pi user I guess.

Other than the two global installs, you should install everything else as the user you want to run Node-RED. If using systemd to run on boot, you will also need to specify the user in the start script.

Otherwise, Node-RED runs happily in user space with standard permissions. You will need to add your user to any special groups like wheel for hardware access but that is all.

3

actually the script asks if you want the Pi nodes or not - and it also runs as the user you run it as and modifies the service start file to suit - so it should run just fine on debian as any user. It will ask for sudo password to install node.js and the core of Node-RED as root.

1 Like
4

I knew that I shouldn't have doubted you Dave :grinning:

5

I did use the debian install script and declined the Pi nodes option. The issue I am running into is around the node-red-admin install for the security guide:
sudo npm install -g node-red-admin
I am getting the following output:

sudo npm install -g node-red-admin

/usr/bin/node-red-admin -> /usr/lib/node_modules/node-red-admin/node-red-admin.js

> bcrypt@3.0.7 install /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download
node-pre-gyp WARN Pre-built binaries not installable for bcrypt@3.0.7 and node@12.13.1 (node-v72 ABI, glibc) (falling back to source compile with node-gyp)
node-pre-gyp WARN Hit error EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib'
gyp WARN EACCES current user ("nobody") does not have permission to access the dev dir "/root/.cache/node-gyp/12.13.1"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/.node-gyp"
gyp WARN install got an error, rolling back install
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/.node-gyp'
gyp ERR! System Linux 4.4.0-cip-uc8100+
gyp ERR! command "/usr/bin/node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "configure" "--fallback-to-build" "--module=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding/bcrypt_lib.node" "--module_name=bcrypt_lib" "--module_path=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding" "--napi_version=5" "--node_abi_napi=napi" "--napi_build_version=0" "--node_napi_label=node-v72"
gyp ERR! cwd /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
gyp ERR! node -v v12.13.1
gyp ERR! node-gyp -v v5.0.5
gyp ERR! not ok
node-pre-gyp ERR! build error
node-pre-gyp ERR! stack Error: Failed to execute '/usr/bin/node /usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js configure --fallback-to-build --module=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding/bcrypt_lib.node --module_name=bcrypt_lib --module_path=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding --napi_version=5 --node_abi_napi=napi --napi_build_version=0 --node_napi_label=node-v72' (1)
node-pre-gyp ERR! stack     at ChildProcess.<anonymous> (/usr/lib/node_modules/node-red-admin/node_modules/node-pre-gyp/lib/util/compile.js:83:29)
node-pre-gyp ERR! stack     at ChildProcess.emit (events.js:210:5)
node-pre-gyp ERR! stack     at maybeClose (internal/child_process.js:1021:16)
node-pre-gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)
node-pre-gyp ERR! System Linux 4.4.0-cip-uc8100+
node-pre-gyp ERR! command "/usr/bin/node" "/usr/lib/node_modules/node-red-admin/node_modules/.bin/node-pre-gyp" "install" "--fallback-to-build"
node-pre-gyp ERR! cwd /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
node-pre-gyp ERR! node -v v12.13.1
node-pre-gyp ERR! node-pre-gyp -v v0.13.0
node-pre-gyp ERR! not ok
Failed to execute '/usr/bin/node /usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js configure --fallback-to-build --module=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding/bcrypt_lib.node --module_name=bcrypt_lib --module_path=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding --napi_version=5 --node_abi_napi=napi --napi_build_version=0 --node_napi_label=node-v72' (1)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: bcrypt@3.0.7 (node_modules/node-red-admin/node_modules/bcrypt):
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: bcrypt@3.0.7 install: `node-pre-gyp install --fallback-to-build`
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Exit status 1

+ node-red-admin@0.1.5
updated 1 package in 65.314s
6

I run node-red on debian, but i am wondering as you state:

I am trying to secure the Node-Red system using the Node-Red-Admin tools

Although I never heard of node-red-admin, it is used for:

The node-red-admin command-line tool allows you to remotely administer a Node-RED instance.

How does this make node-red secure ?

sidenote: your output shows that it was installed, (although you get some errors for bcrypt, but it will continue).

7

I was following the guide to secure access to the programming interface as the Linux system will not be in a secure environment (https://nodered.org/docs/user-guide/runtime/securing-node-red).

Part of securing the interface is generating the password hash which they recommend using the node-red-admin command line tool.

When I ran the install, I sawe a whole heap of errors and assumed that it had failed, but as you have pointed out, it did install and does work :slight_smile:

My concern now is the error being thrown for file access permissions. Really I am chasing feedback as to whether I need to cange permissions on any of the folders to allow installtion of any additional modules or allow a node-red flow to create files (i.e. SQLite DB). By the sounds of it, I should be OK??

I am now running into issues with SQLite insrtallation which I need to search the forum for answers.

8

You need to check out the permissions on these folders to find out what is happening.

Well that is kind of correct in that user "nobody" shouldn't have any access to that folder which belongs to root.

It is time you told us which board because frankly I'm not convinced you have a well installed version of Linux there.

9

I am using a Moxa UC-8112 industrial Linux PC. I thought I was running Debioan 9, but it looks like Debian 10!!

Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

Will Debian 10 cause me grief?

10

Will Debian 10 cause me grief?

No. I am running 10.

You really should have installed it without using sudo.
To proceed without using node-red-admin and hash the password:

Alternative, you can run the following command from within the Node-RED install directory:

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

What version of npm and node are you using ? (npm -v, node -v)