Restarting node-red service in Bookworm OS

Hello @jbudd , @Colin and @DiverRich ,

Thanks for helping me out. Yes, it’s a revpi-nodered, not the std. node-red.

Finally managed to execute a node-red restart and sudo reboot by

  1. Editing the unit file with ‘sudo nano /lib/systemd/system/nodered.service’

	# systemd sandboxing process
	ProtectSystem=strict
	ProtectControlGroups=yes
	ProtectKernelModules=no
	ProtectKernelTunables=no

  2. Then created the override file with the below settings.

	### Editing /etc/systemd/system/nodered.service.d/override.conf
	### Anything between here and the comment below will become the new contents of the file

	[Service]
	NoNewPrivileges=no
	ProtectSystem=on
	PrivateTmp=yes

  3. Finally added the service for node-red restart and reboot in sudo visudo

	nodered ALL=NOPASSWD: /bin/systemctl restart nodered.service, /sbin/reboot

	nodered  ALL=(ALL)  NOPASSWD:  /usr/bin/node-red-restart
	Defaults:nodered !requiretty

  4. From my node-red exec node, using sudo /sbin/reboot and sudo /bin/systemctl restart nodered.service (refer to the picture below)

I’m not certain if this is the most appropriate way to implement the functionality while ensuring security and avoiding potential vulnerabilities.

Kindly advise if anything can be improved with this approach.

@Colin: Thanks for the link (Documentation=https://gitlab.com/revolutionpi/noderedrevpinodes-server), I will check this out.

Best Regards,

Mani

That looks good to me, though, since you are using the systemctl restart command to restart the service, not node-red-restart, you don't need nodered ALL=(ALL) NOPASSWD: /usr/bin/node-red-restart

Well you have reduced the security by allowing sudo commands when running node-red. However, since you have limited that to the restart and reboot commands this is unlikely to be a problem. I assume that your node-red is not accessible to the internet anyway, so that means that any attacker has to have broken in via another route already, so restarting node-red or rebooting is unlikely to be a problem.
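An added illustration, not part of any post in this thread: a small Python check of the point made above, that the sudoers entries for the nodered user should grant only the commands actually used. The sample text is constructed from the sudoers lines quoted in the thread; the function names and the allow-list are assumptions, and the parser handles only simple one-line user specifications.

```python
import re

# "<user> <host> = [(runas)] [TAG:] cmd[, cmd...]" on one line. Assumptions of
# this sketch: no aliases, no line continuations, no commas inside arguments.
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?P<rest>.+)$")
RUNAS = re.compile(r"^\((?P<runas>[^)]*)\)\s*")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")

# Constructed sample: the three sudoers lines from the original post.
SAMPLE = (
    "nodered ALL=NOPASSWD: /bin/systemctl restart nodered.service, /sbin/reboot\n"
    "nodered  ALL=(ALL)  NOPASSWD:  /usr/bin/node-red-restart\n"
    "Defaults:nodered !requiretty\n"
)
# Assumed allow-list: the two commands the exec node really calls.
ALLOWED = {"/bin/systemctl restart nodered.service", "/sbin/reboot"}

def parse_rules(text, user):
    """Yield (lineno, runas, nopasswd, command) for each command granted to user."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = SPEC.match(line)
        if line.startswith("Defaults") or not m or m["user"] != user:
            continue
        runas, nopasswd = "root", False              # sudoers defaults
        for item in m["rest"].split(","):
            item = item.strip()
            if (r := RUNAS.match(item)):             # "(ALL)" style runas spec
                runas, item = r["runas"].strip(), item[r.end():]
            while (t := TAG.match(item)):            # tags carry over to later commands
                if t["tag"] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t["tag"] == "NOPASSWD"
                item = item[t.end():]
            yield lineno, runas, nopasswd, " ".join(item.split())

def audit(text, user, allowed):
    """Return (lineno, command, runas, nopasswd) for grants outside the allow-list."""
    return [(n, cmd, runas, nopw)
            for n, runas, nopw, cmd in parse_rules(text, user)
            if cmd not in allowed]

if __name__ == "__main__":
    for n, cmd, runas, nopw in audit(SAMPLE, "nodered", ALLOWED):
        print(f"line {n}: unexpected grant {cmd!r} (runas={runas}, nopasswd={nopw})")
```

Run against the sample, it reports only the `/usr/bin/node-red-restart` rule on line 2. For a real file, `visudo -c` remains the syntax check; this only compares grants with the intended list.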

Thanks @Colin for your swift feedback.

Yes, I too feel the same in terms of security (only node-red restart and reboot).

Reaching out to the supplier to provide the most optimal solution.

Thanks for pointing out ‘nodered ALL=(ALL) NOPASSWD: /usr/bin/node-red-restart’; it has been removed now.

Best Regards,

Mani

The most secure solution would be to use a cron task to do the reboot.