Run nodes with root privileges

#1

Hi everybody!
There are nodes requiring root privileges in order to run (e.g. amazondash, sonoff server, ...).
Is there a way to run those specific nodes in a "sudo" way?
Thanks!
Cheers

0 Likes

#2

What are the exact nodes you are interested in? Please use the exact name of the node. Searching for “Amazon” came up with node-red-contrib-amazon dash but it hasn’t been updated in three years...

Also, you can’t run just one node as sudo; that would be escalation of privileges.

0 Likes

#3

The usual way to handle this is to give a group the permissions to do whatever is needed, then add the node-red user to that group. However, as @zenofmud said, that does depend on the particular nodes you are using.

0 Likes

#4

Hi guys, thanks for your replies.
@zenofmud yep, I'm using that node (amazondash), as well as the sonoff server, that is quite old.
@Colin in Linux you can handle permissions for executing scripts by changing the SUID permission instead of using sudo, but I don't like that way so much.
Actually, right now I'm running a second instance of Node-RED as the root user (in order to run that kind of node), then exchanging data with the standard user instance over MQTT, but it's just a quick and dirty workaround.

0 Likes

#5

That is not what I meant. Most things that appear to require root access can also be accessed by members of a particular group. By adding the node-red user to that group, node-red gains access to that part of the system. For example, on a Pi, the user can be added to the gpio group to gain access to the I/O pins without needing to be root.
What sonoff server are you trying to access?

1 Like

#6

This is the correct way, in general, to do it.

Obviously, whatever you do, be careful if you plan to ever give access to Node-RED over the internet. The more you change permissions, the more likely it is to come back and bite you.

0 Likes

#7

Hi @Colin, node-red-contrib-sonoff-server is the sonoff server you can't run if you are not root (or you don't have privileges), if I remember well, because of the websocket ports used (443).

0 Likes

#8

I believe you can use the setcap command to allow a user to bind to low numbered ports.

1 Like

#9

Yep @Colin, in that case sure.
And similarly in the case of amazondashbutton (Node-red on debian - libpcap/amazon dash).
So the answer to my first question is that no, it's not possible to run flows / nodes with root privileges.
You have to solve it on the OS side first.
Or run another instance of node-red as root and then serve data, e.g. through MQTT.
Is that correct?
Thanks
M

0 Likes

#10

Node-RED runs as a single process. That process either has privileges or it doesn't. The OS will treat all system calls from the process the same way.

0 Likes

#11

Yes, I believe so. However, the point is that it is much better to solve it by alternative means. Running node-red as root is likely to be a security risk. Also, when running as root, a bug in a node or a flow could compromise your system.

1 Like
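
The point in #10 that privilege belongs to the whole process, and the setcap suggestion in #8, can be checked on a running system. The following is an added example, not part of any post in this thread: it decodes the `CapEff` mask from `/proc/<pid>/status` text to show whether a non-root process holds the capability for binding port 443 (CAP_NET_BIND_SERVICE) or for raw sockets (CAP_NET_RAW, assumed here to be what a libpcap-based node needs). The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Bit numbers come from linux/capability.h.
CAP_NET_BIND_SERVICE=10   # bind to ports below 1024, e.g. 443
CAP_NET_RAW=13            # raw/packet sockets (assumed need of libpcap-based nodes)

# cap_has HEXMASK BIT -> succeeds if that capability bit is set in the mask
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_status STATUS_TEXT -> one-line verdict for the process described by
# the contents of /proc/<pid>/status.
audit_status() {
    # Uid: columns are real, effective, saved, filesystem; we want the effective one.
    euid=$(printf '%s\n' "$1" | awk '$1 == "Uid:" { print $3; exit }')
    mask=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }')
    if [ -z "$euid" ] || [ -z "$mask" ]; then
        echo "unparseable"; return 1
    fi
    if [ "$euid" -eq 0 ]; then
        echo "euid=0 root"; return 0
    fi
    bind=no; raw=no; other=no
    cap_has "$mask" "$CAP_NET_BIND_SERVICE" && bind=yes
    cap_has "$mask" "$CAP_NET_RAW" && raw=yes
    # Anything beyond the two capabilities of interest is flagged for review.
    wanted=$(( (1 << $CAP_NET_BIND_SERVICE) | (1 << $CAP_NET_RAW) ))
    [ $(( 0x$mask & ~$wanted )) -ne 0 ] && other=yes
    echo "euid=$euid bind_low_ports=$bind raw_sockets=$raw other_caps=$other"
}

# Constructed sample status excerpts (not captured from a real system).
ROOT_STATUS='Name: node
Uid: 0 0 0 0
CapEff: 000001ffffffffff'
SETCAP_STATUS='Name: node
Uid: 1000 1000 1000 1000
CapEff: 0000000000000400'
PLAIN_STATUS='Name: node
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000'

for s in "$ROOT_STATUS" "$SETCAP_STATUS" "$PLAIN_STATUS"; do
    audit_status "$s"
done
# On a live system: audit_status "$(cat /proc/<pid>/status)"
```

The verdict is per process: every node and flow loaded into that Node-RED process shares whatever the mask grants.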

#12

Got it!
Thanks guys for all the suggestions!

Cheers 🙂

0 Likes