Using exec node as root

I'm new here so first of all hello to everyone.

I have a Victron Cerbo GX with Venus OS and a node-red v3.1.10 instance is running there. Node-red itself works fine, but I have a problem that I lost remote access to the device via ssh. Access is only from the local network, but now I'm far away and unfortunately I don't have the ability to log in from the local network. Node-red is started by the nodered user and I need root access. I know the root password, I have access to the device console etc.

I could modify rc.local to start VPN and restore access. I'm trying to run various commands in the exec node, but everything works for the nodered user, using sudo requires entering the password from the terminal and this can't be done in the node, and ASK_SUDO and then sudo -A doesn't work in the exec node although I know it works on Venus OS itself (I checked on another device with the same configuration).

Does anyone have an idea how to run commands in the exec node as root?

I use this in an exec node on one of my flows to shutdown a Raspberry Pi.

echo " <insert password here> " | sudo -S shutdown -h now

Be cautious:
This exposes your password in plaintext, which is insecure and should be avoided in most situations.

A better idea, avoiding using your password in plain text in the flows file, is to use sudo your_command in the exec node, and, in a command window, run sudo visudo to allow the node red user to run that command with sudo without having to enter a password.
So, for example, to allow the use of sudo shutdown in an exec node, for the user nodered, use sudo visudo and add

nodered ALL=(ALL) NOPASSWD: /sbin/shutdown


A tiny tweak to @dynamicdave's suggestion is to use (eg)

echo "Password1" | sudo -kS shutdown -h now

The -k flag resets the sudo timer, ensuring that sudo does ask for the password every time.

But still the system password is included in plain text in the flow, which is a really bad idea.

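An added example, not part of any post in this thread: a small audit over a Node-RED flows export that flags exec nodes piping a literal password into `sudo -S` (the pattern the replies above warn against) and lists exec nodes that call sudo without one, which depend on a narrow NOPASSWD sudoers rule. The sample flow is constructed, the function name and issue labels are this example's own, and it assumes exec nodes keep their command line in the `command` property.

```javascript
// Constructed sample of a flows export (JSON array of nodes); not from the thread.
const sampleFlows = [
  { id: "n1", type: "exec", name: "halt", command: 'echo "Password1" | sudo -kS shutdown -h now' },
  { id: "n2", type: "exec", name: "halt2", command: "sudo shutdown -h now" },
  { id: "n3", type: "exec", name: "uptime", command: "uptime" },
  { id: "n4", type: "function", name: "note", func: "return msg;" },
  { id: "n5", type: "exec", name: "check", command: "printf '%s\\n' hunter2 | sudo --stdin id" },
];

// sudo reading its password from stdin: -S alone, bundled (e.g. -kS), or --stdin.
const SUDO_STDIN = /\bsudo\b[^|;&]*?\s(?:-[A-Za-z]*S[A-Za-z]*|--stdin)\b/;
// echo/printf with a literal argument feeding a pipe.
const LITERAL_PIPE = /\b(?:echo|printf)\b[^|]+\|/;
const ANY_SUDO = /\bsudo\b/;

// Returns one finding per risky exec node. The command text is deliberately
// left out of the findings so the report does not repeat the password.
function auditFlows(flows) {
  const findings = [];
  for (const node of flows) {
    if (node.type !== "exec" || typeof node.command !== "string") continue;
    const cmd = node.command;
    if (SUDO_STDIN.test(cmd) && LITERAL_PIPE.test(cmd)) {
      // Password is stored in plain text in the flows file.
      findings.push({ id: node.id, name: node.name, issue: "password-in-flow" });
    } else if (ANY_SUDO.test(cmd)) {
      // No password in the flow: works only with a NOPASSWD rule, which
      // should name this exact command rather than ALL.
      findings.push({ id: node.id, name: node.name, issue: "relies-on-sudoers" });
    }
  }
  return findings;
}

for (const f of auditFlows(sampleFlows)) {
  console.log(`${f.id} (${f.name}): ${f.issue}`);
}
```

To audit a real instance, pass the parsed contents of the flows file to `auditFlows` instead of `sampleFlows`.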

Thanks for the quick replies.

@dynamicdave and @jbudd
Passing the password this way does not work on my Node-red instance. I tried a few other methods and they don't work in Node-red either.

@Colin
Modifying sudoers is possible for root via ssh, but I don't have that access and I want to get it. I'll do it when I get access :wink:

Don't modify the file directly, use visudo, unless there is really no other option. Otherwise you may end up with a messed up system.

Yes of course it is a really bad idea to expose your password in the flow file.

I think @lukjasin said he does not have ssh access. How can he run visudo?

Perhaps this is a feature of the Victron setup, it works for me on a Raspberry Pi.

Can you show us your exec command and the output from exec's stderr?
Obfuscate your password before posting!

He said he is going to get it:

I read that as I'll do it when I get access [by Node-red jiggery-pokery]

I found that I can use exec and a sed command file to edit a root-owned file in a directory I don't have write access to.

echo 'Password1' | sudo -kS sed -i -f /home/pi/sedfile /var/log/junk

It would be dangerous to use something like that to edit /etc/sudoers as, if you mess that up, you can end up with an unusable system.

I spent quite a bit of time trying different ways to get around the limitations of VenusOS on a Cerbo GX using Node-red - mostly to try and regain access or run privileged commands directly from a flow. And turns out not much luck :sweat_smile:

Even though echo 'password' | sudo -S ... works fine in a terminal, it doesn’t behave the same in a node-red exec node. Looks like stdin doesn’t get passed to sudo properly in that context.
VenusOS comes with a super minimal version of sudo, no support for sudo_askpass (checked with sudo -V, nothing mentioned) and requires tty for password input, which node-red obviously doesn’t have.
I tried all the usual tricks (echo + sudo, askpass, custom scripts) but it always ends up failing or just silently doing nothing. So yeah, it's not really possible to elevate privileges through Node-red alone on this system.

Guess I’ll need to find someone local to connect into the Cerbo and fix things manually.

And damn… it’s been ages since I last used sed😄