I was just playing with speedtest and it was suggested I use a Ubuntu command speedtest-cli
I installed it and it is installed in /usr/bin/
And - surprisingly to me in some ways - it works when I put it in the exec node.
WHY?
I thought node-red was sandboxed to it's directory and sub-folders.
Not super concerning, but just to help me learn.
An exec node can do anything that the user running node red can do. The sandbox is for the function node.
Can you expand on this?
This flow runs OS commands with execSync() in a function node.
I don't think I have made any changes in settings.js to enable this.
[{"id":"f25f5b82ef69d0c5","type":"function","z":"24571e38fbe87e0f","name":"function 10","func":"try {\n msg.payload = childProcess.execSync(msg.payload).toString().trim();\n} catch (err) {\n // If there's an error, attach it to the message\n msg.payload = `Error executing command: ${err.message}`;\n}\n\nreturn msg;","outputs":1,"timeout":0,"noerr":0,"initialize":"","finalize":"","libs":[{"var":"childProcess","module":"child_process"}],"x":670,"y":100,"wires":[["32aad220a2dded1f"]]},{"id":"f59cde23e2bc699e","type":"inject","z":"24571e38fbe87e0f","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"whoami","payloadType":"str","x":510,"y":100,"wires":[["f25f5b82ef69d0c5"]]},{"id":"32aad220a2dded1f","type":"debug","z":"24571e38fbe87e0f","name":"debug 4","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","statusVal":"","statusType":"auto","x":680,"y":140,"wires":[]},{"id":"eecb5aa49634c09c","type":"inject","z":"24571e38fbe87e0f","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"","payload":"sudo whoami","payloadType":"str","x":490,"y":140,"wires":[["f25f5b82ef69d0c5"]]}]
It is sandboxed from the node process running node-red. It uses the node VM
if you use process exec or spawn, etc, you can still do things like access the system. That is why you should always use a service account with just the right amount of permissions to do what you want to let node-red do to your system.
Thanks Steve.
And it is also important to know the 'sandbox' the Function node runs code in is not a completely secure sandbox. It prevents casual access to things that shouldn't be accessed, but JavaScript provides many ways to circumvent it.
Thanks all.
This came about because of what was mentioned in the first post.
So - to confirm I understand:
NR can run any command I can (non root).
Now to (sorry) digress....
So where does the public directory configured in the settings fit in?
Is that the ..... root directory for any file I/O?
Though if it is the root: why is it I have to keep putting in the full path from THE root (top) directory?
eg:
/home/me/.node-red/public/(what ever)
and not just (what ever)?
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy