DietPi-Software | Node-RED: Run under nodered? #1294

Closed
TerryE opened this issue Dec 11, 2017 · 18 comments
Comments

@TerryE

TerryE commented Dec 11, 2017

Required Information:

  • DietPi Version: 159
  • SBC Device: RPi 3
  • Power supply used: RPI 3 standard 5V 2.5A
  • SD card used: Sandisk ultra 8Gb + USB attached Kingston UV400 120Gb SSD
  • Distro: 4.9.62-v7+ armv7l GNU/Linux

Additional Information (if applicable):

  • Node-red
  • Standard DietPi install

Expected behaviour:

Node red is intended to be run from an unprivileged service account (much in the same way that Apache2 typically uses www-data), and hence node red flow developers do not have direct access to root services. Linux provides standard sandboxing patterns (e.g. using /etc/sudoers) if specific privileged functions need to be made accessible to flows.

Actual behaviour:

Node-red runs as root, and this means that any flow has full root access to the processor.

Steps to reproduce:

Construct a minimal flow timestamp -> exec -> debug with the exec script as ps -u and you get a ps -u root listing. Alternatively replace this by a shutdown -H now to get a better idea of the vulnerability.

Did you submit a dietpi-bugreport?

No, not for this one.

Extra details:

I will post my suggested workaround here when done.

@k-plan k-plan changed the title Nodered service runs as root DietPi-Software | Nodered service runs as root Dec 11, 2017
@k-plan
Contributor

k-plan commented Dec 11, 2017

@TerryE

Hi,
can you please share with us:

cat /etc/debian_version

Extra details:
I will post my suggested workaround here when done.

Nice, thanks. We are excited.

@TerryE
Author

TerryE commented Dec 12, 2017

can you please share with us: cat /etc/debian_version

8.0

This install was only done a few days ago.

@Fourdee Fourdee added this to the v160 milestone Dec 12, 2017
@Fourdee
Collaborator

Fourdee commented Dec 12, 2017

@TerryE

Thanks for the information, confirmed we currently use root for this installation:
https://github.com/Fourdee/DietPi/blob/master/dietpi/dietpi-software#L9742-L9764

@DarkElvenAngel

I have two installations where I use node-red: my main NAS server and a Kodi box. It was a simple task to add a node-red user and set up sudo on my NAS. However it can be very convenient to have node-red running under root as it does on my Kodi box where I use it to shutdown and reboot the system.

I would suggest having an option to have node-red run under either its own user or root.

@TerryE
Author

TerryE commented Dec 12, 2017

However it can be very convenient to have node-red running under root as it does on my Kodi box where I use it to shutdown and reboot the system.

@DarkElvenAngel , you do not need to run Node red as root to do this, but you do need to learn how to use sudoers.

@TerryE
Author

TerryE commented Dec 12, 2017

@Fourdee Dan, the DietPi installation sometimes uses a convention which isn't aligned to normal Linux practices. I've raised this as a separate issue #1297

@DarkElvenAngel

@TerryE you're exactly right, I don't need to run as root. I just never bothered to set my Kodi box to run as its own user.

@DarkElvenAngel

@Fourdee I have already set up and run node-red as its own user; would there be a good place to post my setup?

@Fourdee Fourdee self-assigned this Dec 13, 2017
@Fourdee Fourdee changed the title DietPi-Software | Nodered service runs as root DietPi-Software | Run nodered under www-data Dec 13, 2017
@Fourdee
Collaborator

Fourdee commented Dec 13, 2017

@DarkElvenAngel

@Fourdee I have already set up and run node-red as its own user; would there be a good place to post my setup?

Thanks for the offer, by all means post if you are willing to share 👍

@DarkElvenAngel

DarkElvenAngel commented Dec 14, 2017

I'm attaching my setup for node-red that runs under its own user. UPDATED
Stop the node-red service:

service node-red stop

Next, edit /etc/systemd/system/node-red.service and change User=root to User=node-red:

nano /etc/systemd/system/node-red.service

[Unit]
Description=Node-Red

[Service]
Type=simple
User=node-red
ExecStart=/usr/local/bin/node-red -u /mnt/dietpi_userdata/node-red

[Install]
WantedBy=multi-user.target

Create a user and group for node-red:
addgroup --system --gid 155 node-red
adduser --system --home /mnt/dietpi_userdata/node-red --no-create-home --shell /bin/false --uid 155 --gid 155 node-red

Give the user node-red the ability to write to its directory:

chmod ug+rwx -R  /mnt/dietpi_userdata/node-red
chown node-red:node-red -R  /mnt/dietpi_userdata/node-red

Since we have changed the service, run
systemctl daemon-reload

Then we start the node-red service with
service node-red start

Now node-red is running under the node-red user.

If you want node-red to run commands with sudo we run
echo "node-red ALL=NOPASSWD: ALL" >> /etc/sudoers
and add user node-red to the sudo group
adduser node-red sudo

NOTES:
I've updated this post to conform to *nix standards and to confirm that using node-red as a system user and group now works out of the box.

@DarkElvenAngel

@TerryE for your application you can try using the www-data user, but I haven't tested that. I know this setup works; it's been running for 8+ months.

@TerryE
Author

TerryE commented Dec 14, 2017

@DarkElvenAngel, as a general principle you should use separate service accounts for separate services. That way you have the option of using UID / GID-based access control to isolate web apps from Node RED ones, etc. Such dynamically allocated service accounts are usually allocated in the 100-499 range(1), not 55 as you have used. 😄

@DarkElvenAngel

@TerryE I choose 55 because I need a static UID that is available on all nodes on the network. 55 is not used.

On FreeBSD, porters who need a UID for their package can pick a free one from the range 50 to 999 and then register the static allocation.

@TerryE
Author

TerryE commented Dec 14, 2017

On FreeBSD, porters who need a UID for their package can pick a free one from the range 50 to ...

Sorry, I didn't realise that you used BSD. Even so, if you want to apply this to other *nix platforms then it makes sense also to comply with the Linux Standard Base Core Specification.

@DarkElvenAngel

DarkElvenAngel commented Dec 14, 2017

@TerryE so I will update to UID:GID 155:155 and that should satisfy all requirements, yes? I've updated my setup post. Thanks for the insight.

@TerryE
Author

TerryE commented Dec 16, 2017

@Fourdee perhaps you can unlock #1297 so I can respond in the correct issue. Re logs, the services still log to the RAMdisk /var/log hierarchy. DietPi optionally preserves these statically prior to shutdown. The correct place to do this is in the /var/lib/dietpi hierarchy, though there is no reason why this shouldn't optionally be symlinked to a node in another FS.

@k-plan k-plan changed the title DietPi-Software | Run nodered under www-data DietPi-Software | Node-RED: Run under www-data Dec 22, 2017
@TerryE
Author

TerryE commented Dec 28, 2017

@Fourdee Dan, BTW I think that the title is wrong: it should be Run nodered under its own service account. There are good reasons why this should be separate from www-data.

@DarkElvenAngel, you typically don't statically allocate service account UIDs. I created my version by

adduser --system --group --no-create-home --shell=/bin/nologin nodered
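
The least-privilege version of the setup discussed in this thread, as an added example that is not code from DietPi or from any commenter: it renders a systemd unit that runs Node-RED as the nodered service account (the account TerryE's adduser line above creates) and a sudoers drop-in that grants only the shutdown/reboot commands a flow needs, in place of "node-red ALL=NOPASSWD: ALL". The account name, the /usr/local/bin path and the hardening directives are assumptions; the data directory is the one used in the thread.

```shell
#!/bin/sh
# Added example (not DietPi's or any commenter's code). Renders a systemd unit and a
# sudoers drop-in for a Node-RED service account, and checks the sudoers grant is not
# unrestricted root. Account name and paths are assumptions except the data dir.
set -eu
NR_USER=${NR_USER:-nodered}
NR_DATA=${NR_DATA:-/mnt/dietpi_userdata/node-red}   # data dir from the thread

render_unit() {
  cat <<EOF
[Unit]
Description=Node-RED
After=network.target

[Service]
Type=simple
User=$NR_USER
Group=$NR_USER
ExecStart=/usr/local/bin/node-red -u $NR_DATA
# Hardening that still lets the account call sudo (so no NoNewPrivileges=yes):
ProtectSystem=full
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}
render_sudoers() {
  cat <<EOF
# Only the privileged actions flows may trigger (the Kodi shutdown/reboot case).
Cmnd_Alias NR_POWER = /sbin/shutdown -H now, /sbin/shutdown -r now
$NR_USER ALL=(root) NOPASSWD: NR_POWER
EOF
}
# Print the account a unit file runs under (empty means it would default to root).
unit_user() { sed -n 's/^User=//p' "$1"; }
# Exit 0 if a sudoers file hands the account unrestricted root, e.g. "ALL=NOPASSWD: ALL".
sudoers_is_unrestricted() {
  grep -Eq "^$NR_USER[[:space:]]+ALL=.*[[:space:]]ALL[[:space:]]*$" "$1"
}
# Stage both files into DIR; copy them into /etc/systemd/system and /etc/sudoers.d as root.
write_files() {
  mkdir -p "$1"
  render_unit > "$1/node-red.service"
  render_sudoers > "$1/$NR_USER"
  chmod 0440 "$1/$NR_USER"          # sudoers drop-ins must be mode 0440
  if command -v visudo >/dev/null 2>&1; then   # syntax-check before installing
    visudo -cf "$1/$NR_USER" >/dev/null || echo "warning: visudo rejected $1/$NR_USER" >&2
  fi
}
[ $# -eq 0 ] || write_files "$1"
```

Run it with a staging directory as the only argument (e.g. ./stage), inspect the two files, then install them as root and reload systemd.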

@Fourdee Fourdee changed the title DietPi-Software | Node-RED: Run under www-data DietPi-Software | Node-RED: Run under www-data/nodered? Dec 29, 2017
@Fourdee Fourdee changed the title DietPi-Software | Node-RED: Run under www-data/nodered? DietPi-Software | Node-RED: Run under nodered? Dec 29, 2017
Fourdee referenced this issue Dec 29, 2017
+ DietPi-Software | NodeRed: Corrected user which nodered runs under,
now runs as its own user, created during install:
https://github.com/Fourdee/DietPi/issues/1294#issuecomment-354314318
@Fourdee
Collaborator

Fourdee commented Dec 29, 2017

NodeRed will run under user nodered in v160, thanks @TerryE 👍

Test install passed.
Completed.

@Fourdee Fourdee closed this as completed Dec 29, 2017
@Fourdee Fourdee mentioned this issue Jan 28, 2018