[enhancement]: add option to prevent setcap on node #2564
Comments
In addition, please clearly document WHY setcap is used and what privileges are assigned to node. As the main node image gets raised privileges, every script executed by any user gets elevated privileges. So - if I'm correct - node myscript.js is running with more privileges than at a standard installation. This could create security concerns if the system is not dedicated to ioBroker. So this should be clearly documented if it cannot be avoided at all.
Regarding the readme, it may be better in the installer repo, as it is generally set there and just reset after upgrades in controller. We could prevent it by an env var if this is desirable in controller. Was there a discussion about the topic which I missed?
The primary discussion was at the telegram starters channel. A remote dev-server installation was not functional as js-controller was not found. NODE_PATH was set correctly but was ignored by node due to setcap. There have been at least two users affected. Dev-server --link might help. But the fact that NODE_PATH is ignored was surprising. The second part about raising privs for all users has been added by me. It's a personal security concern. I do not know what security changes are applied in detail (and why). I cannot remember that I have been informed during installation either. In general it's completely OK if a software adds privileges for its own ecosystem during installation. Elevating node enables elevated privs for all users if I'm correct. Users should be informed to know security related effects. And again, it depends on the detailed caps added.
Thanks for the clarification. If dev-server link helps, it is probably the more straightforward solution compared to using an env variable to prevent setting the capabilities. As mentioned, regarding install information and documentation I would see it in https://github.com/ioBroker/ioBroker
OK, thanks for the info on what capabilities are used. Security risks seem to be minimal. Maybe we could add some sort of warning to the installation procedure so that users must accept the fact that some network related capabilities are set systemwide? I suggest that you discuss that a code team. I think that every user will accept - most of them would accept if you request to store the root password in a public readable file named 'root_password' too :-). But if there's such an information, we could avoid that anyone later states that ioBroker unexpectedly opens security holes and does not document this. Think we do not need any such statement anywhere. Maybe this info should be logged during upgrades and iob fix too. Related to NODE_PATH, maybe dev-server or dev-server setup could check capabilities and output a warning / error. If linking works, then we could drop NODE_PATH. But I do not know whether linking will work at windows and mac too. (But that's more an issue for dev-server.)
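The capability check suggested in the comment above, as an added example that is not part of the thread and not dev-server or ioBroker code: it parses `getcap` output for the node binary and reports whether NODE_PATH will be ignored. The function names, the binary path and the sample `getcap` lines are assumptions; the capability names are illustrative, since the thread does not list them.

```javascript
// Added example; function names are hypothetical, not dev-server or ioBroker code.
// Constructed getcap output in the older and newer libcap layouts. The capability
// names are illustrative; the thread does not list the ones ioBroker sets.
const SAMPLE_OLD = '/usr/bin/node = cap_net_admin,cap_net_bind_service,cap_net_raw+eip';
const SAMPLE_NEW = '/usr/bin/node cap_net_admin,cap_net_bind_service,cap_net_raw=eip';

// Parse `getcap` output into [{ path, caps }]. Empty output means no file
// capabilities. Paths containing spaces are not handled.
function parseGetcap(output) {
  const entries = [];
  for (const raw of output.split('\n')) {
    // Path, optional " = " separator (older libcap), then the capability clauses.
    const m = raw.trim().match(/^(\S+)\s+(?:=\s+)?(\S.*)$/);
    if (!m) continue;
    const caps = new Set();
    for (const clause of m[2].split(/\s+/)) {
      // Drop the trailing operator and flag letters, e.g. "+eip" or "=ep".
      const names = clause.replace(/(?:[+=-][eip]*)+$/i, '');
      // A bare "=ep" clause names no capability: it applies to all of them.
      if (names === '') caps.add('all');
      for (const n of names.split(',')) if (n) caps.add(n.toLowerCase());
    }
    entries.push({ path: m[1], caps: [...caps] });
  }
  return entries;
}

// Decide what to tell the developer before an adapter is started via NODE_PATH.
function checkNodePath(getcapOutput, nodeBinary, env) {
  const entry = parseGetcap(getcapOutput).find((e) => e.path === nodeBinary);
  const caps = entry ? entry.caps : [];
  if (caps.length === 0) {
    return { level: 'ok', caps, message: 'no file capabilities on node' };
  }
  if (env.NODE_PATH) {
    return { level: 'error', caps,
      message: `node has file capabilities (${caps.join(', ')}); NODE_PATH=${env.NODE_PATH} is ignored` };
  }
  return { level: 'warn', caps,
    message: `node has file capabilities (${caps.join(', ')}); every script run with this binary gets them` };
}

// Constructed environment for the demonstration run.
console.log(checkNodePath(SAMPLE_NEW, '/usr/bin/node', { NODE_PATH: '/home/dev/adapter' }).message);
```

Feed it the output of `getcap` run on the resolved node binary and the current `process.env`.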
I would support adding an "IOBROKER_NO_SETCAP" env variable or such
No existing issues.
Description
Add some way to prevent iobroker from trying to setcap on the node binary.
Why?
Setcap on node prevents the NODE_PATH variable from being used, because node ignores it if any capabilities are set.
The NODE_PATH variable is useful during development. It can be used to start adapters from outside of the iobroker node_modules folder (for example in a dev-server setup, to start the adapter directly from the repository files).
How?
Probably a command-line option or some kind of persistent configuration (system.config?) is sufficient.