How to block dangerous bash commands like RM as root?
Closed this issue · 6 comments
Summary
how to prevent dangerous commands as root ?
Steps to reproduce the problem
- create a schedule
- use shell plugin
- so a rm -rf /path
Your Setup
hosted on AWS. uses nginx as reverse proxy with single chronicle master instance
Operating system and version?
Linux 2023
Node.js version?
18.18.0
Cronicle software version?
0.9.61
Are you using a multi-server setup, or just a single server?
Single
Are you using the filesystem as back-end storage, or S3/Couchbase?
local filesystem
Can you reproduce the crash consistently?
yes
Log Excerpts
Use the permission system to prevent users from creating/editing events, unless you want to give them that power.
You can also remove the Shell Plugin from the system if it is too powerful for your needs.
Hi, thanks for the reply. you cannot do something like a text validator? like if detected rm or /usr/bin/rm it will give a notice/error?
or maybe the admin permission will have shell plugin but the rest of the permission doesnt?
oh wait.. io found this in the plugin.. i can set the UID/GID. which means people cannot mess around areas that are root only. I think this will work.. will test it later
ok i set the UID/GID to the local non root user. (1002/1002) and provided the home directory of that said user. but the task is failing when i set a cron to delete something in the /tmp folder
Job ID: jm3gg2d321f
Event Title: test LS
Hostname: ip-10-10-1-160.us-west-1.compute.internal
Date/Time: 2024/11/13 22:20:00 (GMT+0)
Job failed at 2024/11/13 22:20:00 (GMT+0).
Error: Child spawn error: bin/shell-plugin.js: Child process failed to spawn (Check executable location and permissions?)
End of log
Change the Shell Plugin executable location to absolute, instead of a relative position:
Change this:
bin/shell-plugin.js
To this:
/opt/cronicle/bin/shell-plugin.js
thanks.. but i manage to just add the non privilege user in the plugin settings. thanks. will close this issue