First of all thank you very much for this awesome software. For me it is the best OpenSource software developed in this area in the last years. The extension with own nodes is easy and it is fun to work with n8n. It raises the productivity level enormously
I am using the official Docker image of n8n and have the problem that the user of a workflow can read configuration files like /etc/passwd using the Binary Reader node. I realize that it is “only” a Docker container. However, the problem exists to the same extent on a VM when I run the software as root user. On the VM, I can set up an unprivileged user and run n8n with pm2. It would be nice to have n8n processes running in the Docker container with an unprivileged container as well. And yes, I could create my own Docker image - but maybe I’m just the lazy programmer
Using the Exec node, I can also read all the environment variables and thus have the ability to read the MySQL credentials and use them using the MySQL node and read tables. The N8N_ENCRYPTION_KEY key is also readable. A clever attacker would be able to decrypt the credentials and would have all the secrets of various SaaS providers in his hand or he could just delete or truncate the table via workflow. An .env file can also be read. In the case of using a VM, this could possibly be done through appropriate file system permissions.In case of a Docker container, you will be able to solve the container secrets via Hashicorp Vault or via Kubernetes secrets.
I know you can disable nodes, but to run Ansible or Terraform for example, you need either corresponding Ansible or Terraform nodes if you disable the Exec node.
I’m thinking of just disabling the UI in production and handling everything through the REST API, which could be secured using a proxy. RBAC integration of the UI would be nice, but would certainly require a bunch of effort. If working alone with n8n, BaseAuth is certainly not a problem, but enterprise customers will certainly expect integration with their AD, LDAP or whatever to authorize and authenticate users appropriately.
And yes, I read the security section in the doc
My request: provide a Docker image that you can run with an unprivileged user if needed. You can find something similar with Nginx.
My question: How do you deal with these security issues?
Thank you very much for the thoughtful input into the security around n8n. You mentioned a number of very interesting and relevant topics.
I guess the first item at hand is the security levels of the default Docker image. The purpose of this image is not to provide an instant out of the box solution. Rather, it is designed to lower the barrier to entry for people to run, test and experiment with n8n. It is by no means intented to be a secure system.
You also bring up a valid point about how n8n could be used in an inappropriate manner. But, just like any technology, n8n is adiaphorous (neither good or bad). Just like I can use a hammer to build a homeless shelter or to bash in someone’s skull, n8n is susceptible to the whims of the user. n8n cannot ensure/enforce the ethics of the user. Regardless of how secure anyone makes a device or service, it is still open to being used for nefarious purposes for someone who is suitably skilled and motivated.
But, it definitely has the potential to be run as a very secure service when installed and secured properly. The wonderful part about software like n8n is that you do not need to wait for a very busy development team to eventually get around to working on what you are looking for.
n8n has a very active community who would benefit from and contribute to an n8n security tutorial/guide. It sounds like you have the experience and background to make a significant contribution to such a guide. Several community members have contributed unofficial tutorials here in the community or even in the official n8n documentation.
Let me know if you would like some help with getting some of these resources going.
And to the rest of the community, if you have the time and experience to help build a Docker image to Tom’s specs, let us know and we will make sure that we get that image distributed to the rest of the community.
I will setting up N8N in our lab, securing it and running various tests. Unfortunately, according to the documentation, a PM2 installation is not supported by N8N. For that reason I will build it with Linux systemd and if I find the time I will do a stress test. I will report about my test.
If I will find the time to write a full documentation, I have to see. But I am currently fully occupied with my work.
Also, I want to look at securing the WebHooks and UI with OpenID Connect. We use Keycloak, but any other OpenID Connect provider should work. Maybe you can secure the system so that N8N provides certain roles and permissions. I see such roles as “Can read Executions”, “Can [create | edit | delete] Workflow”, “Can update Settings” and so on… That would be a way to separate the development of workflows from the N8N operation without turning off the UI.
Furthermore it would be desirable, if you call another workflow from a workflow, that you could call it not by the ID but by the name. This would allow workflows to be developed in the development department, tested / deployed on the N8N test and prod systems via a “normal” DevOps process. With this you can version the workflows and if the API allows it you can automatically deploy a workflow to different systems.