Restrict access to file system via config

I run n8n through pm2
I set env variables in a config file for pm2 which then passes it down to n8n.

Let’s say I have a folder /ubuntu/home/n8n
with content

  • pm2.config.js
  • data/

I execute pm2 from within this folder. The Command Execution node has access to everything. It is a problem if someone is allowed to delete pm2.config.js.

One option is I could start pm2 as a different user with limited access. But this adds up to the server setup and is easy to miss. Of course using docker solves this by keeping this in the docker file.
But it will be nice if there is a possibility to mount a file system location. This must be configurable via n8n rather than from the system.

Another solution I can think of is by default, each workflow creates its own folder and restricts the shell to that folder.

Honestly not sure if the access can be properly restricted on the n8n side. At least cannot think of a proper way for the Execute Command node right now.

What n8n already offers is to deactivate some nodes:

Yes I had a look at that. We need to zip a file, so we first save a file on the system and then zip it in the next node (cmd/shell) passing the created file name.
I can think of sending the binary data to a different service but it seems like an overkill to just have a zipping service.

But yes makes sense, I was trying to think how can one easily do this and perhaps it is too much to include under n8n’s domain.

Ah OK. If you really need this node then the most secure way would really be docker which I normally recommend anyway. The Execute Command node is very powerful but also dangerous. Even docker does not take all the risks away but still improves it by a lot.

Yep, docker of course would solve these issues. Will move away from pm2 to docker soon. Thank you for your time. I’ll keep coming back to the community for a few days till we have a solid setup. And also hope to start contributing in a few days.

Really amazing to hear and great to have you as part of the community!