I run n8n through pm2
I set env variables in a config file for pm2 which then passes it down to n8n.
Let’s say I have a folder /ubuntu/home/n8n
I execute pm2 from within this folder. The Command Execution node has access to everything. It is a problem if someone is allowed to delete delete pm2.config.js.
One option is I could start pm2 as a different user with limited access. But this adds up to the server setup and is easy to miss. Ofcourse using docker solves this by keeping this in the docker file.
But it will be nice if there is a possibility to mount a file system location. This must be configurable via n8n rather than from the system.
Another solution I can think of is by default, each workflow creates it’s own folder and restricts the shell to that folder.