How to block dangerous bash commands like RM as root? #826

ctcarino opened this issue Nov 13, 2024 · 5 comments
@ctcarino

Summary

How to prevent dangerous commands as root?

Steps to reproduce the problem

  1. Create a schedule
  2. Use shell plugin
  3. Do a rm -rf /path

Your Setup

Hosted on AWS. Uses nginx as reverse proxy with a single Cronicle master instance.

Operating system and version?

Linux 2023

Node.js version?

18.18.0

Cronicle software version?

0.9.61

Are you using a multi-server setup, or just a single server?

Single

Are you using the filesystem as back-end storage, or S3/Couchbase?

local filesystem

Can you reproduce the crash consistently?

yes

Log Excerpts

@jhuckaby
Owner

Use the permission system to prevent users from creating/editing events, unless you want to give them that power.

You can also remove the Shell Plugin from the system if it is too powerful for your needs.

@ctcarino
Author

@jhuckaby

Hi, thanks for the reply. You cannot do something like a text validator? Like if it detected rm or /usr/bin/rm it will give a notice/error?
Or maybe the admin permission will have the shell plugin but the rest of the permissions don't?

@ctcarino
Author

@jhuckaby

Oh wait, I found this in the plugin: I can set the UID/GID, which means people cannot mess around in areas that are root only. I think this will work. Will test it later.


@ctcarino
Author

ctcarino commented Nov 13, 2024

OK, I set the UID/GID to the local non-root user (1002/1002) and provided the home directory of that said user, but the task is failing when I set a cron to delete something in the /tmp folder.


Job ID: jm3gg2d321f
Event Title: test LS
Hostname: ip-10-10-1-160.us-west-1.compute.internal
Date/Time: 2024/11/13 22:20:00 (GMT+0)

Job failed at 2024/11/13 22:20:00 (GMT+0).
Error: Child spawn error: bin/shell-plugin.js: Child process failed to spawn (Check executable location and permissions?)
End of log

@jhuckaby
Owner

Change the Shell Plugin executable location to absolute, instead of a relative position:

Change this:

bin/shell-plugin.js

To this:

/opt/cronicle/bin/shell-plugin.js
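
A preflight check for the failure in this thread, added here as an example (it is not Cronicle code and not from either participant). It assumes the relative plugin path stopped resolving because the job's working directory was changed, and it also checks that the chosen UID/GID can execute the file and traverse its parent directories; `allowed`, `checkPluginCommand` and `demo` are hypothetical names, and the permission test reads mode bits only.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
// Can uid/gid use permission `bit` (4=r, 2=w, 1=x) on this stat result?
// Simplification: ignores supplementary groups, ACLs and capabilities.
function allowed(st, uid, gid, bit) {
  if (uid === 0) return bit !== 1 || st.isDirectory() || (st.mode & 0o111) !== 0;
  if (st.uid === uid) return (st.mode & (bit << 6)) !== 0;
  if (st.gid === gid) return (st.mode & (bit << 3)) !== 0;
  return (st.mode & bit) !== 0;
}

// Returns a list of problems; empty means found from cwd and executable by uid/gid.
function checkPluginCommand({ command, cwd, uid, gid }) {
  const problems = [];
  const exe = command.trim().split(/\s+/)[0];
  if (!path.isAbsolute(exe)) {
    problems.push(`relative path "${exe}" resolves against cwd ${cwd}`);
  }
  const full = path.resolve(cwd, exe);
  let st;
  try { st = fs.statSync(full); } catch (err) {
    return problems.concat(`${full}: ${err.code}`);
  }
  if (!st.isFile() || !allowed(st, uid, gid, 1)) {
    problems.push(`${full}: not executable by ${uid}:${gid}`);
  }
  // Every parent directory needs the search (x) bit for the target user.
  for (let dir = path.dirname(full); ; dir = path.dirname(dir)) {
    if (!allowed(fs.statSync(dir), uid, gid, 1)) {
      problems.push(`${dir}: not searchable by ${uid}:${gid}`);
    }
    if (dir === path.dirname(dir)) break;
  }
  return problems;
}

// Constructed demo: a throwaway install tree, checked as the current user.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'plugin-check-'));
  const exe = path.join(root, 'app/bin/shell-plugin.js');
  fs.mkdirSync(path.dirname(exe), { recursive: true });
  fs.mkdirSync(path.join(root, 'home'));
  fs.writeFileSync(exe, '#!/usr/bin/env node\n');
  fs.chmodSync(exe, 0o755);
  const who = { cwd: path.join(root, 'home'), uid: process.getuid(), gid: process.getgid() };
  return { exe, who, relative: checkPluginCommand({ command: 'bin/shell-plugin.js', ...who }),
           absolute: checkPluginCommand({ command: exe, ...who }) };
}
```

Run the check with the same UID/GID and working directory configured on the plugin; a root-owned directory with mode 0700 anywhere above the plugin file shows up as "not searchable".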
