Title
Create new category
Edit page index title
Edit category
Edit link
Securing Bash Nodes
Introduction
This section provides an overview regarding security enhancement to enable more control of the bash nodes to the users and provide capabilities to restrict operations and file access.
So, with the aim to secure bash nodes, provide maximum flexibility, and adapt to specific requirements of various environments, three different security levels have been introduced in the bash nodes of workflows.
Security Level 0: No security
Security Level 1:
rbashSecurity Level 2:
chroot jail
Security Levels
NOTE Infoworks installation will be set up with security level 0 for a bash operator by default. Admin can change the security level after installation.
Security Level 0: No security
No security will be implemented for the bash operator. This will allow users to run commands on the edge node as the infoworks Linux user.
Security Level 1: rbash
A new Linux user will be set up and a home directory will be created for that user. From the bash node, the new user will only be able to access files from their home directory. Each operation (for example, mkdir/ls) on linux has an associated binary. Copying the binary enables the operation. Any operation outside this list will be blocked.
Run the following script to set up or change any configuration in security settings:
NOTE Run the above mentioned script if you are:
Switching security levels
Making any configuration changes in
bash_node.ini(for example, adding a new operation)
Features
This security level blocks user from:
Using the
cdcommandModifying the values of
$PATH,$SHELL,$BASH_ENV, or$ENVExecuting programs that contain a
/Redirecting output using
>,>|,<>,>&,&>, and>>Getting out of restricted mode within scripts
Turning off restricted mode
Any binary operation that is not recognized for the user
Benefits
Operation whitelist: We can specify which operations will be allowed to the user
Destructive operations like
mv,rmwill be blockedAdmin operations like
chown,lnwill be blockedUser cannot execute anything from ‘
/’
External file write block: User will be blocked from editing files owned by another user.
Security Level 2: chroot jail
A new user is created and a restricted context is set up automatically for them. All bash operations will be run in the context of a chroot jail. This will provide an isolation for the user from the rest of the edge node.
Run the following script to set up or change any configuration in security settings:
Features
This security level blocks:
Any binary operation that is not recognized for the user.
Access to any files outside the chroot jail.
Benefits
Operation whitelist: We can specify which operations will be allowed to the user
Isolation from the rest of the edge node: We can isolate the access of the user to a specific directory. They cannot access any files outside this directory
Highly Configurable: Most behavior in this paradigm is configurable: commands, files and directories accessible, device paths, libs.
NOTE In addition to above mentioned features and benefits, Security level 2 also provides all the features and benefits of Security Level 1.
Configuring Bash Security
NOTE By default, security level is set to 0, which means no additional security is enabled. To customize behavior, Admin must edit the configuration file.
To configure the Bash Security:
Step 1: Navigate to the following path.
Step 2: Edit the bash_node.ini file.
If you are using security level 0:
Set
security_level = 0for no security. Bash node will run as IW_USER on the edge node.
If you are using security level 1:
Set
security_level = 1for setting up security withrbash.You can configure the following fields:
username: Linux user name which will access bash node.password: Linux user password.whitelist: List of all binaries that user can execute for security level 1.
If you are using security level 2:
Set
security_level = 2for maximum security. This will setup a chroot jail and bash will run.You can configure the following fields:
username: Linux user name which will access bash node.password: Linux user password.whitelist: List of all binaries that user can execute for security level 2.mounts: List of directories to be mounted in jail to give real time access in security level 2iw_resources: List of directories to be copied in security level 2.system_libs: Any linux library to be copied to chroot jail in security level 2.devices: Device mounts to be added to chroot jail in security level 2.
Step 3: Run bash_user_setup.sh.
Managing Privileges
Infoworks provides ability to manage privileges available to the bash operators at different security levels.
Privileges | Security Level 2 | Security Level 1 | Security level 0 |
|---|---|---|---|
Remove Infoworks Directories | Blocked | Privileged | Privileged |
Read Infoworks conf file | Blocked | Privileged | Privileged |
Edit Infoworks conf file | Blocked | Blocked | Privileged |
Read Infoworks certificate files | Blocked | Privileged | Privileged |
Read files at system root / | Blocked | Privileged | Privileged |
Execute binaries from a directory not in PATH | Blocked | Blocked | Privileged |
Download using wget | Privileged | Privileged | Privileged |
Kill a process | Blocked | Blocked | Privileged |
Change ownership of some directory | Blocked | Blocked | Privileged |
User modifications (add new user/change user password) | Blocked | Blocked | Privileged |
Start, stop or status | Blocked | Blocked | Privileged |
The above mentioned vulnerabilities are default behaviors. Some of these can be configurable as per the requirements.
For more details, refer to our Knowledge Base and Best Practices!
For help, contact our support team!
© UNIPHORE TECHNOLOGIES 2025 | Confidential