Security issue: with multiple users, someone hijacked my machine and started a miner app
Please help by providing an admin login / password. I am a teacher, providing my ComfyUI server URL to our students. Now, my workaround is to REMOVE ComfyUI-Manager when I provide the server URL to my students.
Because we also teach students to use the ComfyUI URL to study Krita, all students know the ComfyUI web URL, without any login control.
Suggestions:
- provide an API URL only.
- provide a login / password.
Here someone installed lolminer on our machine, via ComfyUI-Manager I guess.
My friend said this feature was ready last week: https://github.com/liusida/ComfyUI-Login
Let's try it.
The manager is not meant to be used on shared ComfyUI installs, it lets anyone with access to the ComfyUI interface install and run anything in your instance.
I don't even recommend running a publicly accessible instance of the base ComfyUI.
> My friend said this feature was ready last week: https://github.com/liusida/ComfyUI-Login
> Let's try it.
Thank you for mentioning ComfyUI-Login!
My solution for sharing ComfyUI with others is to use Docker containers, since Docker enhances security through isolation.
I have a host with a 4090 GPU, and I built a Docker image starting from pytorch/pytorch:2.2.2-cuda12.1-cudnn8-runtime, cloning the ComfyUI repo and some custom nodes automatically, including ComfyUI-Login. I use Docker Compose to manage all the containers.
I assigned each container (with different port numbers) to different users, who will log in and set their passwords. If I find any of the containers acting abnormally (like using a lot of GPU VRAM), I will ask that user what they have installed, and I may stop or reset their container to minimize the harm.
I haven't shared my Dockerfile and scripts on GitHub since they don't cover most situations, but they work fine for me. Let me know if you need them for reference.
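The commenter did not publish their Dockerfile or scripts, so here is an added example (not their code) of what the per-user container layout above looks like as a `docker-compose.yml`. It assumes a local `./Dockerfile` that starts from `pytorch/pytorch:2.2.2-cuda12.1-cudnn8-runtime` and clones ComfyUI plus ComfyUI-Login into `/workspace/ComfyUI`, that models live on the host under `/srv/models`, and that the NVIDIA container toolkit is installed; the service names, host ports, volume names and resource limits are placeholders. `--listen` and `--port` are ComfyUI's own `main.py` flags.

```yaml
# docker-compose.yml  (added example, not the commenter's files)
#
# Assumptions (not from the original post):
#   - ./Dockerfile builds ComfyUI + ComfyUI-Login into /workspace/ComfyUI
#   - host model checkpoints live in /srv/models
#   - nvidia-container-toolkit is installed on the host
#   - ports 8191/8192 are free on the host

x-student: &student
  build: .
  image: comfyui-class:latest
  working_dir: /workspace/ComfyUI
  # ComfyUI must bind 0.0.0.0 inside the container to be reachable through the port map.
  command: ["python", "main.py", "--listen", "0.0.0.0", "--port", "8188"]
  restart: unless-stopped
  # Hand the shared 4090 to the container.  VRAM cannot be capped per container,
  # which is why abnormal GPU use still has to be spotted by watching nvidia-smi.
  deploy:
    resources:
      reservations:
        devices:
          - driver: nvidia
            count: 1
            capabilities: [gpu]
  # Limits that keep one hijacked container from dragging down the whole host:
  mem_limit: 16g        # hard RAM ceiling; a runaway process is OOM-killed in its own container
  cpus: "4"             # a CPU miner in one container cannot starve the others
  pids_limit: 512       # bounds fork bombs and miner worker-thread storms
  shm_size: 1g
  security_opt:
    - no-new-privileges:true   # setuid binaries cannot escalate inside the container
  cap_drop:
    - ALL                      # ComfyUI needs no Linux capabilities
  # The root filesystem is deliberately not read_only: ComfyUI-Manager (and the
  # student) write into custom_nodes/, which is why that directory gets its own
  # named volume per student below and can be wiped on reset.

services:
  student01:
    <<: *student
    container_name: comfyui-student01
    ports:
      - "8191:8188"     # distinct host port per student
    volumes:
      - /srv/models:/workspace/ComfyUI/models:ro          # shared checkpoints, read-only
      - student01-nodes:/workspace/ComfyUI/custom_nodes   # whatever this student installs
      - student01-user:/workspace/ComfyUI/user            # per-user settings (assumed path)
      - student01-output:/workspace/ComfyUI/output

  student02:
    <<: *student
    container_name: comfyui-student02
    ports:
      - "8192:8188"
    volumes:
      - /srv/models:/workspace/ComfyUI/models:ro
      - student02-nodes:/workspace/ComfyUI/custom_nodes
      - student02-user:/workspace/ComfyUI/user
      - student02-output:/workspace/ComfyUI/output

volumes:
  student01-nodes:
  student01-user:
  student01-output:
  student02-nodes:
  student02-user:
  student02-output:
```

Because the YAML merge key replaces `volumes` wholesale, each service lists its own mounts rather than inheriting them from the anchor. On first start Docker seeds the `custom_nodes` volume from the image, so ComfyUI-Login and any baked-in nodes are present; a miner dropped in later lands in that volume only. Resetting a misbehaving student is then `docker compose rm -sf student01`, `docker volume rm <project>_student01-nodes` (and the other two volumes if you want a clean slate), and `docker compose up -d student01`. Check where your ComfyUI-Login version stores its password state and mount that path too if it is outside `user/`, otherwise the login is lost on reset.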
> The manager is not meant to be used on shared ComfyUI installs, it lets anyone with access to the ComfyUI interface install and run anything in your instance.
> I don't even recommend running a publicly accessible instance of the base ComfyUI.
Python doesn't even recommend running Python as a public web server, for that matter. They routinely pass on fixing critical HTTPS vulnerabilities because code separation doesn't exist between the various components to prevent hijacking / bypassing certs, and there's an ancient bug that allows using any Python-based server as an open proxy that's marked WONTFIX.
Their other justification is that it's not the primary purpose of the language, or even something it's very good at, and they don't want to get tied up endlessly fixing the slew of networking vulnerabilities that show up daily when someone could just run nginx instead. The FastCGI module was either deprecated or removed recently for similar reasons.