home
Naukri Code 360
expand-more
Library
expand-more
Database Management System
expand-more
NoSQL Databases
expand-more
Redis
expand-more
Manual
expand-more
ACL- Redis access control list
Table of contents
1.
Introduction
2.
Security model
2.1.
Network security
2.2.
Protected mode
2.3.
Authentication
2.4.
TLS support
2.5.
Disallowing specific commands
2.6.
Attacks triggered by malicious inputs from external clients
2.7.
String escaping and NoSQL injection
2.8.
Code security
3.
Redis access control list
4.
When ACLs are useful
5.
Configure ACLs with the ACL command
6.
ACL rules
6.1.
Enable and disallow users:
6.2.
Allow and disallow commands:
7.
Create and edit user ACLs with the ACL SETUSER command
8.
Command categories
9.
Allow/block subcommands
10.
Key permissions
11.
How passwords are stored internally
12.
FAQs
12.1.
How do I authenticate Redis?
12.2.
Is Redis secure?
12.3.
Where to find Redis config?
13.
Conclusion
Last Updated: Mar 27, 2024
Medium

ACL- Redis access control list

Author Alankrit Srivastava
0 upvote

Introduction

In this article, we will discuss security from the point of view of Redis. It goes through Redis' access control, code security problems, attacks that can be launched from the outside by picking malicious inputs, and other related subjects.

Security model

Redis is intended for use by trusted clients in trusted environments. Clients in the front-end (web side) of a web application that uses Redis as a database, cache, or messaging system will query Redis to generate pages or perform activities requested or triggered by the web application user.

In this situation, the web application mediates access between Redis and untrusted clients (the user browsers accessing the web application).

Untrusted access to Redis should always be mediated through a layer that implements ACLs, validates user input, and decides what actions to do on the Redis instance.

Network security

Everyone but trustworthy clients in the network should have access to the Redis port; hence the servers hosting Redis should be directly accessible only by the computers implementing the Redis application.

The Redis port should be firewalled to prohibit access from the outside in the typical case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2,...) Redis will still be accessible via the loopback interface for clients.

It's worth noting that you can bind Redis to a single interface by adding the following line to the redis.conf file:

bind 127.0.0.1

Because of the nature of Redis, failing to protect the port from the outside can have a significant security impact. An external attacker might, for example, destroy the entire data set with a single FLUSHALL command.

Protected mode

Unfortunately, many users do not secure Redis instances against external network access. Many instances are just left online with public IP addresses. When Redis is run with the default configuration (binding all interfaces) and no password, it enters a special mode known as a protected mode. Redis only responds to queries from loopback interfaces in this mode, and clients connecting from other addresses receive an error message explaining the problem and how to configure Redis correctly.

We anticipate that the protected mode will significantly reduce the security risks associated with unprotected Redis instances that are run without proper administration.

However, the system administrator can ignore Redis' error and disable protected mode or manually bind all interfaces.

Authentication

While Redis does not attempt to provide Access Control, it does offer an optional layer of authentication that can be enabled by modifying the redis.conf file.

When the permission layer is enabled, unauthenticated clients will be denied access to Redis. By delivering the AUTH instruction followed by the password, a client can authenticate itself.

The password is set in clear text in the redis.conf file by the system administrator. It should be long enough to prevent brute force attacks for two reasons:

Redis responds to queries quickly. An external client can test a large number of passwords per second.

The password for Redis is saved in the redis.conf file and the client configuration. The password can be very long because the system administrator does not need to remember it.

The authentication layer's objective is to provide an optional layer of redundancy. An external client will still be unable to access the Redis instance without knowing the authentication password if firewalling or any other method established to protect Redis from external attackers fails.

Because the AUTH command, like all other Redis commands, is sent unencrypted, it is vulnerable to eavesdropping by an attacker with sufficient network access.

TLS support

TLS support is available for all communication channels in Redis, including client connections, replication links, and the Redis Cluster bus protocol.

Disallowing specific commands

It is possible to disable commands in Redis or rename them with an unguessable name, limiting typical clients to a limited number of instructions.

A managed Redis instance service, for example, could be offered by a virtualized server provider. In this case, normal users should generally not be able to change the instance's settings using the Redis CONFIG command, but systems that give and remove instances should be able to.

In this circumstance, it is possible to rename or shadow commands from the command table. A statement in the redis can access this feature.conf configuration file. For instance:

rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

The CONFIG command was renamed to an unguessable name in the preceding example. It's also possible to make it (or any other command) utterly unusable by renaming it to the empty string, as in the following example:

rename-command CONFIG ""

Attacks triggered by malicious inputs from external clients

An attacker can launch a particular type of attack from the outside, even if they don't have access to the instance. An attacker could, for example, inject data into Redis that causes pathological (worst-case) algorithm complexity on data structures defined within Redis internals.

An attacker could use a web form to submit a series of strings that are known to hash to the same bucket in a hash table, causing the O(1) expected time (average time) to become the O(N) worst case. This may require more CPU than anticipated, resulting in a Denial of Service.

Redis uses a per-execution, pseudo-random seed, to the hash function to prevent this specific attack.

String escaping and NoSQL injection

Because the Redis protocol has no concept of string escaping, injection is impossible using a standard client library. The protocol is binary-safe and uses prefixed-length strings.

The EVAL and EVALSHA commands are also safe because the Lua scripts they execute obey the same rules.

While it may seem unusual, the application should avoid assembling the Lua script's body with strings obtained from untrustworthy sources.

Code security

Clients have complete access to the command set in a traditional Redis setup, but accessing the instance should never result in the ability to influence the system where Redis is executing.

To prevent buffer overflows, format problems, and other memory corruption issues, Redis employs all of the well-known techniques for building secure code. The ability to manage the server settings using the CONFIG command, on the other hand, allows the client to change the program's working directory and the name of the dump file. Clients can now write RDB Redis files to whatever directory they choose. This is a security vulnerability that could allow an attacker to compromise the system or run untrusted programs as the same user as Redis.

Redis access control list

The Redis ACL, or Access Control List, is a feature that restricts the commands that may be run and the keys that can be accessed for specific connections. It works like this: after connecting, a client must authenticate by providing a username and a valid password. If authentication is successful, the connection is associated with a specific user and their restrictions. Redis can be set up to automatically authenticate new connections with a "default" user (this is the default configuration). The ability to deliver only a subset of features to connections that are not explicitly authenticated is a side consequence of configuring the default user.

When ACLs are useful

Before you use ACLs, think about what you want to achieve by adding this layer of security. ACLs are typically used to achieve two primary objectives:

You wish to strengthen security by limiting access to commands and keys so that untrusted clients have no access to the database and trusted clients have only the bare minimum of access to accomplish the task required. Certain clients, for example, may only be able to execute read-only commands.

You want to improve operational safety so that processes or humans accessing Redis cannot destroy the data or configuration as a result of software or manual failures. A worker fetching delayed jobs from Redis, for example, has no reason to be able to use the FLUSHALL command.

Configure ACLs with the ACL command

ACLs are created using a DSL (domain-specific language) that specifies what a user is permitted to do. Such rules are usually applied from left to right, from first to last, because the order of the rules can sometimes be crucial to understanding what the user is capable of.

There is only one default user defined by default. To inspect the presently active ACLs and validate the settings of a freshly launched, defaults-configured Redis instance, we may use the ACL LIST command:

> ACL LIST
1) "user default on nopass ~* &* +@all"

The command above provides the list of users in the same format as the Redis configuration files by translating the current ACLs specified for the users back into their description.

ACL rules

The following is a list of valid ACL rules:

Enable and disallow users:

  • On: Enable the user; This user can be authenticated.
  • Off: Disallow the user; Authentication with this user is no longer possible; nevertheless, previously authenticated connections will continue to work. Note that, regardless of the default user setup, new connections will start as unauthenticated and will require the user to send AUTH or HELLO with the AUTH option to authenticate in some fashion.

Allow and disallow commands:

  • +: Add the command to the user's list of available commands. Allows subcommands when used with | (e.g., "+config|get").
  • -: Remove the command from the user's list of available commands. It can be used with | for blocking subcommands starting with Redis 7.0 (e.g. "-config|set").
  • +@: Add all the commands in that category to be called by the user, with correct types including @admin, @set, @sortedset, and so on; see the whole list using the ACL CAT command. The unique category @all refers to all commands, including those already on the server and those loaded via modules in the future.
  • -@: Similar to +@, but removes the commands from the client's command list.

Create and edit user ACLs with the ACL SETUSER command

There are two basic techniques to create and modify users:

  1. It was using the ACL command and its subcommand ACL SETUSER.
  2. Users can be defined in the server setup, and the server can be restarted. Call ACL LOAD with an external ACL file.

Command categories

A list of command categories and their meanings follows:

  • admin - Commands for administration. These will never be used in normal applications. REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, and other commands.
  • bitmap - Bitmaps are a data type.
  • blocking - The connection may be blocked until another command releases it.
  • command - Commands that affect the connection or other connections. AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, and other commands are included.
  • Instructions that are potentially risky (each should be considered with care for various reasons). FLUSHALL, MIGRATE, RESTORE, SORT, KEYS, CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, and more commands are included.
  • geo - Geospatial indexes related data type.
  • hash - Hash-related data type
  • hyperloglog - Hyperloglog-related data type.
  • O(1) instructions executed quickly. The number of arguments may be looped on, but not the number of elements in the key.
  • In a type-agnostic method, keyspace is written or read from keys, databases, or their metadata. DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE, KEYS, EXPIRE, TTL, FLUSHALL, and other commands. The write category applies to commands that edit the keyspace, key, or metadata. The read category applies to commands that solely read the keyspace, key, or metadata.
  • list - Data type: linked lists
  • pubsub - Commands related to PubSub.
  • reading - reading from a keyboard (values or metadata). Commands that do not interface with keys will not have read or write capabilities.
  • scripting - All things scripting.
  • set - Data type: related sets
  • sortedset - Sorted sets related data type.
  • sluggish - Any command that isn't quick.
  • stream - Data type for streams.
  • string - Data type for strings.
  • transaction - commands relating to WATCH, MULTI, and EXEC.
  • write - putting letters on keys (values or metadata).

Allow/block subcommands

Subcommands can now be allowed or banned in the same way other commands can (by using the separator | between the command and the subcommand, for example: +config|get or -config|set).

Except for DEBUG, this is true for all commands.

Key permissions

Key patterns can now describe how a command can touch a key starting with Redis 7.0. This is accomplished through the use of rules that establish necessary permissions. Percent () is the most essential authorization rules. Individual characters are defined as permissions that translate to the following key permissions:

  1. W (Write): The data inside the key can be updated or removed.
  2. R (Read): Data from the key supplied by the user is processed, copied, or returned. This does not provide metadata like size (like STRLEN), type (example TYPE), or if a value exists within a collection (example SISMEMBER).

Permissions can be combined by combining several characters.

How passwords are stored internally

Internally, Redis stores SHA256-hash passwords. You'll see a long hex string that seems pseudo random if you set a password and inspect the output of ACL LIST or ACL GETUSER. Because the large hex string was shortened in the preceding instances for brevity, here is an example:

> ACL GETUSER default
1) "flags"
2) 1) "on"
   2) "allkeys"
   3) "allcommands"
   4) "allchannels"
3) "passwords"
4) 1) "2d9c75273d72b32df726fb545c8a4edc719f0a95a6fd993950b10c474ad9c927"
5) "commands"
6) "+@all"
7) "keys"
8) "~*"
9) "channels"
10) "&*"
11) "selectors"
12) (empty array)

FAQs

How do I authenticate Redis?

The AUTH command in Redis is used to log in to the server using the provided password. The server responds with the OK status code and begins receiving instructions if the password matches the password in the configuration file. Otherwise, the client will receive an error and need to try a new password.

Is Redis secure?

Redis has low security, so it's essential to set up a firewall.

Where to find Redis config?

/redis/etc/redis.conf
installdir/redis/etc/redis.conf contains the Redis configuration file.

Conclusion

In this article, we have extensively discussed the ACL-Redis access control list and checked security from the point of view of Redis. It goes through Redis' access control, code security problems, and attacks that can be launched from the outside by picking malicious inputs.

We hope that this blog has helped you enhance your knowledge regarding the ACL- Redis access control list and if you would like to learn more, check out our articles here. Do upvote our blog to help other ninjas grow.

Refer to our guided paths on Coding Ninjas Studio to learn more about DSA, Competitive Programming, JavaScript, System Design, etc. Enroll in our courses and refer to the mock test and problems available, interview puzzles. Also, look at the interview experiences and interview bundle for placement preparations. Please look at this YouTube tutorial to explore the preparation strategy for SDE placements.

Happy Learning!

Previous article
Security in Redis
Next article
TLS - Redis TLS support
Live masterclass
author
Top GenAI Skills to crack 30 LPA+ roles at Amazon & Google
by Sumit Shukla
02 Feb, 2026
03:00 PM
discord 34+ registered
author
Python + AI Skills to ace 30L+ CTC Data roles at Amazon
by Prerita Agarwal
01 Feb, 2026
06:30 AM
discord 536+ registered
author
Top 5 GenAI Projects to Crack 25 LPA+ Roles in 2026
by Shantanu Shubham
01 Feb, 2026
08:30 AM
discord 181+ registered
author
Zero to Data Analyst: Amazon Analyst Roadmap for 30L+ CTC
by Abhishek Soni
02 Feb, 2026
01:30 PM
discord 345+ registered
author
Top GenAI Skills to crack 30 LPA+ roles at Amazon & Google
by Sumit Shukla
02 Feb, 2026
03:00 PM
discord 34+ registered
author
Python + AI Skills to ace 30L+ CTC Data roles at Amazon
by Prerita Agarwal
01 Feb, 2026
06:30 AM
discord 536+ registered
View more events