Chirp!
  • Login
Chirp! is a GNU Social instance for the Cooley and Sekula families and their friends.

  • Public

    • Public
    • Network
    • Groups
    • Popular
    • People

Conversation

Notices

  1. drymer (drymer@quitter.se)'s status on Tuesday, 28-Feb-2017 08:34:01 UTC drymer drymer
    What you people thing about using sudo without password for automating purposes (like ansible)?
    In conversation Tuesday, 28-Feb-2017 08:34:01 UTC from quitter.se permalink
    • Hallå Kitteh repeated this.
    • Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 28-Feb-2017 08:36:52 UTC Hallå Kitteh Hallå Kitteh
      in reply to
      @drymer If it's an account that only runs ansible stuff, no interactive random stuff, sure. Better than running as root the whole time.
      In conversation Tuesday, 28-Feb-2017 08:36:52 UTC permalink
    • camby (camby@shitposter.club)'s status on Tuesday, 28-Feb-2017 08:40:38 UTC camby camby
      in reply to
      • Hallå Kitteh
      @drymer @clacke can't you choose on a user-per-user basis which commands they can sudo to? I'm pretty sure I did that once.
      In conversation Tuesday, 28-Feb-2017 08:40:38 UTC permalink
      Hallå Kitteh repeated this.
    • drymer (drymer@quitter.se)'s status on Tuesday, 28-Feb-2017 08:42:18 UTC drymer drymer
      in reply to
      • Hallå Kitteh
      • camby
      @camby Yes, but it's not about commands. What if every server has different passwords? Having to type them all it's a lot of effort. @clacke
      In conversation Tuesday, 28-Feb-2017 08:42:18 UTC permalink
      Hallå Kitteh repeated this.
    • Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 28-Feb-2017 12:35:35 UTC Hallå Kitteh Hallå Kitteh
      in reply to
      • camby
      @drymer @camby But it is about commands. If you enable passwordless sudo in general you have a bigger attack surface than if you put "I need to be root" operations into narrow, focused scripts which take no parameters or which validate their parameters, and then only allow to sudo into those scripts.
      In conversation Tuesday, 28-Feb-2017 12:35:35 UTC permalink
    • drymer (drymer@quitter.se)'s status on Tuesday, 28-Feb-2017 12:38:02 UTC drymer drymer
      in reply to
      • Hallå Kitteh
      • camby
      @clacke It's not that big. If someone is able to log in a server, it's pretty easy to install a keylogger that will capture the pswd. @camby
      In conversation Tuesday, 28-Feb-2017 12:38:02 UTC permalink
      Hallå Kitteh repeated this.
    • Hallå Kitteh (clacke@social.heldscal.la)'s status on Tuesday, 28-Feb-2017 12:40:11 UTC Hallå Kitteh Hallå Kitteh
      in reply to
      • camby
      @drymer @camby Not talking about the password, talking about what you can do once you get your hands on that password, or get access to an account with passwordless sudo.

      If all you can do as root is "enact the policy that was synced here from somewhere pre-defined" you're not going to be able to wreak much havoc.
      In conversation Tuesday, 28-Feb-2017 12:40:11 UTC permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • Privacy
  • Source
  • Version
  • Contact

Chirp! is a social network. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Chirp! content and data are available under the Creative Commons Attribution 3.0 license.