What do you people think about using sudo without a password for automation purposes (like ansible)?
-
@drymer If it's an account that only runs ansible stuff, no interactive random stuff, sure. Better than running as root the whole time.
-
@drymer @clacke can't you choose on a user-per-user basis which commands they can sudo to? I'm pretty sure I did that once.
-
@camby Yes, but it's not about commands. What if every server has a different password? Having to type them all is a lot of effort. @clacke
-
@drymer @camby But it is about commands. If you enable passwordless sudo in general you have a bigger attack surface than if you put "I need to be root" operations into narrow, focused scripts which take no parameters or which validate their parameters, and then only allow sudo into those scripts.
-
@clacke It's not that big. If someone is able to log in to a server, it's pretty easy to install a keylogger that will capture the password. @camby
-
@drymer @camby Not talking about the password, talking about what you can do once you get your hands on that password, or get access to an account with passwordless sudo.
If all you can do as root is "enact the policy that was synced here from somewhere pre-defined" you're not going to be able to wreak much havoc.
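The "narrow, focused script" pattern described in this thread, as an added example that is not from any of the participants. It assumes an automation account named `ansible`, a policy directory `/srv/policy` and a wrapper installed as `/usr/local/sbin/apply-policy`; all three names are assumptions. The sudoers fragment in the comments contrasts the broad `NOPASSWD: ALL` rule with a rule that only permits the wrapper, and the wrapper itself validates its single parameter so the only thing root will do is run a pre-synced policy file by name.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: account "ansible",
# policy directory /srv/policy, wrapper /usr/local/sbin/apply-policy.
#
# sudoers fragment (drop into /etc/sudoers.d/ and check with `visudo -c`):
#
#   # Broad form discussed in the thread: any command as root, no password.
#   # ansible ALL=(root) NOPASSWD: ALL
#
#   # Narrow form: only the wrapper below may be run as root without a password.
#   Defaults:ansible env_reset
#   ansible ALL=(root) NOPASSWD: /usr/local/sbin/apply-policy
#
# Because the rule names one fixed path, the attack surface is whatever that
# script can be made to do with its arguments, which is why it validates them.

# validate_policy_name: accept only a short, plain identifier. Rejects empty
# strings, anything that looks like an option, and anything containing a path
# separator, whitespace or shell metacharacters.
validate_policy_name() {
  case "$1" in
    '') return 1 ;;
    -*) return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# apply_policy: the body of the wrapper sudo is allowed to run. It takes one
# argument, a policy name, and only ever executes a file beneath POLICY_DIR
# (assumed default /srv/policy) whose name passed validation.
apply_policy() {
  name="$1"
  validate_policy_name "$name" || { echo "refused: bad policy name" >&2; return 2; }
  file="${POLICY_DIR:-/srv/policy}/$name.sh"
  [ -f "$file" ] || { echo "refused: no such policy: $name" >&2; return 3; }
  # Run the policy with a clean, fixed environment so the caller cannot smuggle
  # in PATH, LD_PRELOAD or similar through the environment.
  env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin /bin/sh "$file"
}

# When installed as the wrapper, dispatch on the single argument:
# [ "$(basename "$0")" = apply-policy ] && apply_policy "$1"
```

The point of the validation is that a caller who has the automation account (or its key) cannot turn the sudo rule into arbitrary root execution: `../etc/passwd`, `-x`, `a;b` and similar names are refused before anything runs, and the policy files themselves must already be in place on the host, synced there by whatever process the owner trusts.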