Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?
ricky at fedoraproject.org
Sun Aug 16 02:16:30 UTC 2009
Hey, I've been thinking about sudo passwords (particularly on publictest
machines, where security holes in apps being developed cant turn up from
time to time).
Could enabling NOPASSWD for sudo and disabling agent forwarding on
publictest machines be a good option for lowering the possible impact if
anything were to happen on the publictest machines?
The specific situation that I'm thinking about right now is:
* Command execution hole in some app in testing (this has happened)
* Kernel bugs like the two that have shown up in the past month
* People like me regularly entering their FAS password on publictest
machines and having SSH agent forwarding enabled
Maybe this is being too paranoid or not the best ultimate solution (Mike
mentioned that he was looking into alternatives to entering sudo
passwords, for example), but it does seem like a real risk given the
freedom we allow for testing stuff out on the publictest machines.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 197 bytes
Desc: not available
More information about the Fedora-infrastructure-list