Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?

Mike McGrath mmcgrath at
Mon Aug 17 02:23:37 UTC 2009

On Sat, 15 Aug 2009, Ricky Zhou wrote:

> Hey, I've been thinking about sudo passwords (particularly on publictest
> machines, where security holes in apps being developed can turn up from
> time to time).
> Could enabling NOPASSWD for sudo and disabling agent forwarding on
> publictest machines be a good option for lowering the possible impact if
> anything were to happen on the publictest machines?
> The specific situation that I'm thinking about right now is:
>  * Command execution hole in some app in testing (this has happened)
>  * Kernel bugs like the two that have shown up in the past month
>  * People like me regularly entering their FAS password on publictest
>    machines and having SSH agent forwarding enabled
> Maybe this is being too paranoid or not the best ultimate solution (Mike
> mentioned that he was looking into alternatives to entering sudo
> passwords, for example), but it does seem like a real risk given the
> freedom we allow for testing stuff out on the publictest machines.

I'm conflicted on this; there are valid points here, but also the risks are
fairly low.  As far as disabling agent forwarding, that's trivial to
re-enable if the box gets rooted.

Specifically we're trying to protect against a rooted publictest box
becoming a password harvester, right?


