Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?
Mike McGrath
mmcgrath at redhat.com
Mon Aug 17 02:23:37 UTC 2009
On Sat, 15 Aug 2009, Ricky Zhou wrote:
> Hey, I've been thinking about sudo passwords (particularly on publictest
> machines, where security holes in apps being developed can turn up from
> time to time).
>
> Could enabling NOPASSWD for sudo and disabling agent forwarding on
> publictest machines be a good option for lowering the possible impact if
> anything were to happen on the publictest machines?
>
> The specific situation that I'm thinking about right now is:
> * Command execution hole in some app in testing (this has happened)
> * Kernel bugs like the two that have shown up in the past month
> * People like me regularly entering their FAS password on publictest
> machines and having SSH agent forwarding enabled
>
> Maybe this is being too paranoid or not the best ultimate solution (Mike
> mentioned that he was looking into alternatives to entering sudo
> passwords, for example), but it does seem like a real risk given the
> freedom we allow for testing stuff out on the publictest machines.
>
I'm conflicted on this; there are valid points here, but the risks are also
fairly low. As far as disabling agent forwarding, that's trivial to
re-enable if the box gets rooted.

Specifically, we're trying to protect against a rooted publictest box
becoming a password harvester, right?
-Mike