Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?

Mike McGrath mmcgrath at redhat.com
Mon Aug 17 02:23:37 UTC 2009


On Sat, 15 Aug 2009, Ricky Zhou wrote:

> Hey, I've been thinking about sudo passwords (particularly on publictest
> machines, where security holes in apps being developed cant turn up from
> time to time).
>
> Could enabling NOPASSWD for sudo and disabling agent forwarding on
> publictest machines be a good option for lowering the possible impact if
> anything were to happen on the publictest machines?
>
> The specific situation that I'm thinking about right now is:
>  * Command execution hole in some app in testing (this has happened)
>  * Kernel bugs like the two that have shown up in the past month
>  * People like me regularly entering their FAS password on publictest
>    machines and having SSH agent forwarding enabled
>
> Maybe this is being too paranoid or not the best ultimate solution (Mike
> mentioned that he was looking into alternatives to entering sudo
> passwords, for example), but it does seem like a real risk given the
> freedom we allow for testing stuff out on the publictest machines.
>

I'm conflicted on this, there's valid points here but also the risks are
fairly low.  As far as disabling agent forwarding, that's trivial to
re-enable if the box gets rooted.

Specifically we're trying to protect against a rooted publictest box
becoming a password harvester right?

	-Mike




More information about the infrastructure mailing list