On Sat, 15 Aug 2009, Ricky Zhou wrote: > Hey, I've been thinking about sudo passwords (particularly on publictest > machines, where security holes in apps being developed cant turn up from > time to time). > > Could enabling NOPASSWD for sudo and disabling agent forwarding on > publictest machines be a good option for lowering the possible impact if > anything were to happen on the publictest machines? > > The specific situation that I'm thinking about right now is: > * Command execution hole in some app in testing (this has happened) > * Kernel bugs like the two that have shown up in the past month > * People like me regularly entering their FAS password on publictest > machines and having SSH agent forwarding enabled > > Maybe this is being too paranoid or not the best ultimate solution (Mike > mentioned that he was looking into alternatives to entering sudo > passwords, for example), but it does seem like a real risk given the > freedom we allow for testing stuff out on the publictest machines. > I'm conflicted on this, there's valid points here but also the risks are fairly low. As far as disabling agent forwarding, that's trivial to re-enable if the box gets rooted. Specifically we're trying to protect against a rooted publictest box becoming a password harvester right? -Mike _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
