Re: Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?


 



On Sat, 15 Aug 2009, Ricky Zhou wrote:

> Hey, I've been thinking about sudo passwords (particularly on publictest
> machines, where security holes in apps being developed can turn up from
> time to time).
>
> Could enabling NOPASSWD for sudo and disabling agent forwarding on
> publictest machines be a good option for lowering the possible impact if
> anything were to happen on the publictest machines?
>
> The specific situation that I'm thinking about right now is:
>  * Command execution hole in some app in testing (this has happened)
>  * Kernel bugs like the two that have shown up in the past month
>  * People like me regularly entering their FAS password on publictest
>    machines and having SSH agent forwarding enabled
>
> Maybe this is being too paranoid or not the best ultimate solution (Mike
> mentioned that he was looking into alternatives to entering sudo
> passwords, for example), but it does seem like a real risk given the
> freedom we allow for testing stuff out on the publictest machines.
>

I'm conflicted on this; there are valid points here, but also the risks are
fairly low.  As far as disabling agent forwarding, that's trivial to
re-enable if the box gets rooted.

Specifically, we're trying to protect against a rooted publictest box
becoming a password harvester, right?

	-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
