> > But in the mean time (and generally) this should really only be used in a > dedicated VM. And the *primary* audience is my networks class--even though > I shared with the broader networking community, in case others might find > it useful or have feedback (thank you!). >
It's a cardinal rule that anything built with a set of assumptions about the environment it operates in will inevitably be run in a different environment somewhere, someday. :) On Fri, Jul 15, 2022 at 11:09 AM Casey Deccio <ca...@deccio.net> wrote: > > On Jul 15, 2022, at 8:25 AM, J. Hellenthal <jhellent...@dataix.net> > wrote: > > > > For a quick cursory overview of this project, I would urge you to add an > adendum or change the following line in the installation documentation... > > > > "%sudo ALL=(ALL:ALL) NOPASSWD: ALL" > > > > This is technically influencing bad behavior with sudo for those that > are not aware of the security impacts of such decisions. > > > > I'm not one to provide a negative remark usually without suggesting a > result that provides a positive impact that can be built upon. So with that > said and along the lines of that id suggest adjusting the documentation to > contain something of the sorts of a guided only per user or separate group > other than "%sudo"... maybe "%cougarnet" and add instructions for creating > the group and adding users to that group. > > > > Beyond that... nice project and thank you for your contribution to > networking. This may be beyond the scope of just this one mailing list and > wish you the best. > > Thanks so much for the feedback. As noted, this is still a > work-in-progress. Now that I'm mostly past the proof-of-concept phase of > development, and one of my near-term to-do items is to improve least > privilege in the code. I think it does fairly well in other places, but > the sudo access is still too liberal. At the moment, the plan is to > enumerate the commands used with sudo in the code and apply them to a group > of which a user must be a part. For example: > > %cougarnet ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip, /usr/sbin/sysctl > > But in the mean time (and generally) this should really only be used in a > dedicated VM. And the *primary* audience is my networks class--even though > I shared with the broader networking community, in case others might find > it useful or have feedback (thank you!). > > Cheers, > Casey
