Passwordless sudo
1/22/2024

Always have a user password that is required to run escalated privileges. If a bad actor gains access to one of your servers and it's possible to sudo without a password, then they can also `sudo su` and become the root user.

You'd think that this would make automation difficult, having to enter a password each time, but this is where the ansible_become_pass host variable comes in useful.

Create a yaml file somewhere and create a dictionary of hosts to sudo passwords:

```yaml
sudo_passwords:
```

There are options for where you can keep this file, but here is my strategy. I keep the raw secrets file as a plaintext file in an encrypted volume, then add a symlink to it in the root of the ansible project. You could also keep this file in the root of the ansible project itself, and use ansible-vault to encrypt/decrypt it in place:

```shell
ansible-vault encrypt sudo_passwords.yaml
# Decrypt when you're using it
ansible-vault decrypt sudo_passwords.yaml
```

For this part, you will need the encryption password. However, I just symlink, since my encrypted volume is only open when I need to do work:

```shell
~/my-ansible-project $ ln -s /path/to/vault/sudo_passwords.yaml
```

Be sure to keep this file out of version control.

Then create a task partial to import the sudo passwords as the ansible_become_pass fact. Save it to a file separate from any playbooks, as it can be imported into all playbooks. Then import this task into any playbooks that require escalated privileges:

```yaml
- name: Playbook Name
  # Point to the passwords file relative to where the playbook file resides
  # Add a directory inside the root user's home for proof of concept
```

Note that for simplicity, the playbook, imported task and passwords file all reside in the same directory.

In most cases I deal with, data at rest is the concern, and using the above that can be fully addressed so that the cleartext only ever exists in memory. This, I believe, is a good balance of ease of automation and security.

Even the risks around memory can be reduced, but NOT completely eliminated. gpg-agent locks its memory so it won't be written to swap, and keychain ensures you only have one gpg-agent running for whatever login/cron/etc. is set up to use it. SELinux security contexts can limit which processes have access to gpg-agent's memory. It is supposed to be possible to even run gpg-agent so that whatever process is using the agent does not have access to any of the agent's memory.

The unsaid assumption is that you trust the VM or hypervisor provider completely and that they are protecting access so an attacker cannot get in. Or that the location where the physical server resides is really secure.

Unless the old rainbow-book B1 or B2 level systems (sort of EL5 LSPP under Common Criteria) are interesting to you, this is going to get boring really quick. In the past I've worked on trusted operating systems to make it so that ssh logins could never fully get access to root privileges, or to a select subset of root privileges. I looked at SELinux and Linux capabilities (a breakdown of all the privileges root has) to do the same thing; it was years ago so things could have changed or I could be misremembering the details. Basically you drop a capability, or set of capabilities, on login such that no subprocess can ever put the capability in the active set. Sudo, `su - root`, even suid binaries cannot get the capability. You can completely neuter root access on login with no way to bypass the limit without a significant kernel vulnerability. So you could in theory run gpg-agent such that no user could ever get access to its memory.
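The ansible_become_pass workflow described above, written out as an added example that is not the post's own code: a constructed sudo_passwords.yaml, the task partial that turns it into the ansible_become_pass fact, and a playbook that imports the partial, creates the proof-of-concept directory under root's home, and then checks the host for NOPASSWD sudoers rules (the thing the post warns against). The hostnames, the file names become_pass.yaml and site.yaml, and the path /root/ansible-poc are assumptions made for the example; the three files are shown as one YAML stream separated by `---`, and each would live as its own file in the playbook directory.

```yaml
# --- sudo_passwords.yaml ----------------------------------------------------
# Constructed sample. Keys must match inventory_hostname exactly. Keep this
# file out of version control (the post keeps it in an encrypted volume and
# symlinks it into the project directory).
sudo_passwords:
  web01.example.internal: "REPLACE-ME-web01"
  db01.example.internal: "REPLACE-ME-db01"

---
# --- become_pass.yaml (task partial) ----------------------------------------
# Imported by every playbook that escalates privileges. Sets the
# ansible_become_pass fact for the current host only, and never logs it.
- name: Load sudo passwords from the secrets file next to the playbook
  ansible.builtin.include_vars:
    file: "{{ playbook_dir }}/sudo_passwords.yaml"
    name: secrets
  no_log: true

- name: Fail early if this host has no sudo password configured
  ansible.builtin.assert:
    that: inventory_hostname in secrets.sudo_passwords
    fail_msg: "No sudo password for {{ inventory_hostname }} in sudo_passwords.yaml"

- name: Set the sudo password as ansible_become_pass for this host
  ansible.builtin.set_fact:
    ansible_become_pass: "{{ secrets.sudo_passwords[inventory_hostname] }}"
  no_log: true

---
# --- site.yaml (playbook) ---------------------------------------------------
- name: Playbook Name
  hosts: all
  gather_facts: false
  tasks:
    # Relative path: resolved against the directory the playbook lives in,
    # so the partial and the passwords file sit beside the playbook.
    - name: Import the sudo password partial
      ansible.builtin.import_tasks: become_pass.yaml

    # Add a directory inside the root user's home for proof of concept.
    # become works because ansible_become_pass is now set for this host.
    - name: Create a proof-of-concept directory in root's home
      become: true
      ansible.builtin.file:
        path: /root/ansible-poc        # hypothetical path for the example
        state: directory
        mode: "0700"

    # Defensive check: a host that allows NOPASSWD sudo defeats the point of
    # this setup, so look for uncommented NOPASSWD rules. grep exits 1 when
    # nothing matches; rc 2 (for example /etc/sudoers.d missing or not
    # readable) is still treated as an error.
    - name: Look for NOPASSWD rules in sudoers
      become: true
      ansible.builtin.command: grep -rhE '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/
      register: nopasswd_rules
      changed_when: false
      failed_when: "nopasswd_rules.rc not in [0, 1]"

    - name: Fail if passwordless sudo is configured on this host
      ansible.builtin.assert:
        that: nopasswd_rules.stdout | length == 0
        fail_msg: "Passwordless sudo rules found: {{ nopasswd_rules.stdout_lines }}"
```

Run it as `ansible-playbook -i inventory site.yaml`; no `--ask-become-pass` is needed because the partial supplies the password per host. The `no_log: true` on the two tasks that touch the secrets keeps the passwords out of the run output and any log aggregator, and the assert before `set_fact` turns a missing host entry into a clear failure instead of an undefined-variable error inside the first `become` task.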