Re: Tool for virtual networks

[Casey Deccio <casey () deccio net>]

> On Jul 15, 2022, at 8:25 AM, J. Hellenthal <jhellenthal () dataix net> wrote:
>
> For a quick cursory overview of this project, I would urge you to add an adendum or change the following line in the 
> installation documentation...
>
> "%sudo   ALL=(ALL:ALL) NOPASSWD: ALL"
>
> This is technically influencing bad behavior with sudo for those that are not aware of the security impacts of such 
> decisions.
>
> I'm not one to provide a negative remark usually without suggesting a result that provides a positive impact that can 
> be built upon. So with that said and along the lines of that id suggest adjusting the documentation to contain 
> something of the sorts of a guided only per user or separate group other than "%sudo"... maybe "%cougarnet" and add 
> instructions for creating the group and adding users to that group.
>
> Beyond that... nice project and thank you for your contribution to networking. This may be beyond the scope of just 
> this one mailing list and wish you the best.

Thanks so much for the feedback.  As noted, this is still a work-in-progress.  Now that I'm mostly past the 
proof-of-concept phase of development, and one of my near-term to-do items is to improve least privilege in the code.  
I think it does fairly well in other places, but the sudo access is still too liberal.  At the moment, the plan is to 
enumerate the commands used with sudo in the code and apply them to a group of which a user must be a part.  For 
example:

%cougarnet   ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip, /usr/sbin/sysctl

But in the mean time (and generally) this should really only be used in a dedicated VM.  And the *primary* audience is 
my networks class--even though I shared with the broader networking community, in case others might find it useful or 
have feedback (thank you!).

Cheers,
Casey