nanog mailing list archives

Re: Tool for virtual networks


From: Tom Beecher <beecher () beecher cc>
Date: Mon, 18 Jul 2022 11:38:09 -0400


But in the meantime (and generally) this should really only be used in a
dedicated VM.  And the *primary* audience is my networks class--even though
I shared with the broader networking community, in case others might find
it useful or have feedback (thank you!).


It's a cardinal rule that anything built with a set of assumptions about
the environment it operates in will inevitably be run in a different
environment somewhere, someday. :)

On Fri, Jul 15, 2022 at 11:09 AM Casey Deccio <casey () deccio net> wrote:

On Jul 15, 2022, at 8:25 AM, J. Hellenthal <jhellenthal () dataix net>
wrote:

For a quick cursory overview of this project, I would urge you to add an
addendum or change the following line in the installation documentation...

"%sudo   ALL=(ALL:ALL) NOPASSWD: ALL"

This is technically influencing bad behavior with sudo for those that
are not aware of the security impacts of such decisions.

I'm not one to provide a negative remark, usually, without suggesting a
result that provides a positive impact that can be built upon. So with that
said, and along those lines, I'd suggest adjusting the documentation to
contain something of the sort of a guided per-user or separate group
other than "%sudo"... maybe "%cougarnet", and add instructions for creating
the group and adding users to that group.

Beyond that... nice project and thank you for your contribution to
networking. This may be beyond the scope of just this one mailing list, and I
wish you the best.

Thanks so much for the feedback.  As noted, this is still a
work-in-progress.  Now that I'm mostly past the proof-of-concept phase of
development, one of my near-term to-do items is to improve least
privilege in the code.  I think it does fairly well in other places, but
the sudo access is still too liberal.  At the moment, the plan is to
enumerate the commands used with sudo in the code and apply them to a group
of which a user must be a part.  For example:

%cougarnet   ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip, /usr/sbin/sysctl

But in the meantime (and generally) this should really only be used in a
dedicated VM.  And the *primary* audience is my networks class--even though
I shared with the broader networking community, in case others might find
it useful or have feedback (thank you!).

Cheers,
Casey
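
Casey's plan above (a command-limited sudo rule for a dedicated group) worked
through as a script. This is an added example, not cougarnet's own code or
documentation: the group name and the two binaries (ip, sysctl) come from the
thread; the drop-in path, the subcommand patterns, the sysctl key and the helper
functions are this example's assumptions. The one thing to flag about the bare
"/usr/bin/ip" entry in the sketch above is that sudo matches arguments too, and
"ip netns exec <ns> <command>" runs <command> as root, so an argument-unrestricted
ip entry is still a one-line root shell; likewise "(ALL:ALL)" lets members run
as any user or group, where "(root)" is all that is needed.

```shell
#!/bin/sh
# Added example, not cougarnet's code: a group-scoped sudoers drop-in for the
# two binaries named in the thread (ip, sysctl), with argument restrictions,
# plus the group/install/validate steps. Assumed: the drop-in path, the
# subcommand patterns, and the sysctl key; adjust to what the tool really runs.
set -eu

GROUP=cougarnet
DROPIN=/etc/sudoers.d/cougarnet   # sudoers.d names must not contain '.' or '~'

# The line the installation docs currently ask for: passwordless root for
# everyone in %sudo, for any command, as any user or group.
weak_rule() {
    printf '%s\n' '%sudo   ALL=(ALL:ALL) NOPASSWD: ALL'
}

# Replacement. Note what is NOT here: a bare "/usr/bin/ip". sudo matches
# arguments too, and "ip netns exec <ns> <cmd>" runs <cmd> as root, so an
# argument-free ip entry is a one-line root shell. The target is (root) rather
# than (ALL:ALL), and sysctl is pinned to one key. Wildcards in sudoers match
# across spaces, so each pattern is anchored on a fixed subcommand.
render_fragment() {
    cat <<'EOF'
# cougarnet: least-privilege sudo for the networks class (added example)
Cmnd_Alias COUGARNET_IP = /usr/bin/ip link *, /usr/bin/ip addr *, \
                          /usr/bin/ip netns add *, /usr/bin/ip netns del *
Cmnd_Alias COUGARNET_SYSCTL = /usr/sbin/sysctl -w net.ipv4.ip_forward=[01]
%cougarnet ALL=(root) NOPASSWD: COUGARNET_IP, COUGARNET_SYSCTL
EOF
}

# Static checks on the rendered text (syntax itself is checked by visudo at
# install time): no blanket ALL, no bare /usr/bin/ip, no "netns exec", and the
# rule is scoped to the group. Returns 0 when all checks pass.
check_fragment() {
    frag=$(render_fragment)
    printf '%s\n' "$frag" | grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' && return 1
    printf '%s\n' "$frag" | grep -Eq '/usr/bin/ip[[:space:]]*(,|\\|$)' && return 1
    printf '%s\n' "$frag" | grep -q 'netns exec' && return 1
    printf '%s\n' "$frag" | grep -q '^%cougarnet ' || return 1
    return 0
}

# Root-only: create the group, optionally add a user, validate with visudo,
# install with the 0440 mode sudoers.d requires, then show the user's rights.
install_fragment() {
    user=${1:-}
    [ "$(id -u)" -eq 0 ] || { echo "--install must run as root" >&2; return 1; }
    check_fragment || { echo "fragment failed static checks" >&2; return 1; }
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    if [ -n "$user" ]; then usermod -aG "$GROUP" "$user"; fi
    tmp=$(mktemp)
    render_fragment > "$tmp"
    chmod 0440 "$tmp"
    visudo -cf "$tmp"                        # refuse anything sudo cannot parse
    install -o root -g root -m 0440 "$tmp" "$DROPIN"
    rm -f "$tmp"
    if [ -n "$user" ]; then sudo -l -U "$user"; fi   # what the user may now run
}

case "${1:-}" in
    --install) install_fragment "${2:-}" ;;
    "")  printf '# weak rule from the installation docs:\n'; weak_rule
         printf '\n# proposed %s:\n' "$DROPIN"; render_fragment
         check_fragment && echo '# static checks passed' ;;
    *)   echo "usage: $0 [--install [user]]" >&2; exit 2 ;;
esac
```

Run it with no arguments to print the weak rule next to the proposed drop-in and
run the static checks; run "--install <user>" as root to create the group, add
the user, validate the file with "visudo -cf" and install it. The rule is still
far from harmless: anyone in the group can reconfigure every interface on the
host, which is exactly why Casey's "dedicated VM" advice stands regardless of
how tight the sudoers line gets.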
