Privilege escalation mechanism
rollcat opened this issue · 0 comments
Currently the privilege escalation story is quite poor:
- We can pretend we don't need to be another user on the remote machine (limits usefulness).
- We can SSH in directly as root (bad idea, don't do this).
- We can SSH in as a regular user that has password-less sudo/doas, and ask the user either to re-exec the script if UID is not 0, or prefix each privileged command with sudo/doas.
This is cumbersome, requires boilerplate, also not ideal if you prefer to have a sudo/doas password in interactive sessions (such as when you're managing a machine that also serves as a workstation).
Some people would argue this is equivalent to SSH'ing in directly as root, but at least with remote syslog or chflags+securelevel you can get an audit trail. So this is what we currently recommend.
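As an added illustration (not code from this issue or the project), here is what the third option looks like as a small POSIX sh helper: it picks doas or sudo, passes `-n` so a missing password-less rule fails loudly instead of leaving the SSH session hung on a prompt, and re-execs the script at most once. `PRIV_TOOL` and `REEXEC_GUARD` are assumed names introduced here.

```shell
#!/bin/sh
# Hypothetical helper for the "SSH in as a regular user with
# password-less sudo/doas" approach. Not part of the project.

# priv_prefix UID
# Prints the escalation prefix: "" when already root, else "doas -n" or
# "sudo -n". -n makes both tools fail instead of prompting, so a missing
# NOPASSWD / nopass rule surfaces as an error, not a hung session.
# Returns 1 if neither tool is installed.
priv_prefix() {
    uid=$1
    if [ "$uid" -eq 0 ]; then
        printf ''
        return 0
    fi
    if [ -n "${PRIV_TOOL:-}" ]; then
        tool=$PRIV_TOOL          # explicit override (assumed variable)
    elif command -v doas >/dev/null 2>&1; then
        tool=doas
    elif command -v sudo >/dev/null 2>&1; then
        tool=sudo
    else
        return 1
    fi
    printf '%s -n' "$tool"
}

# as_root CMD ARGS...
# Runs one privileged command with the chosen prefix (the "prefix each
# privileged command" variant from the issue).
as_root() {
    prefix=$(priv_prefix "$(id -u)") || return 1
    # Unquoted on purpose: "sudo -n" must split into two words.
    $prefix "$@"
}

# reexec_as_root SCRIPT ARGS...
# Re-execs the whole script once as root (the "re-exec if UID is not 0"
# variant). REEXEC_GUARD stops an escalation loop if the tool returns
# without actually giving us UID 0.
reexec_as_root() {
    [ "$(id -u)" -eq 0 ] && return 0
    if [ -n "${REEXEC_GUARD:-}" ]; then
        echo "privilege escalation failed" >&2
        return 1
    fi
    prefix=$(priv_prefix "$(id -u)") || return 1
    exec $prefix env REEXEC_GUARD=1 "$@"
}
```

Call `reexec_as_root "$0" "$@"` at the top of a script, or wrap individual commands with `as_root`; either way a failed escalation is an explicit error.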
Some bad ideas to improve upon this:
- We could pretend to be typing into the sudo password prompt, which sounds very brittle and probably can do a lot of harm. It also opens the question of storing the passwords securely on the controller.
- We could auto-install a setuid helper on the remote host, in some "bootstrap phase". This breaks the promise of not requiring any clientside components, so perhaps it can be opt-in. Probably should be a separate project. Also sounds like a rootkit.