
Hmm. People who know more than I do, I have a question.

I want to write a deployment script that will SSH into my VPS, pull from my git repo and then send some files around, but some of that requires sudo (like copying over an nginx config file).

What would be the best approach to having the script able to do everything it needs without me needing to harm the security of the VPS (by say removing the need for entering a password when using sudo)?

@OTheB I think the best way is to remove the need for a password for specific commands/user. I'm not sure how much you know about sudo configuration, but you can be very specific about what commands a user is able to run without a password...

<username> ALL=(ALL) NOPASSWD: "specific command(s) allowed, comma separated"

I know you said without removing password but this way you can be very granular about what commands can run...

@OTheB For example, the command could be
cp /foo/bar /bar/foo
and that would only allow that specific copy operation...
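The setup sketched in the two replies above, worked through as an added example (this is not code from the thread). All names are assumptions: a deploy user called `deploy`, a root-owned wrapper at /usr/local/sbin/deploy-nginx, a staged config at /srv/app/deploy/nginx.conf and its destination under /etc/nginx/sites-available. Two points the sudoers one-liner hides: the rule should name a fixed command with no wildcards, and the thing it names must not be writable by the deploy user, or that user simply edits it and gets root. A fixed `cp src dst` rule still lets whoever holds the deploy key choose the file contents, so the wrapper at least runs `nginx -t` before reloading.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names throughout:
# deploy user "deploy", wrapper /usr/local/sbin/deploy-nginx, staged
# config /srv/app/deploy/nginx.conf, target /etc/nginx/sites-available/app.conf.
set -eu

DEPLOY_USER="${DEPLOY_USER:-deploy}"
WRAPPER="${WRAPPER:-/usr/local/sbin/deploy-nginx}"

# One user, one fixed command, no arguments, no password. Without wildcards
# the deploy user cannot pass other paths to the rule. Goes in
# /etc/sudoers.d/deploy, owned by root, mode 0440.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$DEPLOY_USER" "$WRAPPER"
}

# Body of the wrapper. It must be owned by root and not writable by the
# deploy user. Source and destination are hard-coded so the unprivileged
# side cannot redirect the copy; install(1) sets owner and mode explicitly;
# nginx -t refuses a broken config before anything is reloaded.
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
set -eu
SRC=/srv/app/deploy/nginx.conf
DST=/etc/nginx/sites-available/app.conf
install -o root -g root -m 0644 "$SRC" "$DST"
nginx -t
systemctl reload nginx
EOF
}

# Stage both files into a directory (a temp dir by default) so they can be
# reviewed before being copied to the VPS as root. visudo -cf checks the
# sudoers syntax when visudo is installed; a syntax error in sudoers.d can
# lock you out of sudo entirely, so never skip this check on the real host.
stage() {
    dir="${1:-$(mktemp -d)}"
    mkdir -p "$dir/sudoers.d" "$dir/sbin"
    sudoers_rule > "$dir/sudoers.d/deploy"
    chmod 0440 "$dir/sudoers.d/deploy"
    wrapper_script > "$dir/sbin/deploy-nginx"
    chmod 0755 "$dir/sbin/deploy-nginx"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dir/sudoers.d/deploy" >/dev/null 2>&1 \
            && printf 'sudoers syntax OK\n' >&2 \
            || printf 'sudoers syntax check FAILED\n' >&2
    fi
    printf '%s\n' "$dir"
}

# The line the deploy script itself runs. -n makes sudo fail instead of
# prompting when the rule is missing, so a broken setup errors out rather
# than hanging a non-interactive session.
deploy_step() {
    printf 'sudo -n %s\n' "$WRAPPER"
}

if [ "${1:-}" = "stage" ]; then
    stage "${2:-}"
fi
```

Run `sh deploy-setup.sh stage` to get a directory with `sudoers.d/deploy` and `sbin/deploy-nginx` to copy into place as root; the deploy script then only ever calls `sudo -n /usr/local/sbin/deploy-nginx`.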

@OTheB Are you up for learning Ansible? That exactly does what you need, and it's minimal setup on your VPS.

@oh_that_courtney Possibly, but I've now already fixed my problem by just creating an account and putting 3 lines in my sudoers file.

If I can avoid shoving stuff into my system then I will. I've got 1GB memory to work with and I'm already having problems with it, so the less stuff running on the server the better.

@oh_that_courtney Reading more into Ansible, it just looks like Salt or Puppet. All *way* too much for my single host with like 3 things running on it. Spinning up enough machines to get any worthwhile use of it would cost a fortune with no real-world gain.

I'll bear it in mind for stuff I do at work though as it might come in handy there.

@OTheB Ansible does not require anything on the server other than ssh access and python, which you already have.
In terms of security, I would be more concerned about preventing attackers from getting in in the first place rather than worrying about passwordless sudo: if they get in, you're screwed anyway.
Be sure to configure SSH to forbid SSH login as root and password authentication, allowing key-based authentication only.
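The SSH settings recommended above, as an added example that is not part of the thread: a drop-in with the hardened values plus a small audit that reads an existing sshd_config the way sshd does. The catch a practitioner wants to know: sshd uses the first value it reads for each keyword, so appending `PasswordAuthentication no` to the bottom of a file that already says `yes` higher up changes nothing. The sample config below is constructed for the example; the drop-in path is the usual /etc/ssh/sshd_config.d/ location and is an assumption about your distribution.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a hardening drop-in for
# /etc/ssh/sshd_config.d/ (assumed location) and audits an existing config.
set -eu

# Keys beat passwords; nobody logs in as root over SSH.
# KbdInteractiveAuthentication covers PAM "keyboard-interactive" prompts,
# which still ask for a password when only PasswordAuthentication is off.
hardening_dropin() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# sshd takes the FIRST value it reads for a keyword, so the effective value
# is the first non-comment match. Anything after a Match block applies only
# conditionally, so the scan stops there.
effective_value() {
    # $1 = keyword, stdin = config text
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# Exit 0 if the config is hardened, 1 otherwise, printing each problem.
# Absent keywords fall back to the sshd defaults listed here.
audit_sshd_config() {
    # stdin = config text
    cfg=$(cat)
    rc=0
    for triple in \
        "PermitRootLogin:no:prohibit-password" \
        "PasswordAuthentication:no:yes" \
        "KbdInteractiveAuthentication:no:yes" \
        "PubkeyAuthentication:yes:yes"; do
        key=${triple%%:*}
        rest=${triple#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(printf '%s\n' "$cfg" | effective_value "$key")
        [ -n "$got" ] || got=$default
        if [ "$got" != "$want" ]; then
            printf '%s: effective value "%s", want "%s"\n' "$key" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the trailing "PasswordAuthentication no" looks like a
# fix but loses to the earlier "yes"; the Match-block line is conditional.
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
PasswordAuthentication no'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd_config || true
fi
```

On a real host, run the audit against the output of `sshd -T` as root rather than the raw file, since `sshd -T` already resolves Include directives and reports the values sshd will actually use.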

@bloodyshell Huh, that actually sounds pretty good. Will definitely keep it in mind.
