strawman - make the agents not run as root
John Arbash Meinel
john at arbash-meinel.com
Tue Dec 17 14:34:10 UTC 2013
On 2013-12-17 18:23, Curtis Hovey-Canonical wrote:
>> On 2013-12-17 7:39, Tim Penhey wrote:
>>> Firstly there are the charms, they expect "apt-get install" to
>>> work, and if we change our user, it won't.
>
> We could add the juju user to sudoers on install?
>
> echo 'juju ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/91-juju
> chmod 0440 /etc/sudoers.d/91-juju
>
> This reduces the guilt/vulnerability while maintaining apt access.
> I suppose sudo breaks charm install hooks.
>
Right, so the transition plan could be that juju runs "sudo hook" for
everything, and then when charms can do it themselves it just runs
"hook" and those hooks then run "sudo do-stuff".
They still all need the ability to do root-level stuff, but it would
mean that they explicitly state in the charm what lines need it vs
which ones don't.
However, that is rewriting charms which is a non-trivial amount of
work even if we had jujud with sudo today.
John
=:->
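An added example, not part of the original message or of Juju's code: the sudoers drop-in from the quoted suggestion, staged and syntax-checked before it becomes live instead of being echoed straight into place. `install_sudoers_dropin` and `SUDOERS_CHECK` are hypothetical names used only here.

```shell
#!/bin/sh
# Added example, not from the thread. install_sudoers_dropin and SUDOERS_CHECK
# are names made up here. The default checker, "visudo -cf FILE", parses FILE
# for syntax errors without installing it.
: "${SUDOERS_CHECK:=visudo -cf}"

# install_sudoers_dropin DEST_DIR NAME RULE
install_sudoers_dropin() {
    dest_dir=$1 name=$2 rule=$3

    # sudo skips drop-in names that contain '.' or end in '~', so a file
    # with such a name would be silently ignored. Refuse it up front.
    case $name in
        ''|*.*|*~|*/*) echo "unusable drop-in name: $name" >&2; return 2 ;;
    esac

    # Stage inside DEST_DIR so the final rename is atomic. The staging name
    # contains a '.', so sudo never reads the half-written file.
    tmp=$(mktemp "$dest_dir/.sudoers-stage-XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"

    # Validate before the rule becomes live; a syntax error in an active
    # sudoers file can make sudo refuse to run at all.
    if ! $SUDOERS_CHECK "$tmp" >&2; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dest_dir/$name"
}

# Usage with the rule quoted in the thread (needs root for /etc/sudoers.d):
#   sh this-script /etc/sudoers.d 91-juju 'juju ALL=(ALL) NOPASSWD:ALL'
if [ "$#" -eq 3 ]; then
    install_sudoers_dropin "$@"
fi
```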