StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html
https://stackstorm.com/
Apache License 2.0

Concern with Stanley System User without Password and Giving Root Level Permission #4143

Closed qsandeep closed 6 years ago

qsandeep commented 6 years ago
ISSUE TYPE
STACKSTORM VERSION
2.6
OS / ENVIRONMENT / INSTALL METHOD

Custom Install

SUMMARY

We are setting up StackStorm for the first time on a Linux environment. Our Linux admins have concerns with the step below, where the user Stanley is created without a password and also gets ALL permissions to root. Our Linux admins have stopped the installation and we need more justification or an alternate method to continue.

Do you have any alternate way where we can have the Stanley user with a password and also give the required permissions only?

# Create an SSH system user (default `stanley` user may already exist)
sudo useradd stanley
sudo mkdir -p /home/stanley/.ssh
sudo chmod 0700 /home/stanley/.ssh

# Generate ssh keys
sudo ssh-keygen -f /home/stanley/.ssh/stanley_rsa -P ""

# Authorize key-based access
sudo sh -c 'cat /home/stanley/.ssh/stanley_rsa.pub >> /home/stanley/.ssh/authorized_keys'
sudo chown -R stanley:stanley /home/stanley/.ssh

# Enable passwordless sudo
sudo sh -c 'echo "stanley    ALL=(ALL)       NOPASSWD: SETENV: ALL" >> /etc/sudoers.d/st2'
sudo chmod 0440 /etc/sudoers.d/st2

# Make sure `Defaults requiretty` is disabled in `/etc/sudoers`
sudo sed -i -r "s/^Defaults\s+\+?requiretty/# Defaults +requiretty/g" /etc/sudoers

arm4b commented 6 years ago

You can skip the passwordless sudo step if your org has concerns about using it. We've seen some other orgs doing the same.

But in general it's OK to configure passwordless sudo for the stanley user if you expect StackStorm to be your orchestrator and run workflows/deployment/auto-remediation steps and other commands with elevated privileges.

By removing passwordless sudo you can still specify the sudo password when running commands; see the sudo and sudo_password runner parameters: https://docs.stackstorm.com/reference/runners.html#runner-parameters

Hope that answers your question.
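The question above asks for a way to give the stanley user "the required permissions only", while the documented step grants `ALL=(ALL) NOPASSWD: SETENV: ALL`. The following is an added example, not code from the StackStorm project or from either participant: it generates a least-privilege `/etc/sudoers.d/st2` drop-in that limits passwordless sudo to an explicit command list (a `Cmnd_Alias`) and rejects any entry that is not an absolute path, since sudoers requires full paths. The command list shown is constructed for illustration; the commands your StackStorm actions actually run under sudo are an assumption you must fill in, and the `SETENV` tag is kept from the documented rule rather than being something this example adds.

```shell
#!/bin/sh
# Added example: build a least-privilege sudoers drop-in for the StackStorm
# system user instead of "stanley ALL=(ALL) NOPASSWD: SETENV: ALL".
# The command paths passed in below are constructed placeholders.

# Print a sudoers fragment granting USER passwordless sudo for the listed
# commands only. Every command must be an absolute path (sudoers requires it);
# a relative entry makes the function fail without printing anything.
st2_sudoers_fragment() {
  user="$1"
  shift
  [ "$#" -gt 0 ] || { echo "no commands given" >&2; return 1; }
  cmds=""
  for cmd in "$@"; do
    case "$cmd" in
      /*) ;;   # absolute path: accepted
      *) echo "rejecting non-absolute command: $cmd" >&2; return 1 ;;
    esac
    if [ -z "$cmds" ]; then cmds="$cmd"; else cmds="$cmds, $cmd"; fi
  done
  printf 'Cmnd_Alias ST2_CMDS = %s\n' "$cmds"
  # (root) instead of (ALL): stanley may only become root, not other users.
  # SETENV is kept from the documented rule so runner environment variables
  # can still be passed through.
  printf '%s ALL=(root) NOPASSWD: SETENV: ST2_CMDS\n' "$user"
}

# Write the fragment to FILE with the 0440 mode the documented step uses.
write_st2_sudoers() {
  file="$1"
  user="$2"
  shift 2
  st2_sudoers_fragment "$user" "$@" > "$file" || return 1
  chmod 0440 "$file"
}

# Usage on the StackStorm host (command list is a constructed placeholder):
#   write_st2_sudoers /etc/sudoers.d/st2 stanley /usr/bin/systemctl /usr/bin/journalctl
#   visudo -cf /etc/sudoers.d/st2   # syntax-check the drop-in before relying on it
```

The drop-in replaces the documented `ALL` rule, so the sudo step of the install still works for the listed commands, and any action that tries to escalate with a command outside `ST2_CMDS` is denied and logged by sudo as usual. Combining this with the `sudo_password` runner parameter mentioned in the reply is an alternative if the org prefers to keep a password on the account.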