Sudo without password and unprotected rsa-keys

[ofstudio]

Hi!

Meteor-up is very helpful tool, but security reasons stops me to use it: unprotected sudo and unprotected RSA-key

1. AFAIK sudo access needs only once during new server setup: to install node, mongo, etc. It will be more like to ask sudo password in case if it actually needs than permanent unprotected sudo
2. Unprotected RSA key is a huge security leak I think. I have no idea about key protecting mechanism in different environments / operating systems (eg on OS X various apps can use RSA-key asking passphrase time to time) – so maybe it is difficult to implement. But unprotected private key is really-really bad.

[arunoda]

1) We use root only to bind to port 80. Then we use downgrade permission of the app. It's possible to change that anyway: https://github.com/arunoda/meteor-up/wiki/Using-Meteor-Up-with-NginX-vhosts#mupjson-environment-settings 2) We've no solution for this at the moment.

On Thu Feb 12 2015 at 1:45:05 PM Oleg Fomin notifications@github.com wrote:

Hi!

Meteor-up is very helpful tool, but security reasons stops me to use it: unprotected sudo and unprotected RSA-key

1.

AFAIK sudo access needs only once during new server setup: to install node, mongo, etc. It will be more like to ask sudo password in case if it actually needs than permanent unprotected sudo 2.

Unprotected RSA key is a huge security leak I think. I have no idea about key protecting mechanism in different environments / operating systems (eg on OS X various apps can use RSA-key asking passphrase time to time) – so maybe it is difficult to implement. But unprotected private key is really-really bad.

— Reply to this email directly or view it on GitHub https://github.com/arunoda/meteor-up/issues/261.