dyne / sup

a "small is beautiful" tool for UNIX privilege escalation
https://sup.dyne.org
GNU Lesser General Public License v3.0

Automation support #3

Open LucidOne opened 6 years ago

LucidOne commented 6 years ago

Apologies in advance for the feature requests. :disappointed: I'm not trying to turn sup into dzdo but I keep running into issues trying to automate sudo in a sane way.

If multiple sysadmins want to use the same set of (Ansible, Chef, whatever) scripts to administrate a set of servers, the options seem to be along the lines of 'ssh into the server as root' or worse.

Obviously, for logging purposes, it would be nice if sysadmins could login as themselves and not have to type in their password n times, potentially minutes apart.

It may be worth considering a passwordless means of privilege escalation such as gpg-agent or ssh-agent. https://medium.com/thomas-strohmeier/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740

Something like JSON Web Signatures might provide for generation of an escalation token specifying the program to be run with a timestamp. I wonder if this could be built as an "extension" to avoid complicating the sup codebase. I'll think about this more.
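The escalation-token idea sketched above, as an added example that is not part of the original issue and not code from sup itself: a minimal JWS compact token (HS256, stdlib only) whose payload binds the exact command to an issue time and a short expiry, and a verifier that checks the signature before trusting any claim, rejects any `alg` other than the one it expects, and only accepts the token for the command it names. The field names `cmd`, `iat`, `exp`, the shared key and the fixed `now` values are assumptions made for the demo, not anything sup defines.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a real deployment the verifying side (the
# privileged tool) would read this from a root-only file; never embed it.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, cmd: str, ttl: int, now: Optional[int] = None) -> str:
    """Issue a JWS (HS256) authorizing exactly `cmd` for `ttl` seconds.

    The command line is part of the signed payload, so a token for one
    program cannot be reused to run another.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"cmd": cmd, "iat": now, "exp": now + ttl}
    compact = separators = (",", ":")
    signing_input = (
        _b64url(json.dumps(header, separators=compact).encode())
        + "."
        + _b64url(json.dumps(payload, separators=compact).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, requested_cmd: str, now: Optional[int] = None) -> bool:
    """Return True only if `token` is validly signed, unexpired and names `requested_cmd`."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    # Pin the algorithm: a header claiming "none" or another alg is rejected
    # before the signature is even looked at.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(s64)
    except ValueError:
        return False
    # Constant-time comparison; only after this do we parse the claims.
    if not hmac.compare_digest(expected, provided):
        return False
    try:
        payload = json.loads(_b64url_decode(p64))
    except ValueError:
        return False
    if not isinstance(payload, dict):
        return False
    iat = payload.get("iat")
    exp = payload.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return False
    return payload.get("cmd") == requested_cmd


if __name__ == "__main__":
    # Demo: a five-minute token for one command, checked against two requests.
    tok = issue_token(DEMO_KEY, "/usr/bin/systemctl restart nginx", ttl=300)
    print(tok)
    print(verify_token(DEMO_KEY, tok, "/usr/bin/systemctl restart nginx"))  # True
    print(verify_token(DEMO_KEY, tok, "/bin/sh"))  # False: token is bound to one command
```

The short `exp` limits how long a leaked token is useful, but it does not by itself stop the same token being presented twice inside its window; a verifier that cares about replay would also record the `iat`/`cmd` pair (or a `jti`) it has already honoured.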

jaromil commented 5 years ago

It's a nice idea, but yes, it is bloat. I can relate well to the problem you point out.

I've been wondering for a while now whether to split sup into two different codebases: one suckless and one not.

@parazyd is already maintaining a properly suckless version of today's sup with less cruft.

Meanwhile, have you found a solution for your problem?