intelligent-agent / Reflash

Flasher image for Refactor distro for use with Recore 3D printer board
GNU Affero General Public License v3.0

Remove root access on Reflash #50

Closed eliasbakken closed 1 month ago

eliasbakken commented 7 months ago

Reflash is meant as an intermediary server with the purpose of installing Refactor/Rebuild. Still, it should not be necessary to have ssh access enabled for root.

goeland86 commented 7 months ago

I don't remember if there's a non-root user account defined on the image though. Not a bad idea to do it, just don't remember what you set up on the Rebuild barebones.

eliasbakken commented 7 months ago

There is no non-user on Reflash, so we should add one. Perhaps something more obscure than 'debian'?

goeland86 commented 7 months ago

I mean... Reflash the "image" or Reflash the "tool"? If Reflash the app, then yes. For the image, it can still be the debian user, but we need a way to force-change the password before it begins to run.

obgr commented 7 months ago

Having Reflash running as a service user is good practice. I do however have the opinion that this user should be different from the user that is open for ssh.

May I propose two users?

eliasbakken commented 7 months ago

I agree with this. Which user is the service user and which is the ssh user?

obgr commented 7 months ago

Service user: reflash. Used to run the service, which is called reflash. In case the underlying webserver would be a somewhat standardized tool, I would call the service user nginx, haproxy, podman etc.

Regular user: debian. I would keep it as close to default as possible for this user in order to keep it similar across all rebuild/refactor setups, and hopefully avoid confusion. The default user is named differently across distros and live environments, but if you look at AWS as an example, they name the default user after the running distro (debian, centos, ubuntu etc.), which makes the username debian somewhat standard.

goeland86 commented 7 months ago

Standard debian nomenclature for the web-server user is www-data usually.

debian for the login user makes sense.

eliasbakken commented 7 months ago

Yeah, maybe www-data is a good user for the web-server. I just read that it is the standard for Debian distros.

obgr commented 7 months ago

I agree. Even if it's gunicorn, it's still a web server.

eliasbakken commented 6 months ago

Reopening this, since the build is now happening in this repo
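
The layout the thread converges on (no root login over ssh, a `debian` login user whose password must be changed before use, and a separate non-root service user such as `www-data`) can be checked against an unpacked image tree before it ships. The script below is an added example, not code from the Reflash repository; the file paths, the unit name `reflash.service`, the function names and the sample data are assumptions, and `Match` blocks and `Include` files in `sshd_config` are not evaluated.

```shell
#!/bin/sh
# Audit an unpacked image root for the account layout proposed in the thread.
# Paths, unit name and sample data are assumptions, not taken from the Reflash repo.

# Print the first value of an sshd_config keyword (sshd honours the first occurrence).
sshd_value() {  # $1=config file  $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Print findings for the tree at $1; return status = number of findings.
audit_rootfs() {
    root=$1 login=${2:-debian} unit=${3:-reflash.service} n=0
    prl=$(sshd_value "$root/etc/ssh/sshd_config" PermitRootLogin)
    [ "$prl" = no ] || { echo "FAIL sshd: PermitRootLogin is '${prl:-unset}', want 'no'"; n=$((n+1)); }
    # shadow field 3 (last change) = 0 forces a password change at first login (chage -d 0)
    age=$(awk -F: -v u="$login" '$1 == u { print $3 }' "$root/etc/shadow")
    [ "$age" = 0 ] || { echo "FAIL $login: password change not forced at first login"; n=$((n+1)); }
    # the service must declare a non-root User= (systemd runs system units as root by default)
    svc=$(sed -n 's/^User=//p' "$root/etc/systemd/system/$unit" | tail -n 1)
    case $svc in ''|root) echo "FAIL $unit: runs as '${svc:-root}'"; n=$((n+1));; esac
    # the service user and the ssh login user should be different accounts
    [ "$svc" != "$login" ] || { echo "FAIL $unit: service user is also the ssh login user"; n=$((n+1)); }
    return "$n"
}

# Build a constructed sample tree under $1.
# $2=PermitRootLogin value  $3=shadow last-change field for debian  $4=service User=
make_sample() {
    mkdir -p "$1/etc/ssh" "$1/etc/systemd/system"
    printf '# constructed sample\nPermitRootLogin %s\n' "$2" > "$1/etc/ssh/sshd_config"
    printf 'root:*:19700:0:99999:7:::\ndebian:x-constructed:%s:0:99999:7:::\n' "$3" > "$1/etc/shadow"
    printf '[Service]\nUser=%s\nExecStart=/usr/bin/true\n' "$4" > "$1/etc/systemd/system/reflash.service"
}
```

Run `audit_rootfs <mounted-image-root>` in the image build; a non-zero status is the number of findings.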