seven1m / onebody

private member portal for churches, built with Ruby on Rails
GNU Affero General Public License v3.0
1.4k stars 284 forks

security risk #700

Closed masukomi closed 6 years ago

masukomi commented 6 years ago

In your app.yml it says

sudo: ['ALL=(ALL) NOPASSWD:ALL']

If that is actually editing the sudoers file, then I think you've opened up a huge security hole, in that anyone can now become root without needing a password.

seven1m commented 6 years ago

I think it might be possible to reduce that. I’ll see what I can do.

To be clear though, a user would still need to log into the machine. The installer assumes you are not creating other users on your Digital Ocean vps instance.
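Added example, not code from the onebody project or either commenter: a POSIX shell check that flags the blanket `ALL=(ALL) NOPASSWD:ALL` grant quoted in the report and contrasts it with a grant scoped to named commands, the kind of reduction the reply mentions. The user name `onebody`, the sudoers.d location and the command list are assumptions.

```shell
#!/bin/sh
# Added example (not from the onebody project): audit sudoers-style entries
# for the blanket "ALL=(ALL) NOPASSWD:ALL" grant and show a least-privilege
# alternative. All sample content below is constructed.

# Constructed sample: the grant from app.yml as it would look once written to
# /etc/sudoers.d/onebody (the user name and file location are assumptions).
WEAK_SUDOERS='onebody ALL=(ALL) NOPASSWD:ALL'

# Constructed sample: the same user limited to specific service restarts.
# The command list is an assumption, not the installer's real requirements.
SCOPED_SUDOERS='onebody ALL=(root) NOPASSWD: /usr/sbin/service nginx restart, /usr/sbin/service onebody restart'

# Return 0 if any non-comment line lets the user run every command without a
# password. Tolerates spacing such as "NOPASSWD: ALL" and "NOPASSWD:ALL".
has_blanket_nopasswd() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eq '=\([^)]*\)[[:space:]]*NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

# Print only the command list of a grant (everything after the runas spec and
# any TAG:), so a reviewer sees at a glance what the entry actually allows.
sudoers_commands() {
    printf '%s\n' "$1" | sed -E 's/^.*\)[[:space:]]*([A-Z]+:[[:space:]]*)?//'
}

# Human-readable verdict used by the demo below.
audit_grant() {
    if has_blanket_nopasswd "$1"; then
        echo "BLANKET: passwordless root for every command"
    else
        echo "SCOPED: $(sudoers_commands "$1")"
    fi
}

audit_grant "$WEAK_SUDOERS"
audit_grant "$SCOPED_SUDOERS"
```

On a live host, run the same check against `/etc/sudoers` and each file in `/etc/sudoers.d/` after validating them with `visudo -c`.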