vmstan / gravity-sync

💫 The easy way to synchronize the DNS configuration of two Pi-hole 5.x instances.
https://vmstan.com/gravity-sync/
GNU General Public License v3.0
2.29k stars 128 forks

Password-less sudo too open and template doesn't allow enough permissions #374

Closed reuc closed 2 months ago

reuc commented 1 year ago

Issue Description

Install places a sudoers.d config file with the following permissions:

pi ALL=NOPASSWD: ALL

The template folder shows a sudoers.d of:

pi ALL=NOPASSWD: /etc/pihole

However, the sudoers config in the template folder fails when trying to push or pull from a remote system.

Configuration Details

traxeon commented 6 months ago

I agree with this. I'd like the sudoer file to target only the commands that gravity-sync needs to execute. As an example: replace gs-nopasswd with this:

User_Alias GRAVITY = <myuser>

# command group: implicit allow for commands
# (entries in a Cmnd_Alias list are comma-separated)
Cmnd_Alias GRAVCMDS = \
    /usr/bin/rsync *, \
    /usr/local/bin/pihole *, \
    /usr/bin/pihole-FTL *, \
    /usr/local/bin/gravity-sync *

GRAVITY ALL = NOPASSWD: GRAVCMDS

... or better yet, specify the EXACT commands that need to run (e.g. replace the * with the command line options that run).
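Added example, not part of the thread or of gravity-sync's own code: a small Python audit that labels how much each NOPASSWD entry discussed above actually grants, so a drop-in can be reviewed before it is installed. The sample text, the user name `pi` standing in for `<myuser>`, and the label names are assumptions made for illustration; sudoers matches a path without a trailing `/` as a single command, which is why `/etc/pihole` is labelled as one command rather than a directory.

```python
import re

# Simplified on purpose: no includes, Defaults, negation, escaped commas or nested aliases.
# Constructed sample: the rules quoted in this thread ("pi" stands in for <myuser>).
SAMPLE = r"""
pi ALL=NOPASSWD: ALL
pi ALL=NOPASSWD: /etc/pihole
User_Alias GRAVITY = pi
Cmnd_Alias GRAVCMDS = \
    /usr/bin/rsync *, \
    /usr/local/bin/pihole *
GRAVITY ALL = NOPASSWD: GRAVCMDS
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    return [s for s in (ln.split("#", 1)[0].strip() for ln in joined.splitlines()) if s]

def classify(cmd):
    """Label how much a single sudoers command entry allows."""
    path, _, args = cmd.partition(" ")
    if cmd == "ALL":
        return "unrestricted"   # any command at all
    if path.endswith("/"):
        return "directory"      # every file directly inside that directory
    if re.search(r"[*?\[]", cmd):
        return "wildcard"       # glob in the path or the arguments
    if not args.strip():
        return "any-args"       # bare path: that one command, any arguments
    return "pinned"             # exact arguments (or "" for none)

def audit(text):
    """Return (user, command, label) for each NOPASSWD entry, aliases expanded."""
    lines, aliases, out = logical_lines(text), {}, []
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:
        m = re.match(r"(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)", line)
        if m:
            for entry in (c.strip() for c in m.group(2).split(",")):
                for cmd in aliases.get(entry, [entry]):
                    out.append((m.group(1), cmd, classify(cmd)))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only entries labelled `pinned` meet the "EXACT commands" bar suggested above. Syntax is a separate check: `visudo -c -f` on the drop-in file validates it before it goes into `/etc/sudoers.d`.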

vmstan commented 2 months ago

Effective July 26, 2024, this project has been retired. Thank you for your use and enthusiasm for a project that began as a few lines of bash in a Slack channel and evolved into something far more complex, and used by many thousands of Pi-hole enthusiasts over the last four years.