From 652c174d7d8032aad7eff335a0cc5e56d0b647e7 Mon Sep 17 00:00:00 2001 From: Ryan Yin Date: Mon, 4 Mar 2024 18:33:15 +0800 Subject: [PATCH] fix(security): sudo password in remote deployment --- docs/best-practices/remote-deployment.md | 1 + docs/zh/best-practices/remote-deployment.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/best-practices/remote-deployment.md b/docs/best-practices/remote-deployment.md index 9ef29a1..1c86e56 100644 --- a/docs/best-practices/remote-deployment.md +++ b/docs/best-practices/remote-deployment.md @@ -17,6 +17,7 @@ Before embarking on remote deployment, a few preparatory steps are necessary: 1. To prevent remote host's sudo password verification failure, choose one of the following methods: 1. Deploy as the remote host's `root` user. 2. Add `security.sudo.wheelNeedsPassword = false;` to the remote host's configuration and manually deploy once in advance to grant the user passwordless sudo permissions.. + 1. **This will allow user-level programs to silently obtain sudo permissions, posing a security risk**! Therefore, if you choose this method, it's advisable to create a dedicated user for remote deployment, rather than using your regular user account! 2. Configure SSH public key authentication for the remote hosts. diff --git a/docs/zh/best-practices/remote-deployment.md b/docs/zh/best-practices/remote-deployment.md index f9a27bf..a2f547c 100644 --- a/docs/zh/best-practices/remote-deployment.md +++ b/docs/zh/best-practices/remote-deployment.md @@ -14,8 +14,9 @@ Nix 本身的设计就很适合远程部署,Nix 社区也有许多专门用于 在进行远程部署之前,需要做一些准备工作: 1. 为了防止远程主机的 sudo 密码验证失败,有两种方法,二选一: - 1. 以远程主机的 `root` 用户身份部署 + 1. 以远程主机的 `root` 用户身份部署,这是推荐使用的方法。 2. 在远程主机的配置中添加 `security.sudo.wheelNeedsPassword = false;` 并提前手动部署一次,从而为用户授予免密码验证的 sudo 权限。 + 1. **这会导致用户级别的程序能静默获取 sudo 权限,存在安全风险**!因此如果选用这种方法,建议远程部署创建一个专门的用户,不应该使用自己的常用用户! 2. 为远程主机配置 SSH 公钥身份验证。 建议使用 `root` 用户进行部署,因为这更方便且不需要额外的配置,没有令人头疼的 sudo 权限问题。
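Review bot: In the English hunk (docs/best-practices/remote-deployment.md), the caveat about `security.sudo.wheelNeedsPassword = false;` understates what the "dedicated user" mitigation buys. That user must still be in `wheel` (otherwise the deployment cannot gain root at all), so whatever holds its SSH private key gets passwordless root on every target exactly as the regular account would; the dedicated account only narrows which interactive programs and browser/shell sessions run with that privilege, it does not reduce the blast radius of a leaked deploy key. Suggest saying so explicitly, e.g. "The dedicated user still has passwordless root via sudo; protect its SSH key as you would root's." It would also be worth noting that method 1 (deploying as `root`) carries the same property, since the SSH key then grants root directly. A smaller point: the warning is numbered `1.` nested under item `2.`, so it reads as a sub-step of that method rather than a caveat about it; a plain indented note under item 2 would be clearer. The pre-existing double period in "sudo permissions.." on the context line could be fixed in the same pass.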
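Review bot: The Chinese hunk (docs/zh/best-practices/remote-deployment.md) changes item 1 to add "这是推荐使用的方法" ("this is the recommended method"), but the English hunk does not make the matching change to its item 1, so the two language versions of the same list now say different things. Suggest adding the same recommendation to the English item, e.g. "1. Deploy as the remote host's `root` user (recommended).", so both translations steer readers toward the option that avoids the passwordless-sudo caveat. The added warning line here has the same nested `1.` numbering problem as the English hunk and would read better as an indented note under item 2.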