Same thing for allowing specific sudo-commands. Many tools (like vim or the tools mentioned in the article) would have the same problem when allowing them to be run with root privileges.
Now I feel a bit more justified for over-engineering my automatic restic backup to not run as root, but to instead use "capabilities" to read files it doesn't own.
Namely, CAP_DAC_READ_SEARCH [0] and related systemd settings. The only problem is that it inhibits using a convenience/wrapper script.
Some at work want to let me run sudo vim only to edit my hosts file. This is silly for a variety of reasons, one of them being that vim can allow the user to exec arbitrary commands. If you give me root for vim, just save me the trouble and let me have unrestricted root so I can do my job.
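A small audit for the situation this comment describes, added here as an example and not code from the thread: it lists sudoers rules that start an interactive editor as root, where a `sudoedit` rule would cover the same file edit. The editor names other than vim, the function names and the sample sudoers text are assumptions constructed for illustration.

```python
import os
import re

# Assumption: vim is the editor named in the thread; the others are added here.
EDITORS = {"vi", "vim", "view", "nano", "emacs", "ed"}
NOT_RULES = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")

# Constructed sample sudoers text (hypothetical users, not from the thread).
SAMPLE = r"""
Cmnd_Alias HOSTS_EDIT = /usr/bin/vim /etc/hosts, \
                        /usr/bin/nano /etc/hosts
alice  ALL = (root) NOPASSWD: /usr/bin/vim /etc/hosts
%web   ALL = (root) HOSTS_EDIT, /usr/bin/systemctl restart nginx
bob    ALL = (root) sudoedit /etc/hosts
"""

def split_cmds(rhs):
    """Return the command list of a rule or alias body."""
    rhs = re.sub(r"\([^)]*\)", " ", rhs)    # drop (runas) lists
    rhs = re.sub(r"\b[A-Z_]+:", " ", rhs)   # drop tags such as NOPASSWD:
    return [c.strip() for c in rhs.split(",") if c.strip()]

def audit_sudoers(text):
    """List (who, command) pairs where sudo starts an editor directly."""
    text = re.sub(r"\\\n", " ", text)       # join continuation lines
    lines = [l.strip() for l in text.splitlines()]
    # Lines starting with '#' are skipped, so include directives are not followed.
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases, findings = {}, []
    for line in lines:                      # pass 1: collect Cmnd_Alias bodies
        if line.startswith("Cmnd_Alias"):
            name, _, rhs = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = split_cmds(rhs)
    for line in lines:                      # pass 2: user specifications
        if line.startswith(NOT_RULES) or "=" not in line:
            continue
        who, _, rhs = line.partition("=")
        for cmd in split_cmds(rhs):
            for real in aliases.get(cmd, [cmd]):   # expand aliases one level
                if os.path.basename(real.split()[0]) in EDITORS:
                    findings.append((who.split()[0], real))
    return findings

if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE):
        print(f"{who}: '{cmd}' runs an editor as root; consider sudoedit")
```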
I had the same a few years ago. When I pointed out that I can get full root with most of the whitelisted commands, they answered, "We know. It's not about security but to prevent lusers from accidentally rm -rf /* the server. Feel free to spawn a root shell. You obviously know what you do."
I deal with some regulated things, and some users who usually wouldn't be allowed to see/work on a thing are granted special access to do so, with extreme limitations. Recently I was approached asking if we could strip down the users' desktops to no GUI, no sudo, for use as a jumpbox. I explained why users need sudo to do what they need, and was asked about limiting sudo.
It's really tough to tell someone who is all about security (not Linux security but regulatory security and such) that basically granting any bit of sudo access can lead to full access.
There is a way that this can be handled, but it's honestly sort of an afterthought functionality. facls. You can delegate multiple owners/groups and permissions for things, and it can work well, but you have to deal with facls on multiple fronts, setting them for basically the entire system. facls are great, in theory, but they feel like such an afterthought that they are often ignored.
You could provide decently meaningful and targeted sandboxing using mount namespaces and an overlay FS, while retaining sudo privileges for what you need to do.
Yeah, and then it probably isn't the developer's job to fix that but rather the DevOps engineer's one.
Also saying "the developer has to fix this" is something we tried to abolish when talking about DevOps. What about shared responsibility? Bridging the knowledge gap.
Sure. But the malaise of smug people taking decisions that are outside of the scope of the software is creeping into Linux too. It is up to me to decide what is secure, not them.
AFAIK because "act", the tool to run GitHub Actions locally, was there and there was no need to create something else. Also makes it easier for people to switch from GitHub.
Well, yes. In this project where I needed to do this, we thought about removing the pipeline completely and replacing it with something custom made. But as always: GitLab worked and there was no immediate need to replace it.
I'm also European and don't get these Olympic swimming pool or whatever comparisons. I'd have to look up how many m3 of water they contain or what the length/depth in meters are to make sense of it.
Newspapers in my country don't make these silly comparisons.
But yeah, to be fair, when hearing about Starship I had to look up our TV tower height to identify whether Starship is taller or not. It disappointed me that it's not.
Yeah, height is easier to grasp when correlating in terms of x story apartment buildings.
When using football fields as a unit of length you should use American football fields rather than soccer fields because American football field sizes are more standardized.
For American football, professional, college, and high school games are all played on the same sized field, which is 100 yards long.
Compare to soccer, where they can even have different sized fields in the same professional league. The English Premier League wants to standardize on 105 m x 68 m but several clubs are still using other sizes: Brentford (105 x 65), Chelsea (103 x 67), Crystal Palace (100 x 67), Everton (103 x 70), Fulham (100 x 65), Liverpool (101 x 68), and Nottingham Forest (105 x 70).
For international play FIFA has a standard, but it is a range: 100-110 m x 64-70 m.
There are parts of a soccer field that are precisely specified and so could be used as a standard of length.
Some examples are the radius of the circle around the center mark (9.144 m), the penalty area (40.23 x 16.46 m), distance from penalty mark to goal (10.97 m), goal area (18.29 m x 5.47 m), distance between goal posts (7.32 m), and the height of the crossbar (2.44 m).
The reason none of them are nice integers is that they were actually originally standardized in Imperial units. In those the aforementioned measurements are 10 yards, 44 yards x 18 yards, 12 yards, 20 yards x 6 yards, 8 yards, and 8 feet, respectively.
I don't know the first thing about football, only that it has the words "foot" and "ball", none of which apply to the American variant, which is played with hands and a (geometric) lemon[1] :p
I figured FIFA/UEFA who both standardised on 105m, sensibly factored ±5m to account for Heisenberg uncertainty when approaching relativistic speeds. This is very well depicted - complete with curvature of space, train paradox, spooky action at a distance, time dilation, and other relativistic oddities - in a documentary I watched when I was young; if only I could recall the original name...