Tool for virtual networks

Fri Jul 15 15:07:41 UTC 2022

> On Jul 15, 2022, at 8:25 AM, J. Hellenthal <jhellenthal at dataix.net> wrote:
> 
> For a quick cursory overview of this project, I would urge you to add an adendum or change the following line in the installation documentation...
> 
> "%sudo   ALL=(ALL:ALL) NOPASSWD: ALL"
> 
> This is technically influencing bad behavior with sudo for those that are not aware of the security impacts of such decisions.
> 
> I'm not one to provide a negative remark usually without suggesting a result that provides a positive impact that can be built upon. So with that said and along the lines of that id suggest adjusting the documentation to contain something of the sorts of a guided only per user or separate group other than "%sudo"... maybe "%cougarnet" and add instructions for creating the group and adding users to that group.
> 
> Beyond that... nice project and thank you for your contribution to networking. This may be beyond the scope of just this one mailing list and wish you the best.

Thanks so much for the feedback.  As noted, this is still a work-in-progress.  Now that I'm mostly past the proof-of-concept phase of development, and one of my near-term to-do items is to improve least privilege in the code.  I think it does fairly well in other places, but the sudo access is still too liberal.  At the moment, the plan is to enumerate the commands used with sudo in the code and apply them to a group of which a user must be a part.  For example:

%cougarnet   ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip, /usr/sbin/sysctl

But in the mean time (and generally) this should really only be used in a dedicated VM.  And the *primary* audience is my networks class--even though I shared with the broader networking community, in case others might find it useful or have feedback (thank you!).

Cheers,
Casey