Tool for virtual networks

Tom Beecher beecher at beecher.cc
Mon Jul 18 15:38:09 UTC 2022


>
> But in the meantime (and generally) this should really only be used in a
> dedicated VM.  And the *primary* audience is my networks class--even though
> I shared with the broader networking community, in case others might find
> it useful or have feedback (thank you!).
>

It's a cardinal rule that anything built with a set of assumptions about
the environment it operates in will inevitably be run in a different
environment somewhere, someday. :)

On Fri, Jul 15, 2022 at 11:09 AM Casey Deccio <casey at deccio.net> wrote:

> > On Jul 15, 2022, at 8:25 AM, J. Hellenthal <jhellenthal at dataix.net> wrote:
> >
> > For a quick cursory overview of this project, I would urge you to add an
> > addendum or change the following line in the installation documentation...
> >
> > "%sudo   ALL=(ALL:ALL) NOPASSWD: ALL"
> >
> > This is technically influencing bad behavior with sudo for those that
> > are not aware of the security impacts of such decisions.
> >
> > I'm not one to provide a negative remark usually without suggesting a
> > result that provides a positive impact that can be built upon. So with that
> > said and along the lines of that I'd suggest adjusting the documentation to
> > contain something of the sorts of a guided only per user or separate group
> > other than "%sudo"... maybe "%cougarnet" and add instructions for creating
> > the group and adding users to that group.
> >
> > Beyond that... nice project and thank you for your contribution to
> > networking. This may be beyond the scope of just this one mailing list and
> > wish you the best.
>
> Thanks so much for the feedback.  As noted, this is still a
> work-in-progress.  Now that I'm mostly past the proof-of-concept phase of
> development, one of my near-term to-do items is to improve least
> privilege in the code.  I think it does fairly well in other places, but
> the sudo access is still too liberal.  At the moment, the plan is to
> enumerate the commands used with sudo in the code and apply them to a group
> of which a user must be a part.  For example:
>
> %cougarnet   ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip, /usr/sbin/sysctl
>
> But in the meantime (and generally) this should really only be used in a
> dedicated VM.  And the *primary* audience is my networks class--even though
> I shared with the broader networking community, in case others might find
> it useful or have feedback (thank you!).
>
> Cheers,
> Casey
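
The difference between the two sudoers rules quoted in this thread, as an added example that is not part of any message here or of the project's code: a small Python audit that flags passwordless rules by breadth. It assumes single-line user specifications with no aliases, line continuations or escaped commas; the function name `audit` and the severity labels are hypothetical.

```python
import re

# Constructed sample: the two rules quoted in the thread.
SAMPLE = """\
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
%cougarnet   ALL=(ALL:ALL) NOPASSWD: /usr/bin/ip, /usr/sbin/sysctl
"""

# who  host = (runas) command-list
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^((?:NO)?PASSWD|(?:NO)?EXEC|(?:NO)?SETENV)\s*:\s*")


def audit(text):
    """Return (who, severity, message) for each passwordless command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue                      # comments, includes, Defaults
        if "_Alias" in line.split()[0]:
            continue                      # alias definitions are out of scope
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False                  # tags are sticky within one list
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            while (t := TAG.match(cmd)):
                if t[1].endswith("PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            if not nopasswd:
                continue
            if cmd == "ALL":
                findings.append((m["who"], "high", "NOPASSWD on ALL commands"))
            elif not cmd.startswith("/"):
                findings.append((m["who"], "review", f"needs manual review: {cmd}"))
            elif " " not in cmd:
                findings.append((m["who"], "info", f"{cmd} allowed with any arguments"))
    return findings


if __name__ == "__main__":
    for who, severity, message in audit(SAMPLE):
        print(f"{severity:6} {who:12} {message}")
```

Any rule written to a real sudoers file should still be checked with `visudo -c` before it is relied on.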