Timothee Ravier from Red Hat, the mayor of projects Fedora Silverblue and Fedora Kinoite, suggested a way to move from the use of a SUDO utility using SUID-bit to increase privileges. Instead of SUDO, to fulfill the ROOT commands with a regular user, it is proposed to use the SSH utility with a local connection to the same system via UNIX-School and checking the SSH-based powers.
The use of SSH instead of Sudo allows you to get rid of SUID programs in the system and organize the performance of privileged commands in the hosting of distributions using container insulation of components such as Fedora Silverblue, Fedora Kinoite, Fedora Sericea and Fedora Onyx. In order to restrict access, confirmation of powers using USB-Taken (for example, Yubikey) can be additionally involved.
An example of setting up the Openssh server components for access through the local Unix-School (a separate SSHD copy will be launched with your configuration file):
/etc/Systemd/system/sshd-unix.socket: |
---|
[unit] description = OpenSSH SERVER UNIX SOCKET Documentation = Man: SSHD (8) ManHD_CONFIG (5) [SOCKET] LISTRENSTREAM =/run /SSHD.SOCK Accept = YES [Install] WANTEDBY = SOCKETS.TARGET |
/etC/SySTEMD/SYSTEM/[email protected]: |
---|
[Unit] Description = Openssh Per-Connces SERVER DA Emon (Unix Socket ) Documentation = man: sshd (8) man: sshd_config (5) wants = sshd-kygen.target after = sshd-keygen.target [-/sbin/sbin/sshd -f/eth/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ssh/ SSHD_CONFIG_UNIX StandardinPut = Socket |
/ETC/SSHD_CONFIG_UNIX: |
---|
# leaves only authentication Permitrootlogin Password PasswordAutication NO Permitymp Typasswords No GSSAPIAUTHENTIONE NO |