Sudoers changes: sudo password field removed, new /etc/sudoers guidance


#1

Hi folks,

The sudoers password in Vespene was confusing and could leak the sudoers password in some cases.
Not everyone was using it, and using sudoers with no password is way cleaner.

As such,

I've just removed the sudo passsword field from the worker tab and the support for sudoing with a password.

The recommendation is now, for sudoers:

 vespene ALL=(vespene_build) NOPASSWD:ALL

Which is to say, let the build process use "vespene_build" to execute worker processes - or whatever account you set up in the worker pool, without a password.

To update, as normal, just checkout a new version and do "make migrate"

Let me know if there are questions or problems.

Once again, the setup script will NOT set up sudoers for you, if you want an easy trial experience you can put whatever user is running in Vespene in for the "worker pool" password, which is usually "vespene" but this is NOT a secure configuration to let anyone else use, since that account has access to the database.

It should be another user like "vespene_build"


I cannot get a build to work
#2

For those that would like to review the changes to the code and docs:


#3

Had a good suggestion that we could also have the install script drop a file in /etc/sudoers.d/

Does anyone have any concerns about that? Could obviously make it an option in 0_common.sh


#4

I think I would want that to be optional, but otherwise no objection to adding a sudoers file.


Setup questions?