Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invert the --omitsudo flag #449

Open
1 task
adhilto opened this issue Oct 2, 2024 · 0 comments · May be fixed by #499
Open
1 task

Invert the --omitsudo flag #449

adhilto opened this issue Oct 2, 2024 · 0 comments · May be fixed by #499
Assignees
@rlxdev
Labels
enhancement
Milestone
Driftwood

Comments

@adhilto
Copy link
Collaborator

adhilto commented Oct 2, 2024
edited
Loading

💡 Summary

Either:

  • Completely remove the built-in functionality to run the OPA executable with sudo
  • Change the --omitsudo flag into a --runwithsudo flag so that it defaults to running it without sudo

Motivation and context

Currently, ScubaGoggles by default runs the OPA executable as sudo on Linux and Mac. Previous tests indicated that running it as sudo was necessary, but latest tests indicate that it can be run without sudo. Running it with sudo by default introduces security risks that we should avoid if possible.

Implementation notes

If we do keep the built-in functionality to run OPA with sudo, we might consider adding a last-second hash check to minimize the security risk.

Acceptance criteria

  • OPA is no longer run with sudo by default
@snarve snarve added this to the Driftwood milestone Oct 15, 2024
@rlxdev rlxdev self-assigned this Oct 16, 2024
@adhilto adhilto linked a pull request Nov 14, 2024 that will close this issue
Open
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rlxdev rlxdev

Labels
enhancement
Projects
None yet
Milestone
Driftwood
Development

Successfully merging a pull request may close this issue.

Policy API Integration cisagov/ScubaGoggles
3 participants
@rlxdev @adhilto @snarve