I don’t understand your justification.
MineOS’ webui performs functionality as a Linux user, simply put. What functionality is the webui introducing that you consider a flaw–that can’t already be performed by that user already?
root should be passwordless already; if you’re concerned about security, root should never have a password in the first place.
My installations never have root passwords, so my webui deployments never have root access to the webui.
Huh? Under what circumstances would you have to NOPASSWD on sudo? I’m certainly not recommending that.
It’s unclear from the information you’ve provided thus far. Is minecraft system accounts? Are they user accounts?
web is a system account, there’s no password. There’s no login, mission accomplished.
minecraft is a user account, there potentially is a password, and already that user can log into ssh and do everything that he’d do in the webui anyway.
I’m saying the way you would block somebody from logging into the webui is removing their password, or making the code change.
Because, as an example, web user. Let’s say it does have a password. So how do you prevent a user from logging into the node via ssh web@somehost? I think in most circumstances, you’ll see /etc/shadow get a ! – which is a password which is not-accepted, and won’t allow login.
So the answer to stopping somebody from using ssh is removing the password.
Perhaps you might counter: but you can lock with passwd -l web and still use RSA keys. Yes, and comprehensively including additional login methods like RSA keys is a non-trivial code change, a lot of newly-included libraries, and certainly greater than three lines to implement safely and securely. Alternatively, I can not implement RSA keys and let the user copy-paste three lines to disallow a certain user to login. There’s a reason why basically zero other Linux services use RSA keys.
In short, it may not be your preference to allow web to log in simply because it doesn’t make sense in the context of MineOS, but that user already can login and run Java and servers (mineos completely aside). The webui simply isn’t stopping what the user can already do via
If that security model doesn’t gel well with you, that’s what the docker instance is for.
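An added example, not part of the original post and not MineOS code: a small Python audit that reads entries in /etc/shadow format and reports which accounts can still authenticate with a password, the condition the post ties to both ssh password login and webui login. The sample entries, placeholder hashes and function names are constructed for illustration.

```python
# Constructed sample in /etc/shadow format: name:password:lastchg:min:max:warn:::
# The hash strings are placeholders, not real crypt(3) output.
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
web:*:19000:0:99999:7:::
minecraft:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
olduser:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def classify(field):
    """Classify the password field (second column) of a shadow entry."""
    if field == "":
        # No password required, where PAM/sshd are configured to allow that.
        return "empty"
    if field[0] in "!*":
        # A hash behind the "!" means the account was locked (passwd -l);
        # a bare "!", "!!" or "*" means no password was ever usable.
        return "locked" if field.lstrip("!*") else "disabled"
    return "password"


def audit(shadow_text):
    """Return {account: state} for every well-formed entry."""
    states = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0] or line.startswith("#"):
            continue  # skip blank, comment or malformed lines
        states[parts[0]] = classify(parts[1])
    return states


def password_login_accounts(shadow_text):
    """Accounts for which password authentication can still succeed."""
    return [name for name, state in audit(shadow_text).items()
            if state in ("password", "empty")]


if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW).items():
        print(f"{name:10} {state}")
    print("password login possible:", password_login_accounts(SAMPLE_SHADOW))
```

Accounts reported as locked or disabled cannot pass a password check, but as the post notes, a locked account can still log in over ssh with keys.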