I don’t understand your justification.
MineOS’ webui performs functionality as a Linux user, simply put. What functionality is the webui introducing that you consider a flaw–that can’t already be performed by that user already?
root should be passwordless already; if you’re concerned about security, root should never have a password in the first place.
My installations never have root passwords, so my webui deployments never have root access to the webui.
Huh? Under what circumstances would you have to NOPASSWD on sudo? I’m certainly not recommending that.
It’s unclear from the information you’ve provided thus far. Are web or minecraft system accounts? Are they user accounts?
If web is a system account, there’s no password. There’s no login, mission accomplished.
If minecraft is a user account, there potentially is a password, and already that user can log into ssh and do everything that he’d do in the webui anyway.
I’m saying the way you would block somebody from logging into the webui is removing their password, or making the code change.
Because, as an example, web user. Let’s say it does have a password. So how do you prevent a user from logging into the node via ssh web@somehost? I think in most circumstances, you’ll see /etc/shadow get a ! – which is a password which is not-accepted, and won’t allow login.
So the answer to stopping somebody from using ssh is removing the password.
Perhaps you might counter: but you can lock with passwd -l web and still use RSA keys. Yes, and comprehensively including additional login methods like RSA keys is a non-trivial code change, a lot of newly-included libraries, and certainly greater than three lines to implement safely and securely. Alternatively, I can not implement RSA keys and let the user copy-paste three lines to disallow a certain user to log in. There’s a reason why basically zero other Linux services use RSA keys.
In short, it may not be your preference to allow web to log in simply because it doesn’t make sense in the context of MineOS, but that user already can log in and run Java and servers (mineos completely aside). The webui simply isn’t stopping what the user can already do via ssh.
If that security model doesn’t gel well with you, that’s what the docker instance is for.
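The /etc/shadow states discussed in this post, as an added example that is not part of the original post or of MineOS: a small audit that classifies each account's password field. The function names, state labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify the second field of an /etc/shadow entry.
#   empty     - blank field: no password is required at all
#   unusable  - "!", "!!", "*" or "!*": no hash can ever match
#   locked    - "!" in front of a real hash, as written by passwd -l
#   hash      - a crypt(3) hash: password login is possible
classify_shadow_field() {
    case "$1" in
        "")                echo "empty" ;;
        '!'|'!!'|'*'|'!*') echo "unusable" ;;
        '!'*)              echo "locked" ;;
        '$'*)              echo "hash" ;;
        *)                 echo "other" ;;   # legacy or unrecognised value
    esac
}

# Read shadow-format lines on stdin, print "user state" per account.
# A locked or unusable field only stops password authentication;
# other login methods (such as SSH keys) are not affected by it.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_shadow_field "$field")"
    done
}

# Constructed sample entries (not taken from any real system).
sample_shadow() {
    cat <<'EOF'
root:!:19000:0:99999:7:::
web:*:19000:0:99999:7:::
minecraft:$6$constructedsalt$constructedhash:19000:0:99999:7:::
builder:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real host the same audit runs as `audit_shadow < /etc/shadow` with root privileges; any account reported as `empty` accepts a login with no password.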