
I have a Debian-based system (most likely an Ubuntu 18.04 LTS) with a user, say user, that executes an application (as a daemon). The system is not exposed to the Internet with a public IP address.

This application needs to reboot, stop processes (using killall) and execute network commands using nmcli. It does this by calling bash, which executes the commands as root. Since the application cannot insert the password when calling the commands above, I configured user to be able to launch the reboot, killall and nmcli commands with sudo without the need to type the password.

Though, I feel like this is a bad practice and I would like to use some more secure and robust system.

Can someone please provide some advice & insight?

EM90
  • Doing that obeys the principle of least security: a sudo policy with only the specific privileges that are needed. That is very good already and much better than for example running your application as root. NOPASSWD is not ideal but otherwise your application needs to be configured with access to a plain text version of the password, which isn’t much better. – Bob Apr 12 '21 at 13:31

1 Answer


I have a Debian-based system ... with a user ... that executes an application (as a service).

Windows "Services" = Linux "daemons".

This application needs to reboot, stop processes (using killall) and execute network commands using nmcli.

Why does it need to do any of this?
This sounds like an "X-Y Question" to me, i.e. you're asking how to get a program to "fix" your machine (by killing processes, hacking the network or even rebooting the machine) when, I suspect, you really need to get to the bottom of just why you're having to do any of these things in the first place.

If your machine is being swamped by processes (you don't say which ones you're interested in) then investigate how to throttle whatever is spawning them. Having your machine "randomly" rebooting on you is not a long-term strategy.

Phill W.
  • Thanks for the "daemon" correction. I use `killall` to kill all processes related to a specific application (e.g., `openvpn`, it depends on the circumstances); I need to reboot when specific events happen. My daemon receives user input (like: "start the VPN" or "configure this network interface this way"). Hope this sheds some light on the mystery... – EM90 Apr 13 '21 at 12:49
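
The setup discussed in this thread (passwordless sudo for `reboot`, `killall` and `nmcli`, driven by user input to the daemon) can be narrowed by allowing sudo to run only one root-owned helper that validates each request before running it. The sketch below is an added example, not code from the question or from either poster; the helper name `appctl`, its action names, the binary paths and the `openvpn` allowlist are assumptions for illustration.

```bash
#!/bin/bash
# Added example: root-owned helper (hypothetical path /usr/local/sbin/appctl)
# that the daemon calls via sudo instead of reboot/killall/nmcli directly.
# Matching sudoers drop-in (assumed file /etc/sudoers.d/appctl):
#   user ALL=(root) NOPASSWD: /usr/local/sbin/appctl
LC_ALL=C; export LC_ALL   # make the character ranges below ASCII-only

# Print the exact command for a request, or return 1 if it is not allowed.
build_command() {
    action=$1
    [ "$#" -gt 0 ] && shift
    case "$action" in
        reboot)
            [ "$#" -eq 0 ] || return 1
            echo "/sbin/reboot" ;;
        kill)
            # Only process names on the allowlist (constructed list).
            [ "$#" -eq 1 ] || return 1
            case "$1" in
                openvpn) echo "/usr/bin/killall $1" ;;
                *) return 1 ;;
            esac ;;
        conn-up|conn-down)
            # Connection name: letters, digits, '_' and '-' only, so it can
            # never be parsed as an option or carry shell metacharacters.
            [ "$#" -eq 1 ] || return 1
            case "$1" in
                ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
            esac
            echo "/usr/bin/nmcli connection ${action#conn-} $1" ;;
        *) return 1 ;;
    esac
}

# When installed under the helper name, validate the request, then run it.
if [ "${0##*/}" = "appctl" ]; then
    cmd=$(build_command "$@") || { echo "appctl: request rejected" >&2; exit 64; }
    # Safe to word-split: every token passed the allowlist checks above.
    exec $cmd
fi
```

The helper has to be owned by root and not writable by `user`, otherwise the sudoers entry grants whatever the file is edited to contain.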