Consolidate sudoers configuration (4 separate sudoers commits in 7d window) #5

Open
opened 2026-05-23 20:55:35 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-09T05:00:02Z - https://github.com/coilysiren/sirens-discord-ops/issues/7

The sudoers config was edited four times in the last week: each commit added one missing nopasswd permission for systemctl operations. This pattern suggests the underlying spec needs one consolidated definition rather than incremental whack-a-mole.

Cited commits:

  • 5040713 - sudoers: nopasswd start and stop in addition to restart and status
  • b5d51bf - sudoers: split into one rule per line, cover both /bin and /usr/bin paths
  • a51603a - sudoers: explicit --no-pager variant for status
  • 4261de5 - sudoers: also nopasswd 'systemctl status' for diagnostic access

Why this might matter: sudoers is security-sensitive surface. Iterative additions risk leaving stale broader rules behind. One audit pass ("what does the bot actually need to systemctl?") and a single clean grant block would close the loop. Worth doing now while context is fresh, before the next nopasswd request.

Keywords: sudoers systemctl nopasswd permissions deploy
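One way to run the audit pass the issue asks for, as an added example that is not code from this repository: it compares each NOPASSWD systemctl grant against an explicit list of needed invocations and flags grants that are broader than that list or no longer on it. The user `discordbot`, the unit `bot.service`, the sample rules and the needed list are all constructed placeholders, and the parser assumes one user spec per line with no aliases.

```python
import re
import shlex

# Constructed sample, not the repository's real sudoers file.
# "discordbot" and "bot.service" are placeholder names.
SAMPLE_SUDOERS = """\
discordbot ALL=(root) NOPASSWD: /usr/bin/systemctl restart bot.service
discordbot ALL=(root) NOPASSWD: /bin/systemctl restart bot.service
discordbot ALL=(root) NOPASSWD: /usr/bin/systemctl status bot.service
discordbot ALL=(root) NOPASSWD: /usr/bin/systemctl status --no-pager bot.service
discordbot ALL=(root) NOPASSWD: /usr/bin/systemctl start bot.service, /usr/bin/systemctl stop bot.service
discordbot ALL=(root) NOPASSWD: /usr/bin/systemctl restart *
discordbot ALL=(root) NOPASSWD: /bin/systemctl
discordbot ALL=(root) NOPASSWD: /usr/bin/systemctl enable bot.service
"""

# Assumed answer to "what does the bot actually need to systemctl?"
NEEDED = {
    ("restart", "bot.service"), ("start", "bot.service"), ("stop", "bot.service"),
    ("status", "bot.service"), ("status", "--no-pager", "bot.service"),
}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")

def audit(sudoers_text, user, needed):
    """Return (findings, missing): over-broad or stale systemctl grants for
    `user`, and needed invocations that no rule grants exactly."""
    findings, granted = [], set()
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m or m.group(1) != user:
            continue
        for cmd in m.group(2).split(","):
            parts = shlex.split(cmd)
            if not parts or not parts[0].endswith("/systemctl"):
                continue
            args = tuple(parts[1:])
            if not args:
                # sudoers: a command listed with no arguments permits ANY arguments
                findings.append((lineno, "broad", cmd.strip()))
            elif any(ch in a for a in args for ch in "*?["):
                findings.append((lineno, "wildcard", cmd.strip()))
            elif args not in needed:
                findings.append((lineno, "stale", cmd.strip()))
            else:
                granted.add(args)
    return findings, sorted(needed - granted)
```

Once the findings list is empty and nothing is missing, the remaining exact rules are the single grant block; check the edited file with `visudo -c` before deploying it.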

coilysiren added P2 and removed P1 labels 2026-05-31 07:00:03 +00:00
Reference: coilyco-bridge/sirens-discord-ops#5