Business Case: /etc/sudoers.d/foreman-proxy prevents the need for re-authentication, based on the following lines: foreman-proxy ALL = (root) NOPASSWD : /usr/bin/puppet cert * foreman-proxy ALL = (root) NOPASSWD : /usr/bin/puppet kick * Customer (and their security audit software) considers this a security risk, since these lines cannot be commented out. They would like this to be changed so that NOPASSWD isn't used. Technical Requirements: - Additional information: -
How would the customer want to trigger the puppet under privileged account (root) if the capsule runs under non-privileged (user) account? I can't think of safer way atm. Running capsule under root (one could probably configure it this way already) seems like a less secure way. It would be a different story if they didn't use puppet cert and kick features, in such case they could comment this and be careful on upgrades since the installer would try to override the file.
Hello, customer that requested this feature enhancement decided that they do not require it anymore.