t3code: harden dispatch — dedicated user + validated t3-mint + scoped sudoers
Run t3-dispatch as an unprivileged dedicated user instead of wizard (who has full sudo). Privileged minting goes through /usr/local/bin/t3-mint, which validates the target against /etc/ttyd-user-map before minting as that user; sudoers permits t3-dispatch to run only that wrapper. Compromise of the network-facing service can mint pairing tokens for mapped users at most. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
0472f67d49
commit
9f551e3c13
4 changed files with 26 additions and 4 deletions
13
scripts/t3-mint
Normal file
13
scripts/t3-mint
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
#!/usr/bin/env bash
|
||||
# Mint a one-time t3 pairing token for a mapped OS user.
|
||||
# Runs as root via the scoped sudoers entry for the t3-dispatch service user.
|
||||
# Validates the requested user is an actual t3 OS user (a value on the RHS of
|
||||
# /etc/ttyd-user-map) before minting as that user. Prints the t3 CLI JSON.
|
||||
set -euo pipefail
|
||||
os_user="${1:-}"
|
||||
[[ "$os_user" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid user" >&2; exit 2; }
|
||||
# Must be a mapped t3 OS user (RHS of a non-comment "authentik=os" line).
|
||||
awk -F= '!/^[[:space:]]*#/ && NF==2 { gsub(/[[:space:]]/, "", $2); print $2 }' /etc/ttyd-user-map \
|
||||
| grep -qxF "$os_user" || { echo "user not mapped" >&2; exit 3; }
|
||||
exec runuser -u "$os_user" -- /usr/bin/t3 auth pairing create \
|
||||
--base-dir "/home/${os_user}/.t3" --ttl 5m --json
|
||||
Loading…
Add table
Add a link
Reference in a new issue