6d224861 came from a --no-checkout worktree whose empty index made the
commit drop every file except two. This restores 05b50d2b's full tree and
correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su
entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the
live infra was never applied from the broken commit.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
6 lines
423 B
Text
# The t3-dispatch service (unprivileged user t3-dispatch) may run ONLY the
# t3-mint wrapper, as root. t3-mint validates the target user against
# /etc/ttyd-user-map and mints a one-time t3 pairing token as that user.
# A compromise of the network-facing dispatch service can therefore mint
# pairing tokens for already-mapped users at most — never arbitrary root.
t3-dispatch ALL=(root) NOPASSWD: /usr/local/bin/t3-mint
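A review check for a rule of this shape, added here as an example and not part of this repository: it flags broad command specs in a sudoers fragment and checks that the wrapper file cannot be replaced by a non-root account. The function names, the simplified grammar and the two broad sample rules are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample: the rule from this page plus two hypothetical broad rules.
SAMPLE = """\
# t3-dispatch may run only the t3-mint wrapper
t3-dispatch ALL=(root) NOPASSWD: /usr/local/bin/t3-mint
t3-dispatch ALL=(root) NOPASSWD: /usr/local/bin/t3-*
t3-dispatch ALL=(ALL) NOPASSWD: ALL
"""

# Simplified grammar: user host=(runas) [TAG:] cmd[, cmd...]; no aliases or continuations.
RULE = re.compile(r"^(\S+)\s+\S+=\(([^)]*)\)\s*(?:(?:NOPASSWD|PASSWD):\s*)?(.+)$")

def audit_rule(line):
    """Return findings for one rule; an empty list means nothing to review."""
    m = RULE.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    for spec in (c.strip() for c in m.group(3).split(",")):
        path, _, args = spec.partition(" ")
        if path == "ALL":
            findings.append("ALL commands")
        elif not path.startswith("/"):
            findings.append("not an absolute path")
        elif not args:
            # sudoers matches any arguments when none are listed ('""' means none),
            # so the wrapper's own input validation is the only argument check.
            findings.append("any arguments accepted")
        if re.search(r"[*?\[]", spec):
            findings.append("wildcard")
    return findings

def audit(text, user):
    """Map each rule line for `user` to its findings, skipping comments and blanks."""
    rules = [l for l in text.splitlines() if l.split()[:1] == [user]]
    return {l: audit_rule(l) for l in rules}

def replaceable_by_non_owner(path, owner_uid=0):
    """True if the file or its directory is not owned by owner_uid or is group/other-writable."""
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        if st.st_uid != owner_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False
```

For the rule on this page the only finding is "any arguments accepted", which is why the argument validation inside t3-mint carries the security boundary. A fuller audit would also check every ancestor directory up to /.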