9f551e3c13
Run t3-dispatch as an unprivileged dedicated user instead of wizard (who has full sudo). Privileged minting goes through /usr/local/bin/t3-mint, which validates the target against /etc/ttyd-user-map before minting as that user; sudoers permits t3-dispatch to run only that wrapper. Compromise of the network-facing service can mint pairing tokens for mapped users at most. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
6 lines
423 B
Text
6 lines
423 B
Text
# The t3-dispatch service (unprivileged user t3-dispatch) may run ONLY the
|
|
# t3-mint wrapper, as root. t3-mint validates the target user against
|
|
# /etc/ttyd-user-map and mints a one-time t3 pairing token as that user.
|
|
# A compromise of the network-facing dispatch service can therefore mint
|
|
# pairing tokens for already-mapped users at most — never arbitrary root.
|
|
t3-dispatch ALL=(root) NOPASSWD: /usr/local/bin/t3-mint
|