Forum Discussion

mstogis-dvt
Copper Contributor
Jan 25, 2024

Granting sudo permissions to DevOps Agent user

Hi,


We're running an agent pool hosted in an Azure VMSS.

Are there any serious security concerns with granting sudo rights for the user used to run the pipelines? Of course granting as few rights as possible is the best practice, but in this case this would make life easier in certain instances. The only thing I've found in MS documentation is that you should not specify the user as the primary administrator. Other than that, I couldn't find anything advising against granting the user sudo privileges.

  • mstogis-dvt 


    I thought I might focus on the risk of sudo instead:


    For example, if an attacker gains access to a user account with sudo privileges, they could follow up by running malicious commands with elevated privileges. In other words, sudo is useful but can be a security risk.

      mstogis-dvt
      Copper Contributor

      Kidd_Ip 

      That was my concern as well. I wanted to ask the community what the general consensus is: is it more of an "everyone does it, it's fine" or a "you should only do this if it's absolutely necessary" situation?

  •
    Dhanushbl
    Copper Contributor
    I have a concern about this too: I have configured my scale set agent to have permission for other files and applications using `facl`, but when it comes to installing tools at runtime via the pipeline it needs sudo privileges, which in this case the AzureDevOps user doesn't have, so the install via apt-get fails. Here I'm trying to install mysql-shell using:

    ```shell
    sudo apt-get update
    sudo apt-get install mysql-shell
    ```

    Any solution for this is really appreciated.
    •
      mstogis-dvt
      Copper Contributor
      I ran into a similar problem when I needed to install a different CLI tool. I ended up just updating my image to have that tool installed, and now I'm wondering if we should just grant the DevOps user sudo privileges to avoid this kind of situation in the future.
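The middle ground between "no sudo" (Dhanushbl's failing apt-get step) and "full sudo" (the blanket grant the thread is weighing) is a sudoers drop-in scoped to the one task the pipeline needs. This is an added example, not configuration from the thread or from Microsoft's agent extension; the local user name `AzDevOps` and the log path are assumptions, so check the account the agent actually runs as on your image.

```sudoers
# Added example: /etc/sudoers.d/azdevops-agent on the VMSS image.
# Assumes the pipeline agent runs as the local user "AzDevOps" (assumption;
# confirm with `ps -o user= -C Agent.Listener` on a node).
# Validate before installing: `visudo -c -f ./azdevops-agent`, then copy
# into /etc/sudoers.d/ with mode 0440 and confirm with `sudo -l -U AzDevOps`.

# The "make life easier" grant being discussed. A malicious or compromised
# pipeline step running under this account owns the whole node, which is the
# risk raised above. Kept here, commented out, only for contrast.
#AzDevOps ALL=(ALL) NOPASSWD: ALL

# Scoped alternative for the runtime-install case: package management only.
# Cmnd_Alias entries need absolute paths; "\" continues the line.
Cmnd_Alias PKG_MGMT = /usr/bin/apt-get update, \
                      /usr/bin/apt-get install *

# The agent runs without a terminal; a password prompt or requiretty would
# hang the job rather than fail it cleanly.
Defaults:AzDevOps !requiretty

# Keep an audit trail of which job used sudo and for what (path is an assumption).
Defaults:AzDevOps logfile=/var/log/sudo-azdevops.log

AzDevOps ALL=(root) NOPASSWD: PKG_MGMT
```

The trailing `*` lets any apt-get flags through, and apt-get has options that run helper commands, so this rule limits accidental misuse and shrinks what a reviewer must reason about rather than containing a deliberately malicious job; baking the tool into the image, as mstogis-dvt did, remains the stronger option.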
