Granting sudo permissions to DevOps Agent user

Hi,

We're running an agent pool hosted in an Azure VMSS.

Are there any serious security concerns with granting sudo rights for the user used to run the pipelines? Of course granting as few rights as possible is the best practice, but in this case this would make life easier in certain instances. The only thing I've found in MS documentation is that you should not specify the user as the primary administrator. Other than that, I couldn't find anything advising against granting the user sudo privileges.

4 Replies

@mstogis-dvt 

I thought I might rather focus on the risk of sudo:

For example, if an attacker gains access to a user account with sudo privileges, they could potentially follow up by running malicious commands with elevated privileges. In other words, sudo is useful but can be a security risk.

@Kidd_Ip 

That was my concern as well. I wanted to ask the community what the general consensus is: is it more of an "everyone does it, it's fine" or a "you should only do this if it's absolutely necessary" situation?

Even I have a concern about this, i.e., I have configured my scale set agent to have permission for other files and applications using `facl`, but when it comes to installing tools at runtime via the pipeline, it needs sudo privileges, which in this case the AzureDevOps user doesn't have, and it fails to install via apt-get. Here I'm trying to install mysql-shell using:

```
sudo apt-get update
sudo apt-get install mysql-shell
```

Any solution for this is really appreciated.

I ran into a similar problem with needing to install a different CLI tool. I ended up just updating my image to have that tool installed and now I'm wondering if we should just grant the DevOps user sudo privileges to avoid this kind of situation in the future.
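
A check for the concern discussed in this thread, as an added example that is not part of any post: it reads sudoers-format text and reports whether the agent user (AzureDevOps, the name used above) holds a blanket grant or only named commands. The function name and the sample rules are constructed for illustration, and aliases, %group rules, includes and line continuations are not expanded.

```shell
#!/bin/sh
# Added example: classify the sudoers rules that apply to a pipeline agent user.
# Feed it sudoers-format text, e.g. the drop-in baked into the VMSS image.

# Constructed sample rules (not taken from the thread).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
AzureDevOps ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get install mysql-shell
AzureDevOps ALL=(ALL) NOPASSWD: ALL'

# classify_sudo_grants USER   (sudoers text on stdin)
# Prints "<VERDICT>: <rule>" for each rule whose user field is USER or ALL.
#   UNRESTRICTED = the command list contains ALL (any command as root)
#   SCOPED       = only named commands; each one still runs as root and
#                  needs its own review
# Returns 1 if any UNRESTRICTED rule was found, so it can gate an image build.
classify_sudo_grants() {
  awk -v user="$1" '
    $1 == user || $1 == "ALL" {
      spec = $0
      sub(/^[^=]*=/, "", spec)        # drop "user host ="
      gsub(/\([^)]*\)/, "", spec)     # drop runas spec such as (ALL:ALL)
      gsub(/[A-Z_]+:/, "", spec)      # drop tags such as NOPASSWD:
      verdict = "SCOPED"
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
        if (cmds[i] == "ALL") { verdict = "UNRESTRICTED"; bad = 1 }
      }
      print verdict ": " $0
    }
    END { exit bad + 0 }
  '
}

# Demo run on the constructed sample; "|| true" because the sample
# deliberately contains a blanket grant.
printf '%s\n' "$SAMPLE_SUDOERS" | classify_sudo_grants AzureDevOps || true
```

On a real agent image, pipe the relevant file under `/etc/sudoers.d` into the function instead of the sample.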