This works if you trust every program you run with silent root privileges. Sure, don’t run untrusted code in general, but I think it’s generally good practice to lock down root privileges as much as possible. Layered security and all that.
Not silent, the passwordless sudo calls are logged and available for review. I do trust that after several months in a sandbox without calling sudo, it’s unlikely that a sleeper agent will awaken and call sudo out of the blue - more likely that my apps that have been calling sudo will do something nefarious on the 1000th access…
Somebody (possibly an AI agent…) could/should automate the process of transcribing the sudo logs to the NOPASSWD setup, just leave sudo unlocked for those things that show up as needing it during validation test runs and turn the sudo lock back on for everything else.
This is the way. Physical security FTW.
This works if you trust every program you run with silent root privileges. Sure, don’t run untrusted code in general, but I think it’s generally good practice to lock down root privileges as much as possible. Layered security and all that.
Not silent, the passwordless sudo calls are logged and available for review. I do trust that after several months in a sandbox without calling sudo, it’s unlikely that a sleeper agent will awaken and call sudo out of the blue - more likely that my apps that have been calling sudo will do something nefarious on the 1000th access…
Somebody (possibly an AI agent…) could/should automate the process of transcribing the sudo logs to the NOPASSWD setup, just leave sudo unlocked for those things that show up as needing it during validation test runs and turn the sudo lock back on for everything else.