From d11723ee6390e09083cee944ae940c9afac18fe6 Mon Sep 17 00:00:00 2001 From: Achmad Date: Wed, 24 Jun 2026 05:16:52 +0000 Subject: [PATCH] DEPLOY.md: drop NOPASSWD advice, document interactive sudo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Company VM — no sudoers changes. Replace the 'set up sudoers NOPASSWD' step with a brief note that every sudo call will prompt for the password and the user types it. The 15-minute sudo timestamp means the user only types it once per shell session, but they will see the prompt several times across the deploy as they run multiple sudo commands. Update the step-1 diagnostic outcomes to point at the new no-policy-change reality: NOPASSWD or different passwords both still work, the user just types the right one at each sudo prompt. --- DEPLOY.md | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/DEPLOY.md b/DEPLOY.md index b74e73b..e81a0fd 100644 --- a/DEPLOY.md +++ b/DEPLOY.md 
@@ -32,29 +32,17 @@ sudo -n true 2>/dev/null && echo "NOPASSWD sudo" || echo "needs password" sudo echo hi ``` -- Works without a password prompt → NOPASSWD, skip step 2. -- Prompts and accepts the password you type → SSH password == sudo password, skip step 2. -- Prompts and rejects your password → passwords differ. Note your actual sudo password for step 2. +- Works without a password prompt → NOPASSWD sudo, you don't need to remember a sudo password. +- Prompts and accepts the password you type → SSH password == sudo password. You'll type the same password at every `sudo:` prompt. +- Prompts and rejects your password → the passwords differ. Remember the sudo one; you'll need it at every `sudo:` prompt. Type `exit` to leave 92. Repeat for 186 (`ssh administrator@172.18.139.186`). -## 2. Set up sudo on each VM (only if step 1 said passwords differ) +## 2. Sudo on the company VMs -On 92: +The VMs are company-owned and you don't change sudo policy. Every `sudo` call will prompt you for the password — you type it. The sudo timestamp (default 15 min) means you only type it once per shell session, but you'll see the prompt several times across the deploy as you run multiple `sudo` commands. That's expected. -```bash -ssh administrator@172.18.136.92 -``` - -(You'll be prompted for the SSH password. Once in, `sudo tee` will prompt for the sudo password — that's the one you just confirmed.) - -```bash -echo 'administrator ALL=(ALL) NOPASSWD: /bin/systemctl, /usr/bin/install, /usr/bin/journalctl' | sudo tee /etc/sudoers.d/sdp-deploy -sudo chmod 440 /etc/sudoers.d/sdp-deploy -exit -``` - -Repeat for 186 (substitute the 186 IP). After this, `administrator` can run `systemctl`, `install`, and `journalctl` with `sudo` without typing a password. Nothing else is opened up. +If your SSH password and sudo password are different, type the sudo one at the `sudo:` prompt — the SSH password you used to log in doesn't apply. ## 3. Kill old SDP processes on each VM (skip on a fresh VM)
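Review bot: The rewritten section 2 removes the instructions that created `/etc/sudoers.d/sdp-deploy` but gives no step for VMs where the old section 2 was already followed, so those machines keep the NOPASSWD rule that this change says should not exist on company VMs. Step 1's `sudo -n true` check will not reveal it, because the removed rule only covered `/bin/systemctl`, `/usr/bin/install` and `/usr/bin/journalctl`, not `true`. Suggest adding a line to section 2 that tells readers to check for that file (for example by reading the output of `sudo -l`) and to have it removed or reported to whoever owns the VM's sudo policy. This is worth doing because passwordless `install` as root can write any file, so the removed sentence "Nothing else is opened up" did not hold. Separately, in the new paragraph "you only type it once per shell session" contradicts "you'll see the prompt several times across the deploy". The timestamp is a timeout counted from the last `sudo` command, its length is whatever `timestamp_timeout` is set to on the VM and may not be 15 minutes, so the text should say the prompt reappears whenever more than that interval passes between `sudo` commands.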