Is not giving sudo privileges to the VMs of the apps I manage unreasonable?
Posted by BigBootyBear@reddit | ExperiencedDevs | 20 comments
I am modernizing a legacy scheduling app at work. Here is my infra:
- The app itself. It's an OSS implementation for a scheduling platform that's 5 years out of date. That includes
  - Moving to containerization
  - Syncing with the OSS LTS tree
  - Re-working company workflow from just adding stuff to the project (breaking with main) to making every feature request a PR on the project (which I develop, push and talk with the contributors.)
  - Database migration
  - Writing out unit tests, E2E and other automations (of which there were none).
- A static self hosted docs site (app had no docs). Including writing the docs, setting up a UI for other people to contribute etc.
- A MELT stack
- A database
I'm a 1 man shop for everything. I write the PHP for the PRs on the project (it's a PHP app), the Python code for sanity testing and automating the container and image building (which is quite complex), the TypeScript for a Playwright E2E, as well as dozens of DevOps stuff including (but not limited to) bash, docker, podman, nginx, certs and so on.
I was given SSH access to 2 VMs (for the app and the second for the MELT stack) but I don't have sudo. I have to send an email to the linux team whenever I want vim installed, or to reload nginx. Can't read journalctl as well.
They say it's for security purposes. I get why maybe you wouldn't give privileges to a frontend dev in a 10 person team. But... I'm doing everything here. Is this common practice? How "scary" exactly is giving me sudo or at least some sudo privileges (at the very least add me to /etc, /var/logs and let me run journalctl)?
Ambitious-Garbage-73@reddit
Blanket sudo feels like the wrong fight. Narrow sudoers for exact commands plus a documented break-glass path is usually easier to defend than 'trust me with root'.
single_plum_floating@reddit
Man can push changes without supervision, edit the CI/CD and I would bet money has the ability to send arbitrary code straight to prod by himself.
But has to make the case for being allowed to run 'this' specific arbitrary code.
Ah, I sure do love cope based security.
single_plum_floating@reddit
Whoever is telling you it's for SeCuRiTy purposes is an idiot. You basically already have super-admin controls. In fact I would bet you have permission to create permissions and so does your CI/CD.
If you want to be funny then push an admin control plane to the app and use that. /s
CodelinesNL@reddit
Talk to your manager. Set up a meeting with the admin people and your manager to discuss a good middle ground that takes into account that you're doing everything yourself.
In the meantime polish up your resume and try to work for a company where you're not running a one-man show because you're going to stagnate hard here.
BigBootyBear@reddit (OP)
This is unfortunately not a big organization and there's already a shortage of developers. There's only like 5 developers in the entire firm (we are an IT dept within a big non-IT uni). I won't get any additional help and trying to involve any of the other devs in it will likely derail the project.
A question though - why is being a one man show going to stagnate me? I know this isn't optimal (specialization of labor being the pillar of efficiency and all) but I learn plenty of stuff along the way and wouldn't it be impressive for future employers that I can competently do plenty of things and pick up new tech fast?
CodelinesNL@reddit
No one to learn from, to spar with. The company is doing stuff "the wrong way" already and you're going to pick up mostly bad habits there.
Bluntly; no. Your short description is showing all the signs that this is a tiny company in the category of "wordpress project companies".
I'm not saying you should quit, I'm saying you should keep somewhat actively looking for better opportunities. So keep that resume up to date and your LinkedIn profile active.
BigBootyBear@reddit (OP)
I'm trying my best to follow best practices by reading books on Linux, asking people on forums about best practices etc. Though, like you've said, it is limited.
Regarding your second point: this is a self-perpetuating problem. I'm self taught (no college) so the only return calls I get are from non IT employers (wordpress shops, small IT departments in a non IT company). Therefore that's the only experience that's available for me.
You say to keep my resume up to date. But whatever there is to update that resume with is whatever I am currently doing at these supposedly "bad companies". My only option is to overachieve (for example my current advocacy for using testing and CI/CD where there's none). If my initiative will not be appreciated then there's no option of moving into better firms.
CodelinesNL@reddit
I'm just giving advice. Do whatever you want :)
BigBootyBear@reddit (OP)
I wasn't making any personal attack or anything. Everything you've said is correct. It's just that I'm struggling to find an actionable insight. Think about it for a sec - if you cannot leverage experience in less desirable firms into being noticed by more desirable firms, how can people ever get ahead?
CodelinesNL@reddit
Step by step. You're employed so you're in no hurry. Try to apply to jobs that move you forward and if you get rejected, try to fix the gaps in your knowledge yourself. That might involve some initiatives on your end to learn new skills.
throwaway_0x90@reddit
So similar to other comments, I think you should just go find a better job and work with people you can learn from and pick up best practices and newer tools/infra.
But in the meanwhile, I used to work in a place like this that wouldn't give me sudo. Not saying you should do this, but I managed to trick them into giving me sudo to a binary that I knew I could force to give me an interactive shell. ;)
Again, don't do this because getting caught could result in bad times. I personally didn't care back then.
codescapes@reddit
Honestly? The breadth of the work you're doing here sounds too much for a single dev and despite your best efforts will likely end up messy / unreliable / manual. It's so easy to get into bad habits as a one-man-band or go down weird architectural rabbit holes.
I saw in your other comment you have ~5 developers. You're doing PHP, Python, TypeScript, Playwright, containerization, DB migrations - now you need root access... This sounds excessive, especially if there isn't a deep tech presence.
And in fact, why has your employer not just found some SaaS solution for whatever your problem is here? I don't say that to be judgemental or doubt your efforts, I imagine you are being spread very thin and doing whatever stuff is necessary day-to-day, but this sounds like a crazy set of responsibilities. I am not expert in your domain either but surely this is a 'solved problem' and not one requiring bespoke dev work.
Because genuinely that is usually the best option for something like a university. If I were in charge of a uni tech department I'd want as little 'custom code' as possible, I'd want it to be a last resort. Splitting off your own OSS forks just gets you into a world of pain.
BigBootyBear@reddit (OP)
I'm with you on this. The problem is that our org moves at a snail's pace. The #1 bottleneck is not technology but red tape. As you move up the chain you find very little technical literacy or even a willingness to entertain technical discussions.
I would scrap the entire thing and re-implement it with a SaaS but getting it approved across all the faculties that use it would require more political capital than releasing the full Epstein files and putting everyone in jail.
codescapes@reddit
Got you. Being honest I think the biggest challenges you face are not the technical ones like sudo permissions or whatever, it's friction in the org. In a smaller setup like yours the relationships are way more important than the processes. Which is kinda painful from the engineering perspective but it's true.
Not to be shallow or glib but genuinely the best thing you could probably do to unstick your problem is become buddies with the people in Linux team. They might just literally not understand what you're doing or why, or find your requests kinda annoying when they have other stuff going on.
Try to oil that relationship as much as possible, even if they can't do exactly what you want there may be some kind of developer sandbox approach that can get you most of what you need. Try to run them through the project, why you're doing it etc because if you say "hey, there are security holes because of this old version I'm trying to upgrade" then suddenly you have a shared interest in security which they obviously value. Build all the rapport you can.
Deranged40@reddit
I only give very specific sudo permission via sudoers file.
Like, the user that my CI/CD pipeline uses can use
sudo systemctl restart my.app.service, passwordless, and only that command. They'll need a password for start or stop, etc.
AnnoyedVelociraptor@reddit
How does that work when the socket you're talking to is owned and only write-able by uid 0?
How do you prevent running the process as root to access this socket?
BigBootyBear@reddit (OP)
This is also what I want to know. Supposedly the admin runs a podman container once and I just reload the configuration using podman exec.
DarioNoharis@reddit
This is the way.
Joined a company where infra didn’t want to do any of the finer grained access management and wanted to maintain the status quo as much as possible.
Had to have several chats with leadership to provide me with blanket sudo on sandboxes and finer grained ones on others. Most impactful change ever in that company for setting up a higher pace/building trust. Before, infra just didn’t trust platform engineers enough.
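Added example, not part of the original thread or any commenter's code: a small Python linter for the kind of narrow sudoers entries discussed in the comments above, run over a constructed drop-in. The account names `ci` and `appdev` and the file path are assumptions, `my.app.service` is the unit named in the thread, and the `SHELL_CAPABLE` list is illustrative rather than exhaustive.

```python
# Constructed sudoers drop-in. Account names and path are assumptions;
# my.app.service is the unit named in the thread.
SAMPLE = """\
# /etc/sudoers.d/app-dev (constructed sample)
ci      ALL=(root) NOPASSWD: /usr/bin/systemctl restart my.app.service
appdev  ALL=(root) /usr/bin/systemctl reload nginx
appdev  ALL=(root) NOPASSWD: /usr/bin/vim /etc/nginx/*
appdev  ALL=(root) /usr/bin/journalctl
appdev  ALL=(ALL) ALL
"""

# Illustrative, not exhaustive: programs that can start a shell or a pager.
SHELL_CAPABLE = {"sh", "bash", "vi", "vim", "less", "more", "python3", "perl", "journalctl"}
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def lint_command(cmd):
    """Return findings for one command from a sudoers rule."""
    words = cmd.split()
    if words == ["ALL"]:
        return ["blanket-root"]
    out = []
    if not words[0].startswith("/"):
        out.append("not-absolute-path")
    if words[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
        out.append("shell-capable")
    if len(words) == 1:
        out.append("any-arguments")  # sudoers: no args listed means any args allowed
    if any("*" in w or "?" in w for w in words[1:]):
        out.append("wildcard-arguments")
    return out

def lint(text):
    """Map line number -> findings for 'user host=(runas) [NOPASSWD:] cmds' rules."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line or line.startswith(SKIP):
            continue
        spec = line.split(None, 1)[1].split("=", 1)[1].strip()
        if spec.startswith("("):                 # drop the (runas) part
            spec = spec.split(")", 1)[1].strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):].strip()
        findings = [f for c in spec.split(",") if c.strip() for f in lint_command(c)]
        if findings:
            report[n] = findings + (["nopasswd"] if nopasswd else [])
    return report

if __name__ == "__main__":
    for lineno, findings in lint(SAMPLE).items():
        print(lineno, ", ".join(findings))
```

Check a real drop-in with `visudo -cf <file>` before installing it. For log reading, membership in the `systemd-journal` group grants journal access without any sudo rule.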
Tacos314@reddit
Do you get paid hourly? On contract? If so just follow the process they have provided and document and charge every time.
BigBootyBear@reddit (OP)
Get paid hourly as an employee (not a freelancer).