[GH-ISSUE #383] Question: Is NoNewPrivileges=yes intended for SSH sessions? #7572

Closed
opened 2026-06-22 00:10:28 -05:00 by GiteaMirror · 7 comments
Owner

Originally created by @kiber-io on GitHub (Jun 14, 2026).
Original GitHub issue: https://github.com/fosrl/newt/issues/383

Question

In the documentation for running Newt as a systemd service, the example unit file includes:

NoNewPrivileges=true

When using SSH access through Newt, this appears to prevent the use of sudo from a regular user account. Any attempt to run sudo results in:

sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

Is this intentional?

If I remove NoNewPrivileges=true from the systemd unit, are there any significant security implications specific to Newt that I should be aware of?

Or is this setting simply a hardening recommendation that can be safely disabled when SSH access with normal sudo functionality is required?

Environment

  • OS Type & Version: Ubuntu 24.04.4 LTS
  • Pangolin Version: 1.19.2
  • Edition (Community or Enterprise): Enterprise (self-hosted)
  • Gerbil Version: 1.4.2
  • Traefik Version: 3.7.5
  • Newt Version: 1.13.0
Originally created by @kiber-io on GitHub (Jun 14, 2026). Original GitHub issue: https://github.com/fosrl/newt/issues/383 ### Question In the [documentation](https://docs.pangolin.net/manage/sites/install-site#systemd-service) for running Newt as a systemd service, the example unit file includes: ```ini NoNewPrivileges=true ``` When using SSH access through Newt, this appears to prevent the use of `sudo` from a regular user account. Any attempt to run `sudo` results in: ```text sudo: The "no new privileges" flag is set, which prevents sudo from running as root. sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag. ``` Is this intentional? If I remove `NoNewPrivileges=true` from the systemd unit, are there any significant security implications specific to Newt that I should be aware of? Or is this setting simply a hardening recommendation that can be safely disabled when SSH access with normal `sudo` functionality is required? ### Environment - OS Type & Version: Ubuntu 24.04.4 LTS - Pangolin Version: 1.19.2 - Edition (Community or Enterprise): Enterprise (self-hosted) - Gerbil Version: 1.4.2 - Traefik Version: 3.7.5 - Newt Version: 1.13.0
Author
Owner

@AstralDestiny commented on GitHub (Jun 14, 2026):

This a session with ssh daemon or a ssh session via public or a ssh via just direct?

<!-- gh-comment-id:4702347316 --> @AstralDestiny commented on GitHub (Jun 14, 2026): This a session with ssh daemon or a ssh session via public or a ssh via just direct?
Author
Owner

@kiber-io commented on GitHub (Jun 14, 2026):

@AstralDestiny hi!
This is the Pangolin SSH + Manual Authentication mode. The connection goes through Pangolin SSH, but authentication is performed by the system SSH daemon

<!-- gh-comment-id:4702355998 --> @kiber-io commented on GitHub (Jun 14, 2026): @AstralDestiny hi! This is the [Pangolin SSH + Manual Authentication](https://docs.pangolin.net/manage/ssh#1-pangolin-ssh-+-manual-authentication) mode. The connection goes through Pangolin SSH, but authentication is performed by the system SSH daemon
Author
Owner

@AstralDestiny commented on GitHub (Jun 14, 2026):

Well if it's via manual it shouldn't prevent any commands as it just hands off the connection.. Though trying locally for it and just seems like everything today wants to give me issues heh.

<!-- gh-comment-id:4702421732 --> @AstralDestiny commented on GitHub (Jun 14, 2026): Well if it's via manual it shouldn't prevent any commands as it just hands off the connection.. Though trying locally for it and just seems like everything today wants to give me issues heh.
Author
Owner

@AstralDestiny commented on GitHub (Jun 14, 2026):

Image Image

This config or you running the pangolin SSH config? @kiber-io

<!-- gh-comment-id:4702476145 --> @AstralDestiny commented on GitHub (Jun 14, 2026): <img width="892" height="368" alt="Image" src="https://github.com/user-attachments/assets/0482f82c-5878-4b93-9085-860425645acd" /> <img width="896" height="387" alt="Image" src="https://github.com/user-attachments/assets/d7ffa904-652e-4104-b0d2-3cceb24c8a70" /> This config or you running the pangolin SSH config? @kiber-io
Author
Owner

@kiber-io commented on GitHub (Jun 14, 2026):

no, I said that I use Pangolin SSH mode. and yes, it just handles the connection, but the process that handles the connection (newt itself) stared with NoNewPrivileges=true, which prevents all child processes from using sudo

<!-- gh-comment-id:4702487575 --> @kiber-io commented on GitHub (Jun 14, 2026): no, I said that I use Pangolin SSH mode. and yes, it just handles the connection, but the process that handles the connection (newt itself) stared with NoNewPrivileges=true, which prevents all child processes from using sudo
Author
Owner

@AstralDestiny commented on GitHub (Jun 14, 2026):

Mmm will ask.

<!-- gh-comment-id:4702504176 --> @AstralDestiny commented on GitHub (Jun 14, 2026): Mmm will ask.
Author
Owner

@oschwartz10612 commented on GitHub (Jun 14, 2026):

Ahh yes I think we should remove that from the documentation and the ui. It was from before newt needed privileges to allow sshing. Thanks for pointing it out!

<!-- gh-comment-id:4703210441 --> @oschwartz10612 commented on GitHub (Jun 14, 2026): Ahh yes I think we should remove that from the documentation and the ui. It was from before newt needed privileges to allow sshing. Thanks for pointing it out!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/newt#7572