mirror of
https://github.com/fosrl/newt.git
synced 2026-07-16 03:46:25 -05:00
[GH-ISSUE #383] Question: Is NoNewPrivileges=yes intended for SSH sessions? #7572
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @kiber-io on GitHub (Jun 14, 2026).
Original GitHub issue: https://github.com/fosrl/newt/issues/383
Question
In the documentation for running Newt as a systemd service, the example unit file includes:
When using SSH access through Newt, this appears to prevent the use of
sudofrom a regular user account. Any attempt to runsudoresults in:Is this intentional?
If I remove
NoNewPrivileges=truefrom the systemd unit, are there any significant security implications specific to Newt that I should be aware of?Or is this setting simply a hardening recommendation that can be safely disabled when SSH access with normal
sudofunctionality is required?Environment
@AstralDestiny commented on GitHub (Jun 14, 2026):
This a session with ssh daemon or a ssh session via public or a ssh via just direct?
@kiber-io commented on GitHub (Jun 14, 2026):
@AstralDestiny hi!
This is the Pangolin SSH + Manual Authentication mode. The connection goes through Pangolin SSH, but authentication is performed by the system SSH daemon
@AstralDestiny commented on GitHub (Jun 14, 2026):
Well if it's via manual it shouldn't prevent any commands as it just hands off the connection.. Though trying locally for it and just seems like everything today wants to give me issues heh.
@AstralDestiny commented on GitHub (Jun 14, 2026):
This config or you running the pangolin SSH config? @kiber-io
@kiber-io commented on GitHub (Jun 14, 2026):
no, I said that I use Pangolin SSH mode. and yes, it just handles the connection, but the process that handles the connection (newt itself) stared with NoNewPrivileges=true, which prevents all child processes from using sudo
@AstralDestiny commented on GitHub (Jun 14, 2026):
Mmm will ask.
@oschwartz10612 commented on GitHub (Jun 14, 2026):
Ahh yes I think we should remove that from the documentation and the ui. It was from before newt needed privileges to allow sshing. Thanks for pointing it out!