Code · Tracked since May 18, 2026

Replace agor sudo wildcard rules with one audited user-admin wrapper

This change replaces five wildcard `NOPASSWD` sudoers entries (e.g., `useradd *`, `chpasswd`, `find *`) with a single `agor-user-admin` command path and routes user/group/symlink privileged operations through that wrapper with strict validators, reducing privileged-command exposure from broad shell-like sudo access to a constrained entry point.

Tags: sudoers, agor-user-admin, AGOR_USER_ADMIN, wrapper validators

What Happened

  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Introduced a centralized privilege boundary by forcing all sensitive daemon operations (user/group lifecycle, symlink maintenance, password sync) through `agor-user-admin`, replacing wildcard sudo permissions with explicit verbs and in-wrapper checks for names, path allowlists, forbidden system accounts, option parsing (`--`), and password input constraints, with success events logged for auditability.
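The in-wrapper checks listed above (name shape, forbidden system accounts, path allowlist, `--` handling, password constraints, success logging), sketched in Python as an added example. This is not agor's own code; the verb set, allowlist prefixes and account deny-list are constructed assumptions standing in for whatever the real `agor-user-admin` uses.

```python
import logging
import re

# Constructed stand-ins: agor's real verbs, allowlist and account list are assumed.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
FORBIDDEN = frozenset({"root", "daemon", "bin", "sys", "nobody"})
PATH_ALLOWLIST = ("/home/", "/var/lib/agor/")
ARITY = {"useradd": 1, "userdel": 1, "chpasswd": 2, "symlink": 2}
log = logging.getLogger("agor-user-admin")

def check_name(name: str) -> str:
    if not NAME_RE.fullmatch(name) or name in FORBIDDEN:
        raise ValueError(f"account name rejected: {name!r}")
    return name

def check_path(path: str) -> str:
    # Absolute, no NUL, no traversal segment, and under an allowlisted prefix.
    if "\0" in path or not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"malformed path: {path!r}")
    if not path.startswith(PATH_ALLOWLIST):
        raise ValueError(f"path outside allowlist: {path}")
    return path

def check_password(pw: str) -> str:
    # chpasswd reads `user:password` lines; a newline or colon could smuggle a record.
    if not pw or len(pw) > 256 or "\n" in pw or ":" in pw:
        raise ValueError("password violates input constraints")
    return pw

def parse_request(argv: list[str]) -> tuple[str, list[str]]:
    # `--` ends option parsing; flag-like positionals never reach the root tool.
    if not argv or argv[0] not in ARITY:
        raise ValueError("unknown verb")
    verb, rest = argv[0], argv[1:]
    if rest[:1] == ["--"]:
        rest = rest[1:]
    if len(rest) != ARITY[verb] or any(a.startswith("-") for a in rest):
        raise ValueError(f"{verb}: bad argument count or option-like argument")
    return verb, rest

def authorize(argv: list[str]) -> tuple[str, list[str]]:
    # Run the verb's validators, log the accepted request, return the vetted argv.
    verb, args = parse_request(argv)
    if verb == "symlink":
        args = [check_path(a) for a in args]
    elif verb == "chpasswd":
        args = [check_name(args[0]), check_password(args[1])]
    else:
        args = [check_name(args[0])]
    log.info("accepted %s for %s", verb, args[0])  # the password is never logged
    return verb, args
```

Only the vetted `(verb, args)` pair would be handed to the underlying root tool, so a sudoers rule naming just the wrapper replaces the former wildcard entries.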

Why Track This

Why It Matters

Operators and security teams can reduce the risk of privilege abuse from the agor daemon because user and password-management actions now go through a single audited root entry point instead of several unrestricted wildcard sudo commands that were vulnerable to flag, path and password smuggling. This change closes concrete attack surfaces around `useradd *`, `chpasswd`, and `find *`-style misuse while preserving normal functionality, and it should be tracked for any future privileged operation that might still call root tools directly or drift out of the wrapper's allowlist.

What To Watch Next

  • Watch whether sudoers becomes a repeated pattern.
  • Track follow-up changes around AI Coding Agents.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: new_privileged_command_paths_outside_wrapper, wrapper_validator_edge_case_regressions.
Risk flags: new_privileged_command_paths_outside_wrapper, wrapper_validator_edge_case_regressions, audit_logging_pipeline_misconfiguration, node_to_wrapper_command_option_drift

Supporting Evidence