Security: Can I avoid passwordless sudo in webtop?

Hi,

The webtop#security says:

From the web interface a terminal can be launched and it is configured for passwordless sudo, so anyone with access to it can install and run whatever they want along with probing your local network.

I’m guessing this isn’t really specifically about webtop but more about the base image, Package baseimage-kasmvnc · GitHub.

Neither the webtop nor the base image describe how to avoid the passwordless sudo, but as shown below I can create a new image FROM the webtop image, set a password for the abc user and remove the NOPASSWD: from /etc/sudoers and that does the trick.

But I’m curious: Is there a reason for the passwordless sudo? If all I want the user to be able to do is run installed pacages, e.g. Firefox, isn’t this a security problem?

Especially if one includes the -v /var/run/docker.sock:/var/run/docker.sock mount this basically gives the person in on the desktop root access to the host. Which is bad.

Is there some reason other than ease-of-use that passwordless sudo was chosen, that makes adding a sudo password pointless? There are quite a number of configuration options, and I’m surprised this isn’t one of them, so I thought I’d ask why it was done like this.

Edit: Working hack

To change the abc user’s password and remove NOPASSWD: from /etc/sudoers, create Dockerfile:

FROM lscr.io/linuxserver/webtop:ubuntu-xfce
# The password hash was generated by openssl passwd -6
# https://stackoverflow.com/a/79363082/345716
RUN usermod -p '$6$zXmvBnKSap6VmVmD$JvqGgjVhC9B7WMbNVt3rESpNm4FTwzEJU0evgiVJsEw6qicAjhQKLIhj5rm/0fZxACr2f.Hdx5eGfPQUYw8231' abc
RUN sed -i 's/NOPASSWD: //' /etc/sudoers

and modify docker-compose.yaml like this:

--- docker-compose.yaml.orig	2025-01-16 21:56:26.525063114 +0100
+++ docker-compose.yaml	2025-01-16 21:56:31.746093147 +0100
@@ -1,7 +1,7 @@
 services:
   webtop:
-    image: lscr.io/linuxserver/webtop:ubuntu-xfce
+    image: pmorch/webtop
+    build: ./
     container_name: webtop
     security_opt:
       - seccomp:unconfined #optional

So as you can see I know how to re-add the password to sudo, but I’m curious why this isn’t a configuration option.

P.S.: I couldn’t find any webtop, baseimage or security tags, so I went with the rdesktop tag, but if there are more fitting tabs, please let me know (or feel free to re-tag).

Yes, these containers are made with the specific target audience of people with Home servers and tinkerers. If you are looking for something with security and shared environments in mind I would take a look at Kasm GitHub - linuxserver/docker-kasm: Kasm Workspaces platform provides enterprise-class orchestration, data loss prevention, and web streaming technology to enable the delivery of containerized workloads to your browser.. They have a library of images as well that run as a user and are given basically no perms but to run the app.

Thank you for the reply. docker-kasm is a completely different beast. First of all docker-kasm is available under KASM WORKSPACES END USER LICENSE AGREEMENT (basically requires a license), is https:// only and has a concept of sessions and installed apps, which makes it quite different than webtop.

So back to webtop.

Yes, these containers are made with the specific target audience of people with Home servers and tinkerers.

That fits me.

I’m enough of a tinkerer that I don’t want to have something around with passwordless sudo. Is anybody aware of any problems with setting the user’s password and removing the NOPASSWD: from /etc/sudoers as I propose above?