sudo_pair

sudo_pair is a plugin for sudo that requires another human to approve and monitor privileged sudo sessions.

sudo is used by engineers daily to run commands as privileged users. But on some sensitive systems, you really want to ensure that no individual can act entirely autonomously. At Square, this includes applications that manage our internal access-control systems, store accounting ledgers, or even move around real money. This plugin allows us to ensure that no user can act entirely on their own authority within these systems.

Prompts

This plugin allows you to configure the prompts that are displayed to both users being asked to find a pair and users being asked to approve another user’s sudo session. If prompts aren’t configured (or can’t be found on the filesystem), extremely minimal ones are provided as a default.

The contents of the prompt files are raw bytes that should be printed to the user’s terminal. This allows fun things like terminal processing of ANSI escape codes for coloration, resizing terminals, and setting window titles, all of which are (ab)used in the sample prompts provided.

These prompts also implement a simple %-escaped templating language. Any known directive preceded by a % character is replaced by an expansion, and anything else is treated as a literal (e.g., %% is a literal %, and %a is a literal a).

Available expansions:

• %b: the name of the appoval _b_inary
• %B: the full path to the approval _B_inary
• %C: the full _C_ommand sudo was invoked as (recreated as best-effort)
• %d: the cw_d_ of the command being run under sudo
• %h: the _h_ostname of the machine sudo is being executed on
• %H: the _H_eight of the invoking user’s terminal, in rows
• %g: the real _g_id of the user invoking sudo
• %p: the _p_id of this sudo process
• %u: the real _u_id of the user invoking sudo
• %U: the _U_sername of the user running sudo
• %W: the _W_idth of the invoking user’s terminal, in columns

Download && Use

Copyright (C) 2016 square