sudo_pair: requires another human to approve and monitor privileged sudo sessions
sudo is used by engineers daily to run commands as privileged users. But on some sensitive systems, you really want to ensure that no individual can act entirely autonomously. At Square, this includes applications that manage our internal access-control systems, store accounting ledgers, or even move around real money. This plugin allows us to ensure that no user can act entirely on their own authority within these systems.
This plugin allows you to configure the prompts that are displayed to both users being asked to find a pair and users being asked to approve another user’s sudo session. If prompts aren’t configured (or can’t be found on the filesystem), extremely minimal ones are provided as a default.
The contents of the prompt files are raw bytes that should be printed to the user’s terminal. This allows fun things like terminal processing of ANSI escape codes for coloration, resizing terminals, and setting window titles, all of which are (ab)used in the sample prompts provided.
These prompts also implement a simple %-escaped templating language. Any known directive preceded by a % character is replaced by an expansion, and anything else is treated as a literal (e.g., %% is a literal % and %a is a literal a).
%b: the name of the approval _b_inary
%B: the full path to the approval _B_inary
%C: the full _C_ommand sudo was invoked as (recreated as best-effort)
%d: the cw_d_ of the command being run under sudo
%h: the _h_ostname of the machine sudo is being executed on
%H: the _H_eight of the invoking user’s terminal, in rows
%g: the real _g_id of the user invoking sudo
%p: the _p_id of this sudo process
%u: the real _u_id of the user invoking sudo
%U: the _U_sername of the user running sudo
%W: the _W_idth of the invoking user’s terminal, in columns
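The expansion rules above, sketched as an added example (not the plugin's own code). It works on raw bytes so ANSI sequences in the template pass through untouched. The function names, the sample values, the handling of a lone trailing %, and the stripping of control bytes from expanded values are all assumptions of this example.

```rust
use std::collections::HashMap;
use std::io::Write;

/// Expand a %-escaped prompt template (raw bytes) using a directive table.
/// Known directives are replaced; any other escaped byte is emitted literally,
/// so `%%` yields `%`. A lone trailing `%` is kept as-is (assumption).
fn expand(template: &[u8], vars: &HashMap<u8, Vec<u8>>) -> Vec<u8> {
    let mut out = Vec::with_capacity(template.len());
    let mut bytes = template.iter().copied();
    while let Some(b) = bytes.next() {
        if b != b'%' {
            out.push(b); // template bytes, including ANSI escapes, pass through
            continue;
        }
        match bytes.next() {
            Some(d) => match vars.get(&d) {
                Some(value) => out.extend(sanitize(value)),
                None => out.push(d), // unknown directive: literal
            },
            None => out.push(b'%'),
        }
    }
    out
}

/// Drop control bytes (ESC, BEL, CR, ...) from an expanded value so that a
/// command line or cwd cannot carry terminal escapes into the prompt.
/// This is this example's own choice, not documented plugin behaviour.
fn sanitize(value: &[u8]) -> impl Iterator<Item = u8> + '_ {
    value.iter().copied().filter(|b| *b >= 0x20 && *b != 0x7f)
}

/// Constructed sample values for a few of the directives listed above.
fn sample_vars() -> HashMap<u8, Vec<u8>> {
    let mut vars = HashMap::new();
    vars.insert(b'U', b"alice".to_vec());
    vars.insert(b'h', b"ledger01".to_vec());
    vars.insert(b'p', b"4242".to_vec());
    vars.insert(b'C', b"sudo systemctl \x1b[2Jrestart app".to_vec());
    vars
}

fn main() {
    let template = b"\x1b[1m%U@%h\x1b[0m (pid %p) wants to run: %C [100%% %a]\n";
    let out = expand(template, &sample_vars());
    std::io::stdout().write_all(&out).unwrap();
}
```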
Copyright (C) 2016