square/sudo_pair square/sudo_pair

  • Stars
    star
    1,230
  • Rank 36,597 (Top 0.8 %)
  • Language
    Rust
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated 8 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
square/sudo_pair
github

square

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Plugin for sudo that requires another human to approve and monitor privileged sudo sessions

sudo_pair

Build Status Latest Version License

sudo_pair is a plugin for sudo that requires another human to approve and monitor privileged sudo sessions.

a demonstrated sudo_pair session

About

sudo is used by engineers daily to run commands as privileged users. But on some sensitive systems, you really want to ensure that no individual can act entirely autonomously. At Square, this includes applications that manage our internal access-control systems, store accounting ledgers, or even move around real money. This plugin allows us to ensure that no user can act entirely on their own authority within these systems.

This plugin and its components are still in prerelease, as we want to get feedback from the open-source community before officially releasing 1.0.

Installation

WARNING: Misconfiguring sudo can lock you out of your machine. Test this in a throwaway environment.

For now, sudo_pair must be compiled from source. It is a standard Rust project, and the following should suffice to build it on any recent version of Rust:

git clone https://github.com/square/sudo_pair.git
cd sudo_pair
cargo build --release

Once built, the plugin itself will need to be installed in a place where sudo can find it. Generally this is under /usr/libexec/sudo (on macOS hosts it's /usr/local/libexec/sudo). An appropriate approval script must be installed into the PATH. A directory must be created for sudo_pair to manage the sockets it uses for communication between plugin and client. And finally, sudo must be configured to load and use the plugin.

# WARNING: these files may not be set up in a way that is suitable
# for your system. Proceed only on a throwaway host.

# install the plugin shared library
install -o root -g root -m 0644 ./target/release/libsudopair.dylib /usr/libexec/sudo

# create a socket directory
install -o root -g root -m 0644 -d /var/run/sudo_pair

# install the approval script; as currently configured, it denies access
# to users approving their own sudo session and may lock you out
install -o root -g root -m 0755 ./sample/bin/sudo_approve /usr/bin/sudo_approve

# your `/etc/sudo.conf` may already have entries necessary for sudo to
# function correctly; if this is the case, the two files will need to be
# merged
install -o root -g root -m 0644 ./sample/etc/sudo.conf /etc/sudo.conf

# if these prompts don't work for you, they're configurable via a simple
# templating language explained later in the README
install -o root -g root -m 0644 ./sample/etc/sudo.prompt.user /etc/sudo.prompt.user
install -o root -g root -m 0644 ./sample/etc/sudo.prompt.pair /etc/sudo.prompt.pair

This only places the plugin files into their expected locations. The plugin will not be enabled yet until you follow the configuration steps below.

Configuration

/etc/sudoers

By default, /etc/sudoers will not tell logging plugins to log output for any commands. You will need to enable this by either telling sudo to enable logging for all commands (and opt out any commands you wish to bypass pairing for) or by opting individual commands into logging.

Example (default to log, opt out of individual commands):

Defaults log_output

%wheel ALL = (ALL) NOLOG_OUTPUT: /bin/cat, /bin/ls

Example (opt into individual commands)

%wheel ALL = (ALL) LOG_OUTPUT: /usr/bin/visudo

/etc/sudo.conf

The plugin can be provided several options to modify its behavior. These options are provided to the plugin by adding them to the end of the Plugin line in /etc/sudo.conf.

Example:

Plugin sudo_pair sudo_pair.so socket_dir=/var/tmp/sudo_pair gids_exempted=42,109

The full list of options are as follows:

  • binary_path (default: /usr/bin/sudo_approve)

    This is the location of the approval binary. The approval command itself needs to run under the privileges of the destination user or group, and this is done so using sudo, so it must be exempted from requiring its own pair approval.

  • user_prompt_path (default: /etc/sudo_pair.prompt.user)

    This is the location of the prompt template to display to the user invoking sudo; if no template is found at this location, an extremely minimal default will be printed. See the Prompts section for more details.

  • pair_prompt_path (default: /etc/sudo_pair.prompt.pair)

    This is the location of the prompt template to display to the user being asked to approve the sudo session; if no template is found at this location, an extremely minimal default will be printed. See the Prompts section for more details.

  • socket_dir (default: /var/run/sudo_pair)

    This is the path where this plugin will store sockets for sessions that are pending approval. This directory must be owned by root and only writable by root, or the plugin will abort.

  • gids_enforced (default: 0)

    This is a comma-separated list of gids that sudo_pair will gate access to. If a user is sudoing to a user that is a member of one of these groups, they will be required to have a pair approve their session.

  • gids_exempted (default: none)

    This is a comma-separated list of gids whose users will be exempted from the requirements of sudo_pair. Note that this is not the opposite of the gids_enforced flag. Whereas gids_enforced gates access to groups, gids_exempted exempts users sudoing from groups. For instance, this setting can be used to ensure that oncall sysadmins can respond to outages without needing to find a pair.

    Note that root is always exempt.

Prompts

This plugin allows you to configure the prompts that are displayed to both users being asked to find a pair and users being asked to approve another user's sudo session. If prompts aren't configured (or can't be found on the filesystem), extremely minimal ones are provided as a default.

The contents of the prompt files are raw bytes that should be printed to the user's terminal. This allows fun things like terminal processing of ANSI escape codes for coloration, resizing terminals, and setting window titles, all of which are (ab)used in the sample prompts provided.

These prompts also implement a simple %-escaped templating language. Any known directive preceded by a % character is replaced by an expansion, and anything else is treated as a literal (e.g., %% is a literal %, and %a is a literal a).

Available expansions:

  • %b: the name of the appoval _b_inary
  • %B: the full path to the approval _B_inary
  • %C: the full _C_ommand sudo was invoked as (recreated as best-effort)
  • %d: the cw_d_ of the command being run under sudo
  • %h: the _h_ostname of the machine sudo is being executed on
  • %H: the _H_eight of the invoking user's terminal, in rows
  • %g: the real _g_id of the user invoking sudo
  • %p: the _p_id of this sudo process
  • %u: the real _u_id of the user invoking sudo
  • %U: the _U_sername of the user running sudo
  • %W: the _W_idth of the invoking user's terminal, in columns

Approval Scripts

The provided approval script is just a small (but complete) example. As much functionality as possible has been moved into the plugin, with one (important, temporary) exception: currently, the script must verify that the user approving a sudo session is not the user who is requesting the session.

Other than that, the only thing required of the "protocol" is to:

  • connect to a socket (as either the user or group being sudoed to)
  • wire up the socket's input and output to the user's STDIN and STDOUT
  • send a y to approve, or anything else to decline
  • close the socket to terminate the session

As it turns out, you can pretty much just do this with socat:

socat STDIO /path/to/socket

The script included with this project isn't much more than this. It performs a few extra niceties (implicitly sudos if necessary, turns off terminal echo, disables Ctrl-C, and kills the session on Ctrl-D), but not much more. Ctrl-C was disabled so a user who's forgotten that this terminal is being used to monitor another user's session doesn't instinctively kill it with Ctrl-C.

Limitations

Sessions under sudo_pair can't be piped to.

Allowing piped data to standard input, as far as I can tell, likely results in a complete bypass of the security model here. Commands can often accept input on stdin, and there's no reasonable way to show this information to the pair.

Security Model

This plugin allows users to sudo -u ${user} to become a user or sudo -g ${group} to gain an additional group.

When a user does this, a socket is created that is owned and only writable by ${user} (or ${group}). In order to connect to that socket, the approver must be able to write to files as that ${user} (or ${group}). In other words, they need to be on the other side of the airtight hatchway. In practical terms, this means the approver needs to also be able to sudo to that user or group.

To facilitate this, the plugin exempts the approval script from the requirement to have a pair. And the sample approval script automatically detects the user or group you need to become and runs sudo -u ${user} (or sudo -g ${group}) implicitly.

As a concrete example, these are the sockets opened for sudo -u root, sudo -u nobody, and sudo -g sys:

drwxr-xr-x   3 root    wheel     96 May  8 09:17 .
s-w-------   1 root    wheel      0 May  8 09:16 1882.29664.sock    # sudo -u root
s-w-------   1 nobody  wheel      0 May  8 09:17 1882.29921.sock    # sudo -u nobody
s----w----   1 root    sys        0 May  8 09:18 1882.29994.sock    # sudo -g sys

The only people who can approve a sudo session to a user or group must also be able to sudo as that user or group.

Due to limitations of the POSIX filesystem permission model, a user may sudo to a new user (and gain its groups) or sudo to a new group (preserving their current user), but not both simultaneously.

Project Layout

This project is composed of three Rust crates:

Dependencies

Given the security-sensitive nature of this project, it is an explicit goal to have a minimal set of dependencies. Currently, those are:

Contributions

Contributions are welcome! This project should hopefully be small (~500loc for the plugin itself, ~1kloc for the wrappers around writing plugins) and well-documented enough for others to participate without difficulty.

Pick a TODO and get started!

Bugs

Please report non-security issues on the GitHub tracker. Security issues are covered by Square's bug bounty program.

License

sudo_pair is distributed under the terms of the Apache License (Version 2.0).

See LICENSE-APACHE for details.

More Repositories

1

okhttp

Square’s meticulous HTTP client for the JVM, Android, and GraalVM.
Kotlin
45,250
star
2

retrofit

A type-safe HTTP client for Android and the JVM
HTML
42,581
star
3

leakcanary

A memory leak detection library for Android.
Kotlin
29,130
star
4

picasso

A powerful image downloading and caching library for Android
Kotlin
18,656
star
5

javapoet

A Java API for generating .java source files.
Java
10,691
star
6

moshi

A modern JSON library for Kotlin and Java.
Kotlin
9,502
star
7

okio

A modern I/O library for Android, Java, and Kotlin Multiplatform.
Kotlin
8,667
star
8

dagger

A fast dependency injector for Android and Java.
Java
7,317
star
9

crossfilter

Fast n-dimensional filtering and grouping of records.
JavaScript
6,222
star
10

PonyDebugger

Remote network and data debugging for your native iOS app using Chrome Developer Tools
Objective-C
5,867
star
11

maximum-awesome

Config files for vim and tmux.
Ruby
5,706
star
12

otto

An enhanced Guava-based event bus with emphasis on Android support.
Java
5,174
star
13

cubism

Cubism.js: A JavaScript library for time series visualization.
JavaScript
4,930
star
14

sqlbrite

A lightweight wrapper around SQLiteOpenHelper which introduces reactive stream semantics to SQL operations.
Java
4,574
star
15

android-times-square

Standalone Android widget for picking a single date from a calendar view.
Java
4,437
star
16

wire

gRPC and protocol buffers for Android, Kotlin, Swift and Java.
Kotlin
4,174
star
17

Valet

Valet lets you securely store data in the iOS, tvOS, or macOS Keychain without knowing a thing about how the Keychain works. It’s easy. We promise.
Swift
3,957
star
18

cube

Cube: A system for time series visualization.
JavaScript
3,912
star
19

kotlinpoet

A Kotlin API for generating .kt source files.
Kotlin
3,805
star
20

java-code-styles

IntelliJ IDEA code style settings for Square's Java and Android projects.
Shell
2,957
star
21

flow

Name UI states, navigate between them, remember where you've been.
Java
2,789
star
22

spoon

Distributing instrumentation tests to all your Androids.
HTML
2,700
star
23

keywhiz

A system for distributing and managing secrets
Java
2,614
star
24

tape

A lightning fast, transactional, file-based FIFO for Android and Java.
Java
2,459
star
25

certstrap

Tools to bootstrap CAs, certificate requests, and signed certificates.
Go
2,194
star
26

mortar

A simple library that makes it easy to pair thin views with dedicated controllers, isolated from most of the vagaries of the Activity life cycle.
Java
2,159
star
27

go-jose

An implementation of JOSE standards (JWE, JWS, JWT) in Go
1,981
star
28

Cleanse

Lightweight Swift Dependency Injection Framework
Swift
1,773
star
29

assertj-android

A set of AssertJ helpers geared toward testing Android.
Java
1,578
star
30

haha

DEPRECATED Java library to automate the analysis of Android heap dumps.
Java
1,436
star
31

phrase

Phrase is an Android string resource templating library
Java
1,403
star
32

cane

Code quality threshold checking as part of your build
Ruby
1,325
star
33

seismic

Android device shake detection.
Java
1,275
star
34

anvil

A Kotlin compiler plugin to make dependency injection with Dagger 2 easier.
Kotlin
1,265
star
35

spacecommander

Commit fully-formatted Objective-C as a team without even trying.
Objective-C
1,126
star
36

square.github.io

A simple, static portal which outlines our open source offerings.
CSS
1,108
star
37

workflow

A Swift and Kotlin library for making composable state machines, and UIs driven by those state machines.
Shell
1,107
star
38

workflow-kotlin

A Swift and Kotlin library for making composable state machines, and UIs driven by those state machines.
Kotlin
982
star
39

certigo

A utility to examine and validate certificates in a variety of formats
Go
917
star
40

logcat

I CAN HAZ LOGZ?
Kotlin
893
star
41

radiography

Text-ray goggles for your Android UI.
Kotlin
831
star
42

whorlwind

Makes fingerprint encryption a breeze.
Java
819
star
43

dagger-intellij-plugin

An IntelliJ IDEA plugin for Dagger which provides insight into how injections and providers are used.
Java
798
star
44

cycler

Kotlin
793
star
45

Paralayout

Paralayout is a set of simple, useful, and straightforward utilities that enable pixel-perfect layout in iOS. Your designers will love you.
Swift
771
star
46

apropos

A simple way to serve up appropriate images for every visitor.
Ruby
766
star
47

shift

shift is an application that helps you run schema migrations on MySQL databases
Ruby
735
star
48

coordinators

Simple MVWhatever for Android
Java
703
star
49

subzero

Block's Bitcoin Cold Storage solution.
C
667
star
50

Blueprint

Declarative UI construction for iOS, written in Swift
Swift
659
star
51

shuttle

String extraction, translation and export tools for the 21st century. "Moving strings around so you don't have to"
Ruby
657
star
52

gifencoder

A pure Java library implementing the GIF89a specification. Suitable for use on Android.
Java
654
star
53

pollexor

Java client for the Thumbor image service which allows you to build URIs in an expressive fashion using a fluent API.
Java
633
star
54

intro-to-d3

a D3.js tutorial
CSS
603
star
55

kochiku

Shard your builds for fun and profit
Ruby
602
star
56

curtains

Lift the curtain on Android Windows!
Kotlin
570
star
57

RxIdler

An IdlingResource for Espresso which wraps an RxJava Scheduler.
Java
512
star
58

svelte-store

TypeScript
494
star
59

field-kit

FieldKit lets you take control of your text fields.
JavaScript
463
star
60

burst

A unit testing library for varying test data.
Java
462
star
61

SuperDelegate

SuperDelegate provides a clean application delegate interface and protects you from bugs in the application lifecycle
Swift
454
star
62

otto-intellij-plugin

An IntelliJ IDEA plugin to navigate between events posted by Otto.
Java
453
star
63

js-jose

JavaScript library to encrypt/decrypt data in JSON Web Encryption (JWE) format and to sign/verify data in JSON Web Signature (JWS) format. Leverages Browser's native WebCrypto API.
JavaScript
424
star
64

sharkey

Sharkey is a service for managing certificates for use by OpenSSH
Go
390
star
65

connect-api-examples

Code samples demonstrating the functionality of the Square Connect API
JavaScript
381
star
66

fdoc

Documentation format and verification
Ruby
379
star
67

ETL

Extract, Transform, and Load data with Ruby
Ruby
377
star
68

lgtm

Simple object validation for JavaScript.
JavaScript
366
star
69

laravel-hyrule

Object-oriented, composable, fluent API for writing validations in Laravel
PHP
341
star
70

in-app-payments-flutter-plugin

Flutter Plugin for Square In-App Payments SDK
Objective-C
332
star
71

papa

PAPA: Performance of Android Production Applications
Kotlin
331
star
72

pysurvival

Open source package for Survival Analysis modeling
HTML
319
star
73

pylink

Python Library for device debugging/programming via J-Link
Python
317
star
74

workflow-swift

A Swift and Kotlin library for making composable state machines, and UIs driven by those state machines.
Swift
302
star
75

rails-auth

Modular resource-based authentication and authorization for Rails/Rack
Ruby
288
star
76

cocoapods-generate

A CocoaPods plugin that allows you to easily generate a workspace from a podspec.
Ruby
272
star
77

inspect

inspect is a collection of metrics gathering, analysis utilities for various subsystems of linux, mysql and postgres.
Go
267
star
78

Aardvark

Aardvark is a library that makes it dead simple to create actionable bug reports.
Objective-C
257
star
79

jetpack

jet.pack: package your JRuby rack app for Jetty.
Ruby
249
star
80

gradle-dependencies-sorter

A CLI app and Gradle plugin to sort the dependencies in your Gradle build scripts
Kotlin
242
star
81

luhnybin

Shell
232
star
82

auto-value-redacted

An extension for Google's AutoValue that omits redacted fields from toString().
Java
211
star
83

protoparser

Java parser for .proto schema declarations.
Java
209
star
84

squalor

Go SQL utility library
Go
203
star
85

p2

Platypus Platform: Tools for Scalable Deployment
Go
196
star
86

mimecraft

Utility for creating RFC-compliant multipart and form-encoded HTTP request bodies.
Java
195
star
87

Listable

Declarative list views for iOS apps.
Swift
189
star
88

git-fastclone

git clone --recursive on steroids
Ruby
185
star
89

zapp

Continuous Integration for KIF
Objective-C
179
star
90

metrics

Metrics Query Engine
Go
170
star
91

ruby-rrule

RRULE expansion for Ruby
Ruby
168
star
92

quotaservice

The purpose of a quota service is to prevent cascading failures in micro-service environments. The service acts as a traffic cop, slowing down traffic where necessary to prevent overloading services. For this to work, remote procedure calls (RPCs) between services consult the quota service before making a call. The service isn’t strictly for RPCs between services, and can even be used to apply quotas to database calls, for example.
Go
154
star
93

wire-gradle-plugin

A Gradle plugin for generating Java code for your protocol buffer definitions with Wire.
Groovy
153
star
94

goprotowrap

A package-at-a-time wrapper for protoc, for generating Go protobuf code.
Go
148
star
95

beancounter

Utility to audit the balance of Hierarchical Deterministic (HD) wallets. Supports multisig + segwit wallets.
Go
143
star
96

womeng_handbook

Everything you need to start or expand a women in engineering group in your community.
129
star
97

cocoapods-check

A CocoaPods plugin that shows differences between locked and installed Pods
Ruby
126
star
98

rce-agent

gRPC-based Remote Command Execution Agent
Go
125
star
99

spincycle

Automate and expose complex infrastructure tasks to teams and services.
Go
118
star
100

in-app-payments-react-native-plugin

Objective-C
116
star