square / sudo_pair Goto Github PK

View Code? Open in Web Editor NEW

1.2K 27.0 51.0 1.53 MB

Plugin for sudo that requires another human to approve and monitor privileged sudo sessions

License: Apache License 2.0

Rust 94.57% C 3.93% Shell 0.58% Dockerfile 0.93%

pam sudo authentication security pairing compliance linux rust

sudo_pair's Introduction

sudo_pair

sudo_pair is a plugin for sudo that requires another human to approve and monitor privileged sudo sessions.

About

sudo is used by engineers daily to run commands as privileged users. But on some sensitive systems, you really want to ensure that no individual can act entirely autonomously. At Square, this includes applications that manage our internal access-control systems, store accounting ledgers, or even move around real money. This plugin allows us to ensure that no user can act entirely on their own authority within these systems.

This plugin and its components are still in prerelease, as we want to get feedback from the open-source community before officially releasing 1.0.

Installation

WARNING: Misconfiguring sudo can lock you out of your machine. Test this in a throwaway environment.

For now, sudo_pair must be compiled from source. It is a standard Rust project, and the following should suffice to build it on any recent version of Rust:

git clone https://github.com/square/sudo_pair.git
cd sudo_pair
cargo build --release

Once built, the plugin itself will need to be installed in a place where sudo can find it. Generally this is under /usr/libexec/sudo (on macOS hosts it's /usr/local/libexec/sudo). An appropriate approval script must be installed into the PATH. A directory must be created for sudo_pair to manage the sockets it uses for communication between plugin and client. And finally, sudo must be configured to load and use the plugin.

# WARNING: these files may not be set up in a way that is suitable
# for your system. Proceed only on a throwaway host.

# install the plugin shared library
install -o root -g root -m 0644 ./target/release/libsudopair.dylib /usr/libexec/sudo

# create a socket directory
install -o root -g root -m 0644 -d /var/run/sudo_pair

# install the approval script; as currently configured, it denies access
# to users approving their own sudo session and may lock you out
install -o root -g root -m 0755 ./sample/bin/sudo_approve /usr/bin/sudo_approve

# your `/etc/sudo.conf` may already have entries necessary for sudo to
# function correctly; if this is the case, the two files will need to be
# merged
install -o root -g root -m 0644 ./sample/etc/sudo.conf /etc/sudo.conf

# if these prompts don't work for you, they're configurable via a simple
# templating language explained later in the README
install -o root -g root -m 0644 ./sample/etc/sudo.prompt.user /etc/sudo.prompt.user
install -o root -g root -m 0644 ./sample/etc/sudo.prompt.pair /etc/sudo.prompt.pair

This only places the plugin files into their expected locations. The plugin will not be enabled yet until you follow the configuration steps below.

Configuration

`/etc/sudoers`

By default, /etc/sudoers will not tell logging plugins to log output for any commands. You will need to enable this by either telling sudo to enable logging for all commands (and opt out any commands you wish to bypass pairing for) or by opting individual commands into logging.

Example (default to log, opt out of individual commands):

Defaults log_output

%wheel ALL = (ALL) NOLOG_OUTPUT: /bin/cat, /bin/ls

Example (opt into individual commands)

%wheel ALL = (ALL) LOG_OUTPUT: /usr/bin/visudo

`/etc/sudo.conf`

The plugin can be provided several options to modify its behavior. These options are provided to the plugin by adding them to the end of the Plugin line in /etc/sudo.conf.

Example:

Plugin sudo_pair sudo_pair.so socket_dir=/var/tmp/sudo_pair gids_exempted=42,109

The full list of options are as follows:

binary_path (default: /usr/bin/sudo_approve)

This is the location of the approval binary. The approval command itself needs to run under the privileges of the destination user or group, and this is done so using sudo, so it must be exempted from requiring its own pair approval.
user_prompt_path (default: /etc/sudo_pair.prompt.user)

This is the location of the prompt template to display to the user invoking sudo; if no template is found at this location, an extremely minimal default will be printed. See the Prompts section for more details.
pair_prompt_path (default: /etc/sudo_pair.prompt.pair)

This is the location of the prompt template to display to the user being asked to approve the sudo session; if no template is found at this location, an extremely minimal default will be printed. See the Prompts section for more details.
socket_dir (default: /var/run/sudo_pair)

This is the path where this plugin will store sockets for sessions that are pending approval. This directory must be owned by root and only writable by root, or the plugin will abort.
gids_enforced (default: 0)

This is a comma-separated list of gids that sudo_pair will gate access to. If a user is sudoing to a user that is a member of one of these groups, they will be required to have a pair approve their session.
gids_exempted (default: none)

This is a comma-separated list of gids whose users will be exempted from the requirements of sudo_pair. Note that this is not the opposite of the gids_enforced flag. Whereas gids_enforced gates access to groups, gids_exempted exempts users sudoing from groups. For instance, this setting can be used to ensure that oncall sysadmins can respond to outages without needing to find a pair.

Note that root is always exempt.

Prompts

This plugin allows you to configure the prompts that are displayed to both users being asked to find a pair and users being asked to approve another user's sudo session. If prompts aren't configured (or can't be found on the filesystem), extremely minimal ones are provided as a default.

The contents of the prompt files are raw bytes that should be printed to the user's terminal. This allows fun things like terminal processing of ANSI escape codes for coloration, resizing terminals, and setting window titles, all of which are (ab)used in the sample prompts provided.

These prompts also implement a simple %-escaped templating language. Any known directive preceded by a % character is replaced by an expansion, and anything else is treated as a literal (e.g., %% is a literal %, and %a is a literal a).

Available expansions:

%b: the name of the appoval _b_inary
%B: the full path to the approval _B_inary
%C: the full _C_ommand sudo was invoked as (recreated as best-effort)
%d: the cw_d_ of the command being run under sudo
%h: the _h_ostname of the machine sudo is being executed on
%H: the _H_eight of the invoking user's terminal, in rows
%g: the real _g_id of the user invoking sudo
%p: the _p_id of this sudo process
%u: the real _u_id of the user invoking sudo
%U: the _U_sername of the user running sudo
%W: the _W_idth of the invoking user's terminal, in columns

Approval Scripts

The provided approval script is just a small (but complete) example. As much functionality as possible has been moved into the plugin, with one (important, temporary) exception: currently, the script must verify that the user approving a sudo session is not the user who is requesting the session.

Other than that, the only thing required of the "protocol" is to:

connect to a socket (as either the user or group being sudoed to)
wire up the socket's input and output to the user's STDIN and STDOUT
send a y to approve, or anything else to decline
close the socket to terminate the session

As it turns out, you can pretty much just do this with socat:

socat STDIO /path/to/socket

The script included with this project isn't much more than this. It performs a few extra niceties (implicitly sudos if necessary, turns off terminal echo, disables Ctrl-C, and kills the session on Ctrl-D), but not much more. Ctrl-C was disabled so a user who's forgotten that this terminal is being used to monitor another user's session doesn't instinctively kill it with Ctrl-C.

Limitations

Sessions under sudo_pair can't be piped to.

Allowing piped data to standard input, as far as I can tell, likely results in a complete bypass of the security model here. Commands can often accept input on stdin, and there's no reasonable way to show this information to the pair.

Security Model

This plugin allows users to sudo -u ${user} to become a user or sudo -g ${group} to gain an additional group.

When a user does this, a socket is created that is owned and only writable by ${user} (or ${group}). In order to connect to that socket, the approver must be able to write to files as that ${user} (or ${group}). In other words, they need to be on the other side of the airtight hatchway. In practical terms, this means the approver needs to also be able to sudo to that user or group.

To facilitate this, the plugin exempts the approval script from the requirement to have a pair. And the sample approval script automatically detects the user or group you need to become and runs sudo -u ${user} (or sudo -g ${group}) implicitly.

As a concrete example, these are the sockets opened for sudo -u root, sudo -u nobody, and sudo -g sys:

drwxr-xr-x   3 root    wheel     96 May  8 09:17 .
s-w-------   1 root    wheel      0 May  8 09:16 1882.29664.sock    # sudo -u root
s-w-------   1 nobody  wheel      0 May  8 09:17 1882.29921.sock    # sudo -u nobody
s----w----   1 root    sys        0 May  8 09:18 1882.29994.sock    # sudo -g sys

The only people who can approve a sudo session to a user or group must also be able to sudo as that user or group.

Due to limitations of the POSIX filesystem permission model, a user may sudo to a new user (and gain its groups) or sudo to a new group (preserving their current user), but not both simultaneously.

Project Layout

This project is composed of three Rust crates:

sudo_plugin-sys: raw Rust FFI bindings to the sudo_plugin(8) interface
sudo_plugin: a set of Rust structs and macros to simplify writing plugins
sudo_pair: the implementation of this plugin

Dependencies

Given the security-sensitive nature of this project, it is an explicit goal to have a minimal set of dependencies. Currently, those are:

Contributions

Contributions are welcome! This project should hopefully be small (~500loc for the plugin itself, ~1kloc for the wrappers around writing plugins) and well-documented enough for others to participate without difficulty.

Pick a TODO and get started!

Bugs

Please report non-security issues on the GitHub tracker. Security issues are covered by Square's bug bounty program.

License

sudo_pair is distributed under the terms of the Apache License (Version 2.0).

See LICENSE-APACHE for details.

sudo_pair's People

Contributors

Stargazers

Watchers

Forkers

adamar mmilleror cgati dfirgeek trevor-vaughan cenwei riviera12345 chaotic-evil renesugar jonnycrunch 3x-m4ch1na mtsuk boogy learnrust duzhanyuan backwardn ignatenkobrain pabit bonedaddy isgasho ishan-marikar freedeaths jacques morristech levyforchh livinginsyn souldarkside77 ykankaya houssoli isabella232 yelp rmallof jacobjohansen mirchr gc-ss pleza1987 fabiogermann jdtw sledneck666qc dronepilotztech sathishvjd mfaridi1394 azizsec1 kyuan1088 slowriot sudo-jake aravindb26 piyush-bhor ar4s-gh

sudo_pair's Issues

Tests fail on 32bit

     Running `/builddir/build/BUILD/sudo_plugin-sys-1.2.0/target/release/deps/sudo_plugin_sys-d26889b9040e8661`
running 7 tests
test bindgen_test_layout_policy_plugin ... FAILED
test bindgen_test_layout_io_plugin ... FAILED
test bindgen_test_layout_sudo_conv_callback ... FAILED
test bindgen_test_layout_sudo_conv_reply ... FAILED
test bindgen_test_layout_sudo_hook ... FAILED
test bindgen_test_layout_sudoers_group_plugin ... FAILED
test bindgen_test_layout_sudo_conv_message ... FAILED
failures:
---- bindgen_test_layout_policy_plugin stdout ----
thread 'bindgen_test_layout_policy_plugin' panicked at 'assertion failed: `(left == right)`
  left: `48`,
 right: `88`: Size of: policy_plugin', src/bindings.rs:3:10632
---- bindgen_test_layout_io_plugin stdout ----
thread 'bindgen_test_layout_io_plugin' panicked at 'assertion failed: `(left == right)`
  left: `52`,
 right: `96`: Size of: io_plugin', src/bindings.rs:3:16454
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
---- bindgen_test_layout_sudo_conv_callback stdout ----
thread 'bindgen_test_layout_sudo_conv_callback' panicked at 'assertion failed: `(left == right)`
  left: `16`,
 right: `32`: Size of: sudo_conv_callback', src/bindings.rs:3:3599
---- bindgen_test_layout_sudo_conv_reply stdout ----
thread 'bindgen_test_layout_sudo_conv_reply' panicked at 'assertion failed: `(left == right)`
  left: `4`,
 right: `8`: Size of: sudo_conv_reply', src/bindings.rs:3:2542
---- bindgen_test_layout_sudo_hook stdout ----
thread 'bindgen_test_layout_sudo_hook' panicked at 'assertion failed: `(left == right)`
  left: `16`,
 right: `24`: Size of: sudo_hook', src/bindings.rs:3:6771
---- bindgen_test_layout_sudoers_group_plugin stdout ----
thread 'bindgen_test_layout_sudoers_group_plugin' panicked at 'assertion failed: `(left == right)`
  left: `16`,
 right: `32`: Size of: sudoers_group_plugin', src/bindings.rs:3:20380
---- bindgen_test_layout_sudo_conv_message stdout ----
thread 'bindgen_test_layout_sudo_conv_message' panicked at 'assertion failed: `(left == right)`
  left: `12`,
 right: `16`: Size of: sudo_conv_message', src/bindings.rs:3:1349
failures:
    bindgen_test_layout_io_plugin
    bindgen_test_layout_policy_plugin
    bindgen_test_layout_sudo_conv_callback
    bindgen_test_layout_sudo_conv_message
    bindgen_test_layout_sudo_conv_reply
    bindgen_test_layout_sudo_hook
    bindgen_test_layout_sudoers_group_plugin

@stouset thanks for release :) I see that tests are failing on 32bit arches :)

Version: v1.2.1 build 7

Feature: packaged distributions.

Hi,

Would it be an idea to package sudo-pair into shipable formats such as:

binary in a tar.gz
rpm
deb
apk

I'm able to assist in a RPM at least.

In order to have this feature, I think these items are required:

A CI/CD pipeline to build packages if you release a new version of sudo-pair. Maybe travis-ci.
(RPM) A spec file describing the build process and the installation.
(deb) A control-file like the spec file.
An artifact store.

I understand it's quite a request, so if I can help you anywhere, please involve me.

Regards, Robert de Bock.

Improve the demo gif

ASCIInema and ASCIIcast have been suggested.

Building on Alpine 3.6 fails

Hi,

I'm trying to build sudo-pair on many distributions but run into a few issue.

On Alpine 3.6 the building fails with this error:

error: manifest path `/tmp/sudo-pair/Cargo.toml` is a virtual manifest, but this command requires running against an actual package in this workspace

These is the environment:

/ # cat /etc/alpine-release 
3.6.2
/ # cargo --version
cargo 0.18.0
/ # rustc --version
rustc 1.17.0
/ # gcc --version
gcc (Alpine 6.3.0) 6.3.0
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

On Alpine 3.7 the error is different, as Alpine 3.6 is a bit older, I think it's reasonable to accept this error as a known issue and not fix it, unless it's easy to solve.

Kind regards,

Robert de Bock.

Failed to parse manifest / feature 'resolver' is required

From a fresh clone on a new Debian Bullseye host:

The mentioned manifest is as follows:

# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
#
# When uploading crates to the registry Cargo will automatically
# "normalize" Cargo.toml files for maximal compatibility
# with all versions of Cargo and also rewrite `path` dependencies
# to registry (e.g., crates.io) dependencies.
#
# If you are reading this file be aware that the original Cargo.toml
# will likely look very different (and much more reasonable).
# See Cargo.toml.orig for the original contents.

[package]
edition = "2018"
name = "object"
version = "0.30.3"
exclude = [
    "/.github",
    "/testfiles",
]
description = "A unified interface for reading and writing object file formats."
readme = "README.md"
keywords = [
    "object",
    "elf",
    "mach-o",
    "pe",
    "coff",
]
license = "Apache-2.0 OR MIT"
repository = "https://github.com/gimli-rs/object"
resolver = "2"

[package.metadata.docs.rs]
features = ["doc"]

[dependencies.alloc]
version = "1.0.0"
optional = true
package = "rustc-std-workspace-alloc"

[dependencies.compiler_builtins]
version = "0.1.2"
optional = true

[dependencies.core]
version = "1.0.0"
optional = true
package = "rustc-std-workspace-core"

[dependencies.crc32fast]
version = "1.2"
optional = true
default-features = false

[dependencies.flate2]
version = "1"
optional = true

[dependencies.hashbrown]
version = "0.13.1"
features = ["ahash"]
optional = true
default-features = false

[dependencies.indexmap]
version = "1.6"
optional = true

[dependencies.memchr]
version = "2.4.1"
default-features = false

[dependencies.wasmparser]
version = "0.57"
optional = true

[features]
all = [
    "read",
    "write",
    "std",
    "compression",
    "wasm",
]
archive = []
cargo-all = []
coff = []
compression = [
    "flate2",
    "std",
]
default = [
    "read",
    "compression",
]
doc = [
    "read_core",
    "write_std",
    "std",
    "compression",
    "archive",
    "coff",
    "elf",
    "macho",
    "pe",
    "wasm",
]
elf = []
macho = []
pe = ["coff"]
read = [
    "read_core",
    "archive",
    "coff",
    "elf",
    "macho",
    "pe",
    "unaligned",
]
read_core = []
rustc-dep-of-std = [
    "core",
    "compiler_builtins",
    "alloc",
    "memchr/rustc-dep-of-std",
]
std = ["memchr/std"]
unaligned = []
unstable = []
unstable-all = [
    "all",
    "unstable",
    "xcoff",
]
wasm = ["wasmparser"]
write = [
    "write_std",
    "coff",
    "elf",
    "macho",
    "pe",
]
write_core = [
    "crc32fast",
    "indexmap",
    "hashbrown",
]
write_std = [
    "write_core",
    "std",
    "indexmap/std",
    "crc32fast/std",
]
xcoff = []

Build fails on CentOS 7

Building on CentOS 7 (with EPEL (Extra Packages for Enterprise Linux) enabled) fails:

   Compiling sudo_plugin-sys v1.1.0 (file:///builddir/build/BUILD/sudo_pair-sudo_pair-v0.9.2/sudo_plugin-sys)
error: failed to run custom build command for `sudo_plugin-sys v1.1.0 (file:///builddir/build/BUILD/sudo_pair-sudo_pair-v0.9.2/sudo_plugin-sys)`
process didn't exit successfully: `/builddir/build/BUILD/sudo_pair-sudo_pair-v0.9.2/target/release/build/sudo_plugin-sys-202e6ab914395c29/build-script-build` (exit code: 101)
--- stderr
thread 'main' panicked at 'function not loaded: clang_Type_getNumTemplateArguments', /builddir/.cargo/registry/src/github.com-1ecc6299db9ec823/clang-sys-0.22.0/src/lib.rs:1470:1
note: Run with `RUST_BACKTRACE=1` for a backtrace.

error: Bad exit status from /var/tmp/rpm-tmp.LXCDyF (%build)

A complete build log for debugging.

I'm not sure how difficult it is to make the build work on CentOS 7, but do think it's worth offering sudo-pair to CentOS-7.

Please let me know if more details are required.

Publish new version on crates.io

Or is this project basically dead? Latest release was 2 years ago according to crates.io

Wishlist: resolve group names

For maintainability I'd love to be able to specify group names in addition to GIDs for gids_exempted.

My rust-foo is superficial at best but I'm thinking this should be doable by extending is_sudoing_from_exempted_gid() , what do you think?

Building doesn't generate files referenced in installation

Hello,

I really like the look of this plugin for sudo, and would like to deploy it within my organisation.

However, I'm running into an issue with the installation, specifically cargo build --release as it's not generating the referenced ./target/release/libsudo_pair.dylib file.

Generated files:

I'm unsure which file should be installed in place of the .dylib file, as the installation sequence does not make this very clear.

Thanks,
redstonedesigner

Redo error handling with latest best practices

Error handling best practices have changed in Rust yet again. Investigate snafu and fehler.

Issues with building RPM on RHEL 7.x

Hi, I built an RPM for sudo-pair 0.11.1 on RHEL 7, and ran into a few small issues:

(1) Because the author apparently only built RPMs on Fedora 28/29/30, the .spec file assumes a compliant version of sudo is installed.

[root@vm-rh7 SPECS]# grep ^Requires sudo-pair.spec
Requires: sudo

Surely this should be

Requires: sudo >= 1.9

(2) In the rpmbuild BUILD tree, I see the following:

[root@vm-rh7 sudo_pair-sudo_pair-v0.11.1]# pwd
/var/local/mockbuild/rpmbuild/BUILD/sudo_pair-sudo_pair-v0.11.1

[root@vm-rh7 sudo_pair-sudo_pair-v0.11.1]# ls -l README.md
lrwxrwxrwx 1 mockbuild mock 21 Jun 8 2018 README.md -> ./sudo_pair/README.md

I don't know if it's because of this, but when the RPM is built and installed, I get this error:

[root@vm-rh7 rpmbuild]# rpm -ql sudo_pair
/usr/libexec/sudo/libsudo_pair.so
/usr/share/doc/sudo-pair-v0.11.1
/usr/share/doc/sudo-pair-v0.11.1/README.md
/usr/share/doc/sudo-pair-v0.11.1/sudo.conf
/usr/share/doc/sudo-pair-v0.11.1/sudo.prompt.pair
/usr/share/doc/sudo-pair-v0.11.1/sudo.prompt.user
/usr/share/doc/sudo-pair-v0.11.1/sudo_approve

[root@vm-rh7 rpmbuild]# cat /usr/share/doc/sudo_pair-v0.11.1/README.md
cat: /usr/share/doc/sudo_pair-v0.11.1/README.md: No such file or directory

[root@vm-rh7 rpmbuild]# ls -l /usr/share/doc/sudo_pair-v0.11.1/README.md
lrwxrwxrwx 1 root root 21 Jun 30 19:53 /usr/share/doc/sudo_pair-v0.11.1/README.md -> ./sudo_pair/README.md

README.md should be a plain file in the RPM, not a symbolic link pointing to nowhere.

(3) In .../BUILD/sudo_pair-sudo_pair-v0.11.1/contrib, there is a sample file called sudo-pair.spec. Why is it sudo-pair.spec and not sudo_pair.spec?

(4) Last but not least, in the final built RPM, there's no mention of sudo_plugin or sudo_plugin-sys anywhere. Should there be?

(Editorial comment: The use of both sudo_pair and sudo-pair interchangeably is very confusing.)

Feature: support for policy plugins in sudo-plugin

sudo-plugin, despite its generic name, currently only supports creating IO plugins, and not policy plugins. Would you consider policy plugins to be in-scope for the crate?

PS: Many thanks for releasing sudo-pair, and making sudo-plugin available as a reusable crate.

Can't compile: "error[E0308]: mismatched types"

Hi, looks like a promising tool, but I'm getting an error on this environment:

OS: Fedora release 27 (Twenty Seven)
Cargo: cargo 0.26.0
GCC: gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)

This is the sequence of commands:

git clone https://github.com/square/sudo_pair.git
cd sudo_pair
cargo build --release

This is the error I'm seeing:

   Compiling sudo_pair v0.9.1 (file:///tmp/sudo_pair/sudo_pair)
error[E0308]: mismatched types
  --> sudo_pair/src/lib.rs:89:1
   |
89 | / sudo_io_plugin! {
90 | |      sudo_pair: SudoPair {
91 | |         close:      close,
92 | |         log_ttyout: log_ttyout,
...  |
96 | |      }
97 | | }
   | |_^ types differ in mutability
   |
   = note: expected type `unsafe extern "C" fn(u32, std::option::Option<unsafe extern "C" fn(i32, *const sudo_plugin::<unnamed>::sudo_conv_message, *mut sudo_plugin::<unnamed>::sudo_conv_reply, *mut sudo_plugin::<unnamed>::sudo_conv_callback) -> i32>, std::option::Option<unsafe extern "C" fn(i32, *const i8, ...) -> i32>, *const *mut i8, *const *mut i8, *const *mut i8, i32, *const *mut i8, *const *mut i8, *const *mut i8) -> i32`
              found type `unsafe extern "C" fn(u32, std::option::Option<unsafe extern "C" fn(i32, *const sudo_plugin::<unnamed>::sudo_conv_message, *mut sudo_plugin::<unnamed>::sudo_conv_reply, *mut sudo_plugin::<unnamed>::sudo_conv_callback) -> i32>, std::option::Option<unsafe extern "C" fn(i32, *const i8, ...) -> i32>, *const *const i8, *const *const i8, *const *const i8, i32, *const *const i8, *const *const i8, *const *const i8) -> i32 {sudo_pair::open}`
   = note: this error originates in a macro outside of the current crate (in Nightly builds, run with -Z external-macro-backtrace for more info)

error: aborting due to previous error

error: Could not compile `sudo_pair`.

To learn more, run the command again with --verbose.

Adding --verbose adds:

     Running `rustc --crate-name sudo_pair sudo_pair/src/lib.rs --crate-type cdylib --emit=dep-info,link -C opt-level=3 -C metadata=f6720f8f7cb7d4f5 --out-dir /tmp/sudo_pair/target/release/deps -L dependency=/tmp/sudo_pair/target/release/deps --extern libc=/tmp/sudo_pair/target/release/deps/liblibc-239dc72b79093596.rlib --extern error_chain=/tmp/sudo_pair/target/release/deps/liberror_chain-129e1e98384007f0.rlib --extern sudo_plugin=/tmp/sudo_pair/target/release/deps/libsudo_plugin-d32be4a4c82187af.rlib -L native=/tmp/sudo_pair/target/release/build/backtrace-sys-982c0931204b3d0d/out/.libs`

... previously listed error ...

Caused by:
  process didn't exit successfully: `rustc --crate-name sudo_pair sudo_pair/src/lib.rs --crate-type cdylib --emit=dep-info,link -C opt-level=3 -C metadata=f6720f8f7cb7d4f5 --out-dir /tmp/sudo_pair/target/release/deps -L dependency=/tmp/sudo_pair/target/release/deps --extern libc=/tmp/sudo_pair/target/release/deps/liblibc-239dc72b79093596.rlib --extern error_chain=/tmp/sudo_pair/target/release/deps/liberror_chain-129e1e98384007f0.rlib --extern sudo_plugin=/tmp/sudo_pair/target/release/deps/libsudo_plugin-d32be4a4c82187af.rlib -L native=/tmp/sudo_pair/target/release/build/backtrace-sys-982c0931204b3d0d/out/.libs` (exit code: 101)

I'm guessing I need a different version of some used program, if you have a clue, please let me know.

RUSTSEC-2021-0139: ansi_term is Unmaintained

ansi_term is Unmaintained

Details
Status	unmaintained
Package	`ansi_term`
Version	`0.12.1`
URL	ogham/rust-ansi-term#72
Date	2021-08-18

The maintainer has adviced this crate is deprecated and will not
receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

See advisory page for additional details.

Broken rustfmt config

cargo fmt
Warning: Unknown configuration option `reorder_imported_names`
Error: Decoding config file failed:
invalid type: boolean `false`, expected string for key `use_small_heuristics`
Please check your config file.

This is breaking auto format in my editor.

RUSTSEC-2020-0036: failure is officially deprecated/unmaintained

failure is officially deprecated/unmaintained

Details
Status	unmaintained
Package	`failure`
Version	`0.1.8`
URL	rust-lang-deprecated/failure#347
Date	2020-05-02

The failure crate is officially end-of-life: it has been marked as deprecated
by the former maintainer, who has announced that there will be no updates or
maintenance work on it going forward.

The following are some suggested actively developed alternatives to switch to:

See advisory page for additional details.

Wishlist: logging

I should add some basic syslog logging to the sudo_pair plugin.

Allow whitelisting of other binaries

The approval script is whitelisted, but it may be desirable to allow other whitelisted paths to be exempt from the pairing requirement.

Build fails on Alpine 3.7: "error: unknown lint: `unreachable_pub`"

I'm trying to build on Alpine 3.7, but it fails with this environment:

/tmp/sudo-pair # cat /etc/alpine-release 
3.7.0
/tmp/sudo-pair # cargo --version
cargo 0.22.0
/tmp/sudo-pair # rustc --version
rustc 1.22.1
/tmp/sudo-pair # gcc --version
gcc (Alpine 6.4.0) 6.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

The error I'm getting is:

   Compiling sudo_plugin-sys v1.1.0 (file:///tmp/sudo-pair/sudo_plugin-sys)
error: unknown lint: `unreachable_pub`
  --> sudo_plugin-sys/src/lib.rs:30:9
   |
30 | #![warn(unreachable_pub)]
   |         ^^^^^^^^^^^^^^^
   |
note: lint level defined here
  --> sudo_plugin-sys/src/lib.rs:23:9
   |
23 | #![deny(warnings)]
   |         ^^^^^^^^
   = note: #[deny(unknown_lints)] implied by #[deny(warnings)]

error: aborting due to previous error

error: Could not compile `sudo_plugin-sys`.

To learn more, run the command again with --verbose.

Adding verbose adds a liitle more details:

     Running `rustc --crate-name sudo_plugin_sys sudo_plugin-sys/src/lib.rs --crate-type lib --emit=dep-info,link -C opt-level=3 -C metadata=3bc35ce6336ecbb1 -C extra-filename=-3bc35ce6336ecbb1 --out-dir /tmp/sudo-pair/target/release/deps -L dependency=/tmp/sudo-pair/target/release/deps --extern libc=/tmp/sudo-pair/target/release/deps/liblibc-b50efdb24f9f5105.rlib`
error: unknown lint: `unreachable_pub`
  --> sudo_plugin-sys/src/lib.rs:30:9
   |
30 | #![warn(unreachable_pub)]
   |         ^^^^^^^^^^^^^^^
   |
note: lint level defined here
  --> sudo_plugin-sys/src/lib.rs:23:9
   |
23 | #![deny(warnings)]
   |         ^^^^^^^^
   = note: #[deny(unknown_lints)] implied by #[deny(warnings)]

error: aborting due to previous error

error: Could not compile `sudo_plugin-sys`.

Caused by:
  process didn't exit successfully: `rustc --crate-name sudo_plugin_sys sudo_plugin-sys/src/lib.rs --crate-type lib --emit=dep-info,link -C opt-level=3 -C metadata=3bc35ce6336ecbb1 -C extra-filename=-3bc35ce6336ecbb1 --out-dir /tmp/sudo-pair/target/release/deps -L dependency=/tmp/sudo-pair/target/release/deps --extern libc=/tmp/sudo-pair/target/release/deps/liblibc-b50efdb24f9f5105.rlib` (exit code: 101)

Hope this is something you understand better than I do. ;-)

Regards, Robert de Bock.

RUSTSEC-2020-0071: Potential segfault in the time crate

Potential segfault in the time crate

Details
Package	`time`
Version	`0.1.44`
URL	time-rs/time#293
Date	2020-11-18
Patched versions	`>=0.2.23`
Unaffected versions	`=0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6`

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

time::UtcOffset::local_offset_at
time::UtcOffset::try_local_offset_at
time::UtcOffset::current_local_offset
time::UtcOffset::try_current_local_offset
time::OffsetDateTime::now_local
time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

at
at_utc

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3. series.

Workarounds

No workarounds are known.

References

time-rs/time#293

See advisory page for additional details.

Compilation fails due to deny(warnings)

error: missing documentation for macro
   --> src/macros.rs:106:1
    |
106 | macro_rules! sudo_io_static_fn {
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |
note: lint level defined here
   --> src/lib.rs:21:9
    |
21  | #![deny(warnings)]
    |         ^^^^^^^^
    = note: #[deny(missing_docs)] implied by #[deny(warnings)]

error: missing documentation for macro
   --> src/macros.rs:182:1
    |
182 | macro_rules! sudo_io_fn {
    | ^^^^^^^^^^^^^^^^^^^^^^^

error: aborting due to 2 previous errors

error: Could not compile `sudo_plugin`.

Using deny(warnings) is really bad idea since software would stop compiling after compiler update.

Please use -D warnings in CI instead.

Show who approved session

Right now sudo_pair does not show who approved/is watching the session, would be nice to have that in there.

failed to run custom build command for sudo_plugin-sys v1.2.1

The execution of cargo build --release went OK, until this message:

Compiling sudo_plugin-sys v1.2.1 (/home//git/sudo_pair/sudo_plugin-sys)
error: failed to run custom build command for sudo_plugin-sys v1.2.1 (/home//git/sudo_pair/sudo_plugin-sys)

Caused by:
process didn't exit successfully: /home/<me>/git/sudo_pair/target/release/build/sudo_plugin-sys-0d4f085cdf93c321/build-script-build (exit code: 101)
--- stderr
thread 'main' panicked at 'Unable to find libclang: "the libclang shared library at /usr/lib64/clang-private/libclang.so.7 could not be opened: libclangAST.so.7: cannot open shared object file: No such file or directory"', /home//.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.53.2/src/lib.rs:1956:13

The strange thing is that both of those files mentioned above is actually there:
ls -l /usr/lib64/clang-private/libclang.so.7 -rwxr-xr-x. 1 root root 558344 Jan 24 2019 /usr/lib64/clang-private/libclang.so.7 ls -l /home/<me>/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.53.2/src/lib.rs -rw-rw-r--. 1 <me> <group> 80276 May 6 13:53 /home/<me>/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.53.2/src/lib.rs

Any suggestions?

FYI:
I will suggest to add a list of less usual packages which needs to be installed. During the process I have done at least these:
yum install cargo llvm llvm-devel

Don't specify specific dependency versions in libraries

I think you should be as general as possible, and allow specific versions to be determined by users' Cargo.locks.

Wishlist: Session Logging

Hi, any plans on the roadmap to include logging into this? It would be great to have the session logged to a log management system or equivalent.

libsudopair.dylib Missing After Build

install -o root -g root -m 0644 ./target/release/libsudopair.dylib /usr/libexec/sudo

This line in the installation script fails because libsudopair.dylib does not exist. There are several .rlib items and I've tried installing them but nothing seems to put sudo_pair.so into /usr/libexec/sudo/

Allow termination/pause of monitored session

This looks great for monitoring what a user is doing but, should the person doing the monitoring determine that something bad is going on, they should be able to either pause the monitored person's ability to type or terminate the session immediately.

Default user message prompt has user pid and sudo pid swapped

Additionally, the command puts quotes around the pids, which isn't the correct command line signature

Demonstration of the bug(s):

User:

$ sudo ls
/usr/bin/sudo_approve '16378 3851'

Approver:

danielpops@dev :~/ [18:31:44]
# The command as-is does not match expected command line invocation
$ /usr/bin/sudo_approve '16378 3851'
Usage: sudo_approve uid pid

# Removing the quotes reveals the swapped order bug
danielpops@dev :~/ [18:31:54]
$ /usr/bin/sudo_approve 16378 3851
stat: cannot stat '/var/run/sudo_pair/16378.3851.sock': No such file or directory

# Swapping the order works as expected
danielpops@dev :~/ [18:31:58]
$ /usr/bin/sudo_approve 3851 16378                                        
You have been asked to approve and monitor the following sudo session:
[...]

square / sudo_pair Goto Github PK

sudo_pair's Introduction

sudo_pair

About

Installation

WARNING: Misconfiguring sudo can lock you out of your machine. Test this in a throwaway environment.

Configuration

/etc/sudoers

/etc/sudo.conf

Prompts

Approval Scripts

Limitations

Security Model

Project Layout

Dependencies

Contributions

Bugs

License

sudo_pair's People

Contributors

Stargazers

Watchers

Forkers

sudo_pair's Issues

Possible Alternative(s)

Impact

Patches

Workarounds

References

Recommend Projects

Recommend Topics

Recommend Org

`/etc/sudoers`

`/etc/sudo.conf`