
Show HN: sudo_pair – dual control for sudo - stouset
https://github.com/square/sudo_pair
======
stouset
This is something I've spent a bunch of time on (on-and-off) during the past
year and a half to scratch a personal itch at work. I'm thrilled to finally be
able to release it publicly (thanks to Square for being so supportive in
this).

Long story short, it's how we implement dual control for sudo at Square. If
someone sudos to a privileged user or group, this plugin requires them to find
another engineer to approve the session. That engineer will then see a live
mirror of everything that happens during the privileged session.

Technically, it's surprisingly simple: sudo has a plugin mechanism which
allows you to log all terminal I/O, and the "meat" of it is basically just
copying all I/O to a socket and `socat`ing it on the other end. The rest is
all just enforcing security constraints, exposing the sudo_plugin(8) facility in a
Rust-like wrapper, parsing all of the hundred-plus fields of metadata sent to
the plugin by sudo, and wrapping it up in a bow so I can share it with you
guys.

Please give me your feedback! I've released the plugin at a prerelease version
of 0.9.0; we're happy with it, but I want to solicit feedback from the
community and others who want to use it before officially stamping it as 1.0.

~~~
eps
In the screencap - whoami on the left shows 'stephen' and the shell on the
right also shows 'stephen', so ultimately it looks like 'stephen' ends up
approving his own sudo request, which defeats the whole purpose. I assume
that's not possible, but perhaps clarify this part?

~~~
stouset
Good catch. :)

It might be hard to read in the gif, but at Square, we actually allow users to
approve their own sessions. When this happens, it's logged in such a way that
an oncall infosec person is paged immediately. Users know not to do this
except in case of emergency; the whole point is to have an in-case-of-fire-
break-glass escape hatch during, e.g., a critical outage in the middle of the
night.

The logic for this[1] is currently in the approval script (and in the sample
one provided, it does deny access). However, I intend to make this a
responsibility of the plugin itself[2] shortly, where you can toggle between
denying and logging. Also, it's pretty easy to take the output from `socat`,
pipe it to GPG, and archive the session afterward, for forensic purposes. We
plan to do this latter part as well (possibly through the approval script,
possibly as a second plugin).

[1]: https://github.com/square/sudo_pair/blob/master/sample/bin/sudo_approve#L75

[2]: https://github.com/square/sudo_pair/blob/master/sudo_pair/src/lib.rs#L133
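
As an added example (not sudo_pair's own code), the two pieces described in this thread, in Rust: parsing the key=value metadata vectors sudo hands a plugin (top post) and the self-approval rule from this reply. The field names follow sudo_plugin(8); the privileged-gid set, the `break_glass` flag and the audit line format are assumptions.

```rust
// Added example, not sudo_pair's own code: parse the key=value vectors sudo
// hands an I/O plugin, decide whether a session needs a pair, and apply the
// self-approval rule described in the thread.
use std::collections::HashMap;

/// sudo passes settings, user_info and command_info to a plugin as vectors of
/// "key=value" strings. Values may contain '=', so split on the first one only.
pub fn parse_vector(vector: &[&str]) -> Result<HashMap<String, String>, String> {
    let mut fields = HashMap::new();
    for entry in vector {
        match entry.split_once('=') {
            Some((key, value)) => {
                fields.insert(key.to_string(), value.to_string());
            }
            None => return Err(format!("malformed plugin field: {:?}", entry)),
        }
    }
    Ok(fields)
}

/// Assumption: only gid 0 is treated as privileged here; sudo_pair itself
/// makes the privileged users/groups configurable.
const PRIVILEGED_GIDS: &[&str] = &["0"];

/// A pair is required when the command runs as uid 0 or as a privileged gid
/// (field names as documented in sudo_plugin(8) for command_info).
pub fn needs_pair(command_info: &HashMap<String, String>) -> bool {
    let runas_uid = command_info.get("runas_uid").map(String::as_str);
    let runas_gid = command_info.get("runas_gid").map(String::as_str);
    runas_uid == Some("0") || runas_gid.map_or(false, |g| PRIVILEGED_GIDS.contains(&g))
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny }

/// Self-approval is denied unless break-glass mode is enabled, in which case it
/// is allowed but the audit line is flagged so on-call can be paged.
pub fn approve(requester: &str, approver: &str, break_glass: bool) -> (Decision, String) {
    if requester == approver {
        return if break_glass {
            (Decision::Allow, format!("SELF_APPROVAL user={} page_oncall=true", requester))
        } else {
            (Decision::Deny, format!("SELF_APPROVAL_DENIED user={}", requester))
        };
    }
    (Decision::Allow, format!("APPROVED user={} approver={}", requester, approver))
}

fn main() {
    // Constructed sample vectors in the shape sudo provides (not a real capture).
    let user = parse_vector(&["user=stephen", "uid=1000", "tty=/dev/pts/3"]).unwrap();
    let cmd = parse_vector(&["command=/bin/bash", "runas_uid=0", "runas_gid=0"]).unwrap();
    println!("{} needs pair: {}", user["user"], needs_pair(&cmd));
    println!("{:?}", approve(&user["user"], "stephen", false));
}
```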

------
JackDanger
This is brilliant and I love that it relies almost entirely on Linux
primitives already in place.

