Sudo Pair

juju deploy sudo-pair

Supported series: 20.04 LTS, 18.04 LTS, 16.04 LTS

Overview

sudo_pair is a sudo plugin that ensures no user can act entirely on their own authority on these systems. Once configured, a user who tries to obtain root privileges needs authorization from a pair, who then monitors the session.

Build

cd sudo-pair
charm build

Usage

Add it to an existing application using the juju-info relation.

Example:

juju deploy ubuntu
juju deploy ./sudo-pair
juju add-unit ubuntu
juju add-relation ubuntu sudo-pair

Configuration

The user can configure the following parameters:

  • groups_enforced (default: root): This is a comma-separated list of group names that sudo_pair will gate access to. If a user is sudoing to a user that is a member of one of these groups, they will be required to have a pair approve their session.
  • groups_exempted (default: none): This is a comma-separated list of group names whose users will be exempted from the requirements of sudo_pair. Note that this is not the opposite of the groups_enforced flag. Whereas groups_enforced gates access to target groups, groups_exempted exempts the users sudoing from those groups. For instance, this setting can be used to ensure that oncall sysadmins can respond to outages without needing to find a pair.
  • bypass_cmds (default: none): This is a comma-separated list of full-path commands that are exempt from sudo pairing.
  • bypass_group (default: none): This is the Unix group for which the commands listed in bypass_cmds bypass sudo pairing approval.
  • auto_approve (default: true): If true, auto approval is permitted.
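The interaction between these settings is easy to misread, because groups_enforced looks at the target user while groups_exempted and bypass_group look at the invoking user. The following model is an added illustration, not the charm's or the sudo_pair plugin's own code: it parses charm-style comma-separated values and applies the four gating settings to constructed sample users (alice, bob, carol, the groups oncall and dba, and the command paths are all made up here). Evaluating exemptions and command bypasses before enforcement is an assumption of this model; auto_approve is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class PairConfig:
    """The four gating settings from the charm's configuration, parsed into sets."""
    groups_enforced: Set[str] = field(default_factory=lambda: {"root"})
    groups_exempted: Set[str] = field(default_factory=set)
    bypass_cmds: Set[str] = field(default_factory=set)
    bypass_group: str = ""


def parse_config(raw: Dict[str, str]) -> PairConfig:
    """Turn comma-separated charm config values into a PairConfig.

    An empty groups_enforced falls back to the documented default of "root".
    """
    def split(key: str) -> Set[str]:
        return {item.strip() for item in raw.get(key, "").split(",") if item.strip()}

    return PairConfig(
        groups_enforced=split("groups_enforced") or {"root"},
        groups_exempted=split("groups_exempted"),
        bypass_cmds=split("bypass_cmds"),
        bypass_group=raw.get("bypass_group", "").strip(),
    )


def pair_required(cfg: PairConfig, invoking_groups: Set[str],
                  target_groups: Set[str], command: str) -> bool:
    """Decide whether a sudo invocation needs a pair's approval.

    groups_exempted and bypass_group are checked against the *invoking* user,
    groups_enforced against the *target* user. Checking exemptions before
    enforcement is an assumption of this model, not something the page states.
    """
    # An exempted invoker (e.g. oncall) never needs a pair, whatever the target.
    if cfg.groups_exempted & invoking_groups:
        return False
    # Command bypass applies only to members of bypass_group (assumption: a
    # bypass_cmds list without a bypass_group bypasses nothing).
    if cfg.bypass_group and cfg.bypass_group in invoking_groups \
            and command in cfg.bypass_cmds:
        return False
    # Otherwise pairing is required exactly when the target user belongs to
    # one of the enforced groups.
    return bool(cfg.groups_enforced & target_groups)


# Constructed sample data (not from the page): group memberships per user.
USERS = {
    "alice": {"alice", "sudo"},
    "bob": {"bob", "sudo", "oncall"},
    "carol": {"carol", "sudo", "dba"},
    "root": {"root"},
    "postgres": {"postgres"},
}

# Constructed sample configuration in the charm's comma-separated format.
SAMPLE_CONFIG = parse_config({
    "groups_enforced": "root",
    "groups_exempted": "oncall",
    "bypass_cmds": "/usr/sbin/service,/usr/bin/systemctl",
    "bypass_group": "dba",
})


def decide(invoker: str, target: str, command: str,
           cfg: PairConfig = SAMPLE_CONFIG) -> bool:
    """Convenience wrapper over pair_required using the sample user table."""
    return pair_required(cfg, USERS[invoker], USERS[target], command)


if __name__ == "__main__":
    for who, target, cmd in [("alice", "root", "/bin/bash"),
                             ("bob", "root", "/bin/bash"),
                             ("carol", "root", "/usr/sbin/service"),
                             ("carol", "root", "/bin/bash"),
                             ("alice", "postgres", "/usr/bin/psql")]:
        verdict = "pair required" if decide(who, target, cmd) else "no pair needed"
        print(f"{who} -> {target} {cmd}: {verdict}")
```

Running it shows the asymmetry: alice sudoing to root needs a pair, bob does not because he is in an exempted group, and carol is only let through for the two listed commands, not for an arbitrary shell.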

Testing

Unit tests have been developed to test template rendering for sudo.conf, sudoers.d/91-bypass-sudopair-cmds and sudo_approve.

To run unit tests:

tox -e unit

Deploy tests have been developed using python-libjuju.

To run tests using python-libjuju:

tox -e functional

Contact Information

BootStack Charmers bootstack-charmers@lists.canonical.com