square · haikuginger · Jul 6, 2022 · Jul 6, 2022 · haikuginger · Jul 6, 2022
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM rust:latest AS base
+FROM rust:1.52.1 AS base
 
 ARG DEBIAN_FRONTEND=noninteractive
 

diff --git a/sample/etc/sudo_pair.prompt.user b/sample/etc/sudo_pair.prompt.user
@@ -2,6 +2,6 @@ Due to security and compliance requirements, this `sudo` session will require ap
 
 To continue, another human must run:
 
-    docker exec -it %h '%B %u %p'
+    docker exec -it %h %B %u %p
 
 If a suitable human is not available and you have an immediate and urgent need to run this command, you may run the above command to approve your own session. [1mNote that doing so will immediately page an oncall security engineer, so this capability should only be used in the event of an emergency.[0m
diff --git a/sample/etc/sudoers.d/sudo_pair b/sample/etc/sudoers.d/sudo_pair
@@ -1 +1 @@
-nobody ALL = (: games) NOPASSWD: LOG_OUTPUT: ALL
+games ALL = (nobody) NOPASSWD:LOG_OUTPUT:ALL
diff --git a/sudo_pair/README.md b/sudo_pair/README.md
@@ -262,6 +262,56 @@ goal to have a minimal set of dependencies. Currently, those are:
 * [rust-lang-nursery/failure][failure]
 * [dtolnay/thiserror][thiserror]
 
+## Manual Testing in Docker
+
+The behavior of `sudo_pair` can be tested using the included Docker image.
+
+First, build and launch the image. It does not have an entrypoint, so using
+the `-i` flag ensures it stays open, and the `-d` flag detaches from it.
+
+```
+docker build -t sudo-pair . && docker run -id --name sudo-pair sudo-pair
+```
+
+Now, you can attach to the image as the `games` user. In the configuration generated for
+this Docker image, `games` is granted the right to passwordlessly sudo as the `nobody` user;
+in turn, the `nobody` user is a member of the `nogroup` group, which triggers the `sudo_pair`
+enforcement mechanism:
+
+```
+docker exec -u games -it sudo-pair /bin/bash
+```
+
+Now that you're logged in as `games`, you can attempt to sudo as `nobody`, and see the `sudo_pair`
+flow:
+
+```
+sudo -u nobody /bin/bash
+```
+
+You'll be given a prompt like the one below explaining that another user must approve your sudo action:
+
+```
+Due to security and compliance requirements, this `sudo` session will require approval and monitoring.
+
+To continue, another human must run:
+
+    docker exec -it d263b8d24076 /usr/bin/sudo_approve 5 112
+
+If a suitable human is not available and you have an immediate and urgent need to run this command,
+you may run the above command to approve your own session. Note that doing so will immediately page
+an oncall security engineer, so this capability should only be used in the event of an emergency.
+```
+
+In another terminal, you can copy and paste the given command (which will implicitly run as root
+inside the container), and your session as `nobody` will be mirrored to both terminals once approved.
+
+To clean up the existing Docker environment before creating a new build, stop and remove the container:
+
+```
+docker stop sudo-pair && docker rm sudo-pair
+```
+
 ## Contributions
 
 Contributions are welcome! This project should hopefully be small
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		nobody ALL = (: games) NOPASSWD: LOG_OUTPUT: ALL
		games ALL = (nobody) NOPASSWD:LOG_OUTPUT:ALL
Copy link Collaborator Author haikuginger Jul 6, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. This might be wrong—I kind of reverse-engineered this from what seemed like the expected behavior for the environment; `nogroup` is the restricted-access group which triggers `sudo_pair`, and `nobody` is the member of that group that we want to sudo as. Doing it as `root` just automatically succeeds, so we need to do it with a different user (presumably `games`, although most users would work).