sudo_pair is a sudo plugin that ensure that if a user tries to get root privileges, he will need an authorization from a pair
- ops ›
sudo_pair is a sudo plugin that ensure that no user can act entirely on their own authority within these systems. Once configured if a user tries to get root privileges, he will need an authorization from a pair that will monitor over his session.
cd sudo-pair charm build
Add to an existing application using juju-info relation.
juju deploy ubuntu juju deploy ./sudo-pair juju add-unit ubuntu juju add-relation ubuntu sudo-pair
The user can configure the following parameters:
root): This is a comma-separated list of group names that sudo_pair will gate access to. If a user is sudoing to a user that is a member of one of these groups, they will be required to have a pair approve their session.
none): This is a comma-separated list of group names whose users will be exempted from the requirements of sudo_pair. Note that this is not the opposite of the groups_enforced flag. Whereas groups_enforced gates access to groups, groups_exempted exempts users sudoing from groups. For instance, this setting can be used to ensure that oncall sysadmins can respond to outages without needing to find a pair.
none): This is a comma-separated list of full path commands that have to be bypassed from sudo pairing
none): This is the unix group for which the commands specified through bypass_cmds will be bypassed from sudo pairing approval
true): If true, auto approval is permitted.
Unit tests has been developed to test templates rendering for
To run unit tests:
tox -e unit
Deploy tests has been developed using python-libjuju
To run tests using python-libjuju:
tox -e functional
BootStack Charmers firstname.lastname@example.org
- (boolean) If true, auto approval is permitted.
- (string) This is a comma-separated list of full path commands that have to be bypassed from sudo pairing
- (string) This is the unix group for which the commands will be bypassed from sudo pairing approval
- (string) Space separated list of extra deb packages to install.
- (string) This is a comma-separated list of group names that sudo_pair will gate access to.
- (string) This is a comma-separated list of group names whose users will be exempted from the requirements of sudo_pair
- (string) List of signing keys for install_sources package sources, per charmhelpers standard format (a yaml list of strings encoded as a string). The keys should be the full ASCII armoured GPG public keys. While GPG key ids are also supported and looked up on a keyserver, operators should be aware that this mechanism is insecure. null can be used if a standard package signing key is used that will already be installed on the machine, and for PPA sources where the package signing key is securely retrieved from Launchpad.
- (string) List of extra apt sources, per charm-helpers standard format (a yaml list of strings encoded as a string). Each source may be either a line that can be added directly to sources.list(5), or in the form ppa:<user>/<ppa-name> for adding Personal Package Archives, or a distribution component to enable.
- (string) The status of service-affecting packages will be set to this value in the dpkg database. Valid values are "install" and "hold".