The codejail docs currently recommend the following sudoers file:
```
<SANDBOX_CALLER> ALL=(sandbox) SETENV:NOPASSWD:<SANDENV>/bin/python
<SANDBOX_CALLER> ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
<SANDBOX_CALLER> ALL=(ALL) NOPASSWD:/usr/bin/pkill
```
There are a few warts here:

- Allowing the app user to run `find` as the sandbox user is equivalent to allowing the app user to run anything as the sandbox user, because `find` allows running arbitrary code.
- The only reason `find` is included is because the sandbox user might create files the app user can't delete, so we run `find ... -exec rm -rf ...` as sandbox.
- `SETENV` is set for both `python` and `find`, but it doesn't appear to be necessary for either. (In fact, the recommended AppArmor profile then disallows propagating the environment to the python execution.)
- The app user is allowed to call kill as any user, not just the sandbox user.
Given that the app user has strictly more capabilities than the sandbox user in the first place, it might make more sense to just have this sudoers file:
```
<SANDBOX_CALLER> ALL=(sandbox) NOPASSWD:ALL
```
Alternatively, if we want to restrict arbitrary code execution as the sandbox user to always be under AppArmor confinement, we might want something like this, and then use the sandboxed python executable for any cleanup, allowing us to get rid of the find call:
```
<SANDBOX_CALLER> ALL=(sandbox) NOPASSWD:<SANDENV>/bin/python
<SANDBOX_CALLER> ALL=(sandbox) NOPASSWD:/usr/bin/pkill
```
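An added example, not part of the issue and not codejail's own code, of the cleanup step the second alternative implies: a small script the app user invokes as `sudo -u sandbox <SANDENV>/bin/python cleanup_sandbox.py <run-dir>`, so the sandbox user deletes its own files through the already-confined interpreter and no `find` rule is needed. The script name, the `ALLOWED_ROOT` location and the per-run directory layout are assumptions. It refuses targets that are not real directories strictly under the allowed root (including symlinks planted by sandboxed code) and restores `u+rwx` on subdirectories the sandboxed code may have chmod'ed away, which `rm -rf` would otherwise choke on. `demo()` builds a constructed scratch tree to exercise the three cases.

```python
"""Cleanup of a per-run sandbox directory, meant to run *as the sandbox user*:

    sudo -u sandbox <SANDENV>/bin/python cleanup_sandbox.py /tmp/codejail/<run-id>

Hypothetical replacement for the `find ... -exec rm -rf` step: only the
already-confined python is needed, so no extra sudo rule for find.
"""
import os
import shutil
import sys
import tempfile

# Hypothetical location of per-run sandbox directories.
ALLOWED_ROOT = os.path.join(tempfile.gettempdir(), "codejail")


def is_safe_target(path, root=ALLOWED_ROOT):
    """True iff `path` is a real directory strictly below `root`.

    The target itself must not be a symlink, and resolving any symlinked
    parent must still land inside `root`; otherwise sandboxed code could
    plant a link and have its own cleanup delete something else.
    """
    if os.path.islink(path) or not os.path.isdir(path):
        return False
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path != real_root and real_path.startswith(real_root + os.sep)


def _reopen_dirs(top):
    """Restore u+rwx on subdirectories the sandboxed code may have locked down.

    As owner, the sandbox user may chmod them; plain rm -rf cannot descend
    into a mode-000 directory. Symlinks are skipped so we never chmod a
    target outside the tree.
    """
    for dirpath, dirnames, _ in os.walk(top):
        for name in dirnames:
            sub = os.path.join(dirpath, name)
            if not os.path.islink(sub):
                os.chmod(sub, 0o700)


def remove_sandbox_dir(path, root=ALLOWED_ROOT):
    """Delete one sandbox run directory; refuse anything outside `root`."""
    if not is_safe_target(path, root):
        raise ValueError("refusing to remove %r: not a directory under %r" % (path, root))
    os.chmod(path, 0o700)
    _reopen_dirs(path)
    # shutil.rmtree unlinks symlinks inside the tree instead of following them.
    shutil.rmtree(path)
    return not os.path.exists(path)


def demo():
    """Exercise the three cases on a constructed scratch tree; returns outcomes."""
    root = tempfile.mkdtemp(prefix="codejail-demo-")
    outside = tempfile.mkdtemp(prefix="codejail-outside-")
    run_dir = os.path.join(root, "run-1")
    os.makedirs(os.path.join(run_dir, "locked", "deep"))
    with open(os.path.join(run_dir, "locked", "deep", "out.txt"), "w") as fh:
        fh.write("constructed sample output\n")
    os.chmod(os.path.join(run_dir, "locked"), 0)  # as hostile sandboxed code might
    link = os.path.join(root, "run-2")
    os.symlink(outside, link)  # symlink escaping the root

    results = {"removed_run_dir": remove_sandbox_dir(run_dir, root)}
    try:
        remove_sandbox_dir(link, root)
        results["refused_symlink"] = False
    except ValueError:
        results["refused_symlink"] = True
    try:
        remove_sandbox_dir(outside, root)
        results["refused_outside"] = False
    except ValueError:
        results["refused_outside"] = True
    results["outside_intact"] = os.path.isdir(outside)
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 2:
        remove_sandbox_dir(sys.argv[1])
    else:
        print(demo())
```

Because the script runs as the sandbox user, a bug in it can at worst delete the sandbox user's own files; the root check matters mainly so that a symlink left behind by sandboxed code cannot redirect the deletion at anything else that user can write to.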