If you’ve done anything with a modern Linux system — including most variants for the Raspberry Pi — you probably know about sudo. This typically allows an authorized user to elevate themselves to superuser status to do things.
However, there is a problem. If you have sudo access, you can do anything — at least, anything the sudoers file allows you to do. But what about extremely critical operations? We’ve all seen the movies where launching the nuclear missile requires two keys counter-rotated at the same time and third firing key. Is there an equivalent for Linux systems?
It isn’t exactly a counter-rotating key, but the sudo_pair project — a prelease open-source project from Square — gives you something similar. The project is a plugin for sudo that allows you to have another user authorize a sudo request. Not only do they authorize it, but they get to see what is happening, and even abort it if something bad is happening.
Actually, sudo is a little more complicated than most people think. If you read the sudo manual, you can authorize certain users or groups to have very specific access, if you know how to set it up. You just don’t see it done very often. For example, you can allow a specific program to run as root for any user (or subset of users) without granting access to everything. That means sudo-pair wouldn’t have to be used for total root access. You could use it to monitor usage of specific critical applications.
The easiest way to understand exactly what’s going on is to watch the demo below which shows two users’ screens. One requests a sudo and the other approves it (click on it to view full size).
The system is pretty flexible, but because it is in prerelease there are a few steps to setting it up that you can follow in the project’s README. A script checks to make sure you are not trying to approve your own session and can do other custom processing. This leads to a chicken-and-egg problem. You need to protect that script, but people do need to be able to run it. The system allows your session to execute the script without a pair. There are other ways you can exempt certain things, too. For example, an on-call administrator group can be exempted. Note that root is always exempt, but you really shouldn’t have many people with full root authority, if you are dealing with things sensitive enough to need this.
The code is in Rust and there’s nothing prebuilt yet. This is a very useful feature if you have multiple users managing something important, but it is a little early for a production environment. In particular, as the project warns, misconfiguring sudo can lock you out of a machine, so tread lightly and — of course — you have backups. Right?
If you are running something critical, you really need to understand sudo and configure it with or without sudo-pair. It is possible to restrict operations at the user and group level and virtually no one should have complete root access. Even if you are the only user on your Raspberry Pi, if it is controlling something critical you should force a hacker to at least break multiple passwords to get through. You might even consider multifactor authentication. You can even pull that trick with an Arduino, oddly enough.