Tweak docker base image, approval script, and sudoers file; add Docker section to README #124
Conversation
…r section to README
|
|
| @@ -1,6 +1,6 @@ | |||
| # syntax=docker/dockerfile:1 | |||
|
|
|||
| FROM rust:latest AS base | |||
| FROM rust:1.52.1 AS base | |||
There was a problem hiding this comment.
Sometime between the last update and now, rust:latest started building the plugin in such a way that it causes a segfault when added to sudo.conf. Looking at bisecting that.
| @@ -2,6 +2,6 @@ Due to security and compliance requirements, this `sudo` session will require ap | |||
|
|
|||
| To continue, another human must run: | |||
|
|
|||
| docker exec -it %h '%B %u %p' | |||
| docker exec -it %h %B %u %p | |||
There was a problem hiding this comment.
Having the command and its params in quotes causes Docker to look for a file of that exact name, which then can't be found.
| @@ -1 +1 @@ | |||
| nobody ALL = (: games) NOPASSWD: LOG_OUTPUT: ALL | |||
| games ALL = (nobody) NOPASSWD:LOG_OUTPUT:ALL | |||
There was a problem hiding this comment.
This might be wrong—I kind of reverse-engineered this from what seemed like the expected behavior for the environment; nogroup is the restricted-access group which triggers sudo_pair, and nobody is the member of that group that we want to sudo as. Doing it as root just automatically succeeds, so we need to do it with a different user (presumably games, although most users would work).
No description provided.