@@ -1,31 +1,32 @@

 [![Build Status](https://travis-ci.org/cjdev/dual-control.svg?branch=master)](https://travis-ci.org/cjdev/dual-control)

 # Dual Control

-Dual Control is a PAM module that requires a user to input a generated token

-from another user before being granted resource access. The module also requires

-that the user input the reason for his or her access request and, via `syslog`,

-captures all this information for future reference.

-At **CJ Engineering**, we will be implementing Dual Control on our production

-boxes to ensure that a single engineer cannot use sudo to gain application-roles

-access without meeting the above-stated requirements.

+Dual Control is a PAM module that requires a user to input a generated token from another user before being

+granted resource access. The module also requires that the user input the reason for his or her access request

+and, via `syslog`, captures all this information for future reference.

-Dual Control is an open source project licensed under the

-[GNU General Public License](https://github.com/cjdev/dual-control/blob/master/LICENSE).

-As it stands, Dual Control is written only for machines running Linux. However,

-we graciously welcome contributions, particularly those related to portability

-to other operating systems.

+At **CJ Engineering**, we will be implementing Dual Control on our production boxes to ensure that a single

+engineer cannot use sudo to gain application-roles access without meeting the above-stated requirements.

+

+Dual Control is an open source project licensed under the [GNU General Public

+License](https://github.com/cjdev/dual-control/blob/master/LICENSE).  As it stands, Dual Control is written

+only for machines running Linux. However, we graciously welcome contributions, particularly those related to

+portability to other operating systems.

 ## Status

-This is in active development. The current version uses a permanent token and

-so is not meant for production use. The final version will use a time-based OTP.

+

+This is in active development. The current version uses a permanent token and so is not meant for production

+use. The final version will use a time-based OTP.

 ## Install

+

 - Obtain and install the RPM

   - build yourself using the code in https://github.com/cjdev/dual-control-rpm, or

   - get it from a developer

 - Edit the `/etc/pam.d/sudo`  (this is for CentOS 7, others may be different)

   - replace the existing auth lines with

+

 ```

 #%PAM-1.0

 # auth        include       system-auth

@@ -41,17 +42,21 @@ session     required      pam_limits.so

 ```

 ## Add a dual control token

-From the authorizer's account home, run `dual_control`. The resulting token can

-be used to authorize another user.

+

+From the authorizer's account home, run `setup_user_account.sh`. This generates a secret key for TOTP

+authentication and, if you have qrencode installed, generates a QR code to scan.  Scan or enter this key in

+your authenticator app and then verify that the token in your app matches the one on the screen (answer Y to

+the prompt to get a more recent token).

 ## Use

-- log in with a test user that has `sudo` ability (not the vagrant account it is too

-powerful)

+

+- log in with a test user that has `sudo` ability (not the vagrant account it is too powerful)

 - type `sudo bash`

 - enter your password

 - enter dual control token, authorizer's username + ':' + authorizer's token

 ## Build and test

+

 - ./configure

 - make

 - make test

@@ -190,10 +190,13 @@ private:

     }

-    uint8_t get_next_input(reverse_map &lookup_table, std::string &input, std::string::size_type idx) const {

+    uint8_t get_next_input (reverse_map &lookup_table, std::string &input,

+                            std::string::size_type idx) const

+    {

         character_type character = input[idx];

-        if (character != '=' && lookup_table.find(character) == lookup_table.end()) {

+        if (character != '='

+            && lookup_table.find (character) == lookup_table.end()) {

             throw invalid_data_exception ();

         }

@@ -215,7 +218,7 @@ public:

             uint8_t start_bit = bits_written % 8;

             std::vector<unsigned char>::size_type current_byte = bits_written/8;

-            uint8_t val = get_next_input(lookup_table, input, idx);

+            uint8_t val = get_next_input (lookup_table, input, idx);

             set_vector_at_bit (result, val, current_byte, start_bit, 5);

             bits_written += 5;

@@ -231,3 +234,4 @@ template class std::vector<unsigned char>;

 base32::base32 ():

     delegate_ (std::make_shared<base32_impl> ())

 {}

+

@@ -48,3 +48,4 @@ public:

 };

 #endif

+

@@ -65,6 +65,7 @@ int decode_validates_input()

     base32 codec = base32();

     int num_exceptions = 0;

+

     try {

         codec.decode ("A");

         codec.decode ("AAAAAAAAA");

@@ -80,7 +81,7 @@ int decode_validates_input()

         num_exceptions++;

     }

-    check(num_exceptions == 2, "base32.decode should validate input data");

+    check (num_exceptions == 2, "base32.decode should validate input data");

     succeed();

 }

@@ -117,3 +118,4 @@ int main (int argc, char *argv[])

 {

     return !run_tests();

 }

+

@@ -1,3 +1,14 @@

+/* Copyright (C) CJ Affiliate

+ *

+ * You may use, distribute and modify this code under  the

+ * terms of the  GNU General Public License  version 2  or

+ * later.

+ *

+ * You should have received a copy of the license with this

+ * file. If not, you will find a copy in the "LICENSE" file

+ * at https://github.com/cjdev/dual-control.

+ */

+

 #ifndef _BECOME_H

 #define _BECOME_H

@@ -6,20 +17,21 @@

 class become

 {

- private:

+private:

     unistd unistd_;

- public:

- become(user user, unistd &unistd) :

-    unistd_ (unistd)

+public:

+    become (user user, unistd &unistd) :

+        unistd_ (unistd)

     {

         uid_t uid = user.uid();

-        unistd_.seteuid(uid);

+        unistd_.seteuid (uid);

     }

     ~become()

     {

-        unistd_.seteuid(0);

+        unistd_.seteuid (0);

     }

 };

 #endif

+

@@ -1,3 +1,14 @@

+/* Copyright (C) CJ Affiliate

+ *

+ * You may use, distribute and modify this code under  the

+ * terms of the  GNU General Public License  version 2  or

+ * later.

+ *

+ * You should have received a copy of the license with this

+ * file. If not, you will find a copy in the "LICENSE" file

+ * at https://github.com/cjdev/dual-control.

+ */

+

 #include "become.h"

 #include "sys_unistd.h"

 #include "sys_pwd.h"

@@ -43,9 +54,10 @@ public:

 int become_calls_seteuid_with_right_arguments ()

 {

     uid_t expected_uid = 1000;

-    std::shared_ptr<mock_unistd> mock_unistd  = share (new class mock_unistd(expected_uid));

+    std::shared_ptr<mock_unistd> mock_unistd  = share (new class mock_unistd (

+                expected_uid));

     unistd fake_unistd (mock_unistd);

-    user fake_user (share (new class fake_user(expected_uid)));

+    user fake_user (share (new class fake_user (expected_uid)));

     become become_ (fake_user, fake_unistd);

@@ -64,3 +76,4 @@ int main (int argc, char *argv[])

 {

     return !run_tests();

 }

+

@@ -76,3 +76,4 @@ dual_control dual_control::create (const dual_control_configuration

     return dual_control (std::shared_ptr<dual_control_ifc> (new impl (

                              configuration)));

 }

+

@@ -72,3 +72,4 @@ PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, int argc,

 {

     return dc.setcred (pam_request ( pamh, flags, argc, argv));

 }

+

@@ -95,8 +95,9 @@ private:

                       size_t data_size, const int digits=6) const

     {

         // TODO: see if I can use sha256/etc. with google auth...

-        const unsigned char *digest = HMAC (EVP_sha1(), key.data(), key.size(), data,

-                                      data_size, NULL, NULL);

+        const unsigned char *digest = HMAC (EVP_sha1(), key.data(), key.size(),

+                                            data,

+                                            data_size, NULL, NULL);

         if (digest == nullptr) {

             throw hmac_failed_exception();

@@ -137,3 +138,4 @@ totp_generator::totp_generator (

     const int code_digits) :

     delegate_ (std::make_shared<token_generator_impl> (clock, code_digits))

 {}

+

@@ -56,3 +56,4 @@ public:

 };

 #endif

+

@@ -192,3 +192,4 @@ int main (int argc, char *argv[])

 {

     return !run_tests();

 }

+

@@ -62,3 +62,4 @@ installer installer::create (const tokens &tokens, const unistd &unistd,

     return installer (std::make_shared<impl> (tokens, unistd, directory,

                       generator));

 }

+

@@ -211,3 +211,4 @@ int main (int argc, char *argv[])

 {

     return !run_tests();

 }

+

@@ -25,9 +25,9 @@ public:

     {

         return ::getlogin();

     }

-    virtual int seteuid(uid_t euid) const override

+    virtual int seteuid (uid_t euid) const override

     {

-        return ::seteuid(euid);

+        return ::seteuid (euid);

     };

 };

 }

@@ -37,3 +37,4 @@ unistd unistd::create()

     static unistd sys_unistd (unistd::delegate (new impl));

     return sys_unistd;

 }

+

@@ -28,7 +28,7 @@ public:

     {

         return "";

     }

-    virtual int seteuid(uid_t euid) const

+    virtual int seteuid (uid_t euid) const

     {

         return -1;

     };

@@ -54,9 +54,9 @@ public:

     {

         return delegate_->getlogin();

     }

-    int seteuid(uid_t euid) const

+    int seteuid (uid_t euid) const

     {

-        return delegate_->seteuid(euid);

+        return delegate_->seteuid (euid);

     };

     static unistd create();

 };

@@ -64,3 +64,4 @@ public:

 template class std::shared_ptr<unistd_ifc>;

 #endif

+

@@ -118,3 +118,4 @@ tokens tokens::create (const fstreams &fstreams,

     return tokens (tokens::delegate

                    (new tokens_impl (fstreams, generator, rand)));

 }

+

@@ -333,3 +333,4 @@ int main (int argc, char *argv[])

 {

     return !run_tests();

 }

+

@@ -1,8 +1,19 @@

+/* Copyright (C) CJ Affiliate

+ *

+ * You may use, distribute and modify this code under  the

+ * terms of the  GNU General Public License  version 2  or

+ * later.

+ *

+ * You should have received a copy of the license with this

+ * file. If not, you will find a copy in the "LICENSE" file

+ * at https://github.com/cjdev/dual-control.

+ */

+

 #ifndef TYPEALIASEES_H_

 #define TYPEALIASEES_H_

 #include <vector>

 using octet_vector = typename std::vector<uint8_t>;

-

 #endif

+

@@ -87,3 +87,4 @@ directory directory::create (unistd &unistd, pwd &pwd)

 {

     return directory (delegate (new directory_impl (unistd, pwd)));

 }

+

@@ -90,3 +90,4 @@ public:

 };

 #endif

+

@@ -56,7 +56,7 @@ public:

         }

         auto user_ = found_user[0];

-        become become_(user_, unistd_);

+        become become_ (user_, unistd_);

         std::string user_token = tokens_.token (user_);

         return user_token == token;

@@ -68,6 +68,8 @@ validator validator::create (const directory &directory,

                              const tokens &tokens,

                              const unistd &unistd)

 {

-    std::shared_ptr<validator_ifc> delegate (new impl (directory, tokens, unistd));

+    std::shared_ptr<validator_ifc> delegate (new impl (directory, tokens,

+            unistd));

     return validator (delegate);

 }

+

@@ -56,3 +56,4 @@ public:

 };

 #endif

+

@@ -36,7 +36,7 @@ public:

     int seteuid (uid_t euid) const override

     {

-        actual_uids.push_back(euid);

+        actual_uids.push_back (euid);

         return (euid == expected_euid_ || euid == 0) ? 0 : -1;

     }

 };

@@ -60,7 +60,8 @@ private:

     std::string user_name_;

     uid_t uid_;

 public:

-    fake_directory (const std::string &user_name, const uid_t uid = -1) : user_name_ (user_name), uid_ (uid)

+    fake_directory (const std::string &user_name,

+                    const uid_t uid = -1) : user_name_ (user_name), uid_ (uid)

     {

     }

     fake_directory() : user_name_ ("_NOT_A_USER") {}

@@ -70,7 +71,7 @@ public:

         std::vector<user> result;

         if (user_name == user_name_) {

-            result.push_back (user(share (new fake_user (uid_))));

+            result.push_back (user (share (new fake_user (uid_))));

         }

         return result;

@@ -101,7 +102,8 @@ bool validator_validates()

     uid_t expected_uid = 1000;

     directory directory (share (new fake_directory (user_name, expected_uid)));

-    std::shared_ptr<mock_unistd> mock_unistd = share (new class mock_unistd(expected_uid));

+    std::shared_ptr<mock_unistd> mock_unistd = share (new class mock_unistd (

+                expected_uid));

     class unistd unistd (mock_unistd);

     validator validator = validator::create (directory, tokens, unistd);

     std::vector<uid_t> expected_uids {expected_uid, 0};

@@ -111,7 +113,8 @@ bool validator_validates()

     // then

     check (actual, "should be valid");

-    check (mock_unistd->actual_uids == expected_uids, "should drop permissions");

+    check (mock_unistd->actual_uids == expected_uids,

+           "should drop permissions");

     succeed();

 }

@@ -234,3 +237,4 @@ int main (int argc, char *argv[])

 {

     return !run_tests();

 }

+