Sudo security hole?


(Colin Thomas) #1

We have very sensitive fields that we have locked down using a user attribute.

This works well, but users with sudo permissions can sudo as a user with the required permissions and then see the sensitive data.

We don’t want to remove our Looker Superuser’s ability to sudo as they use it a lot to support their teams.

Can you limit which users a user can sudo as?
We could then only allow Superusers to sudo as their own team members.

Can you prevent fields from being displayed when the user is being sudoed?

We are aware that sudos are logged but this isn’t very accessible and we would have to setup a process to monitor this on a regular basis.

Any suggestions appreciated!

(Deepika) #2

Hi @Colin_Thomas

Thanks for passing on this feedback.
It is currently not possible to grant user/group specific sudo permissions, however will be happy to pass this valuable feedback on to the product team.

Will keep this thread posted if there is any progress wrt this topic in future.


(Ian) #3

We have this exact situation as well, being able to sudo as only people in your group(s) would be ideal.

(Sean Higgins) #4

@Colin_Thomas can you expand a bit on what you are having these Superusers do while sudo-ing as other users to support? Maybe we can suggest a different workflow that doesn’t require sudo-ing since it’s a security issue for you.

(Ian) #5

Without wanting to hijack I can share.
We have developers who develop user or group specific content and wish to see how it looks as those users or group of users - this is a generic dashboard which would behave differently for different users. They might also wish to see if a user has been put into the correct group or set of groups based on the results of content.

(Colin Thomas) #6

Our super-users use sudo to see reports as the end users would see it. Our developers do the same but for a wider range of users. This is to rule out any changes in permissions.
We actually need to limit the visibility of certain data fields to all users including the developers (except named individuals).
We also have an issue as Looker support staff also have Sudo permissions I believe.

(leticia.esparza) #7

Hey @Colin_Thomas,

We appreciate you taking the time to provide additional context about your use case. As of Looker 6.0, we now have a way to limit access to LookML elements such as fields by leveraging access grants. However, if users have the sudo permission, there is still that option for them to sudo as a user that does have access to these fields. I was sure to relay this point to the product team.

@IanT, I was also able to funnel your input to the team as well. Thanks again!