The codejail docs currently recommend the following sudoers file:

```
<SANDBOX_CALLER> ALL=(sandbox) SETENV:NOPASSWD:<SANDENV>/bin/python
<SANDBOX_CALLER> ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
<SANDBOX_CALLER> ALL=(ALL) NOPASSWD:/usr/bin/pkill
```
There are a few warts here:

- Allowing the app user to run `find` as the sandbox user is equivalent to allowing the app user to run anything as the sandbox user, because `find` allows running arbitrary code. (The reason `find` is included is that the sandbox user might create files the app user can't delete, so we run `find ... -exec rm -rf ...` as sandbox.)
- `SETENV` is set for both `python` and `find`, but it doesn't appear to be necessary for either. (In fact, the recommended AppArmor profile then disallows propagating the environment to the python execution.)
- The app user is allowed to call `pkill` as any user, not just the sandbox user.
Given that the app user has strictly more capabilities than the sandbox user in the first place, it might make more sense to just have this sudoers file:

```
<SANDBOX_CALLER> ALL=(sandbox) NOPASSWD:ALL
```
Alternatively, if we want to restrict arbitrary code execution as the sandbox user to always be under AppArmor confinement, we might want something like this, and then use the sandboxed python executable for any cleanup, allowing us to get rid of the `find` call:

```
<SANDBOX_CALLER> ALL=(sandbox) NOPASSWD:<SANDENV>/bin/python
<SANDBOX_CALLER> ALL=(sandbox) NOPASSWD:/usr/bin/pkill
```
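As an added example (not codejail's own code), here is a small audit script that parses sudoers entries and flags the three warts above: an arbitrary-exec binary such as `find` granted to the sandbox user, `SETENV` on a command, and a runas of `(ALL)`. The user name `app` and the path `/opt/sandbox` are assumed stand-ins for `<SANDBOX_CALLER>` and `<SANDENV>`.

```python
"""Audit codejail-style sudoers entries for the warts discussed in the issue."""
import re

# Constructed sample: the recommended sudoers file quoted above, with the
# assumed values "app" for <SANDBOX_CALLER> and /opt/sandbox for <SANDENV>.
SAMPLE_SUDOERS = """\
app ALL=(sandbox) SETENV:NOPASSWD:/opt/sandbox/bin/python
app ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
app ALL=(ALL) NOPASSWD:/usr/bin/pkill
"""

# Binaries that can run arbitrary commands (find via -exec), so granting one
# of them is equivalent to granting ALL as the target user.
ARBITRARY_EXEC_BINARIES = {"/usr/bin/find"}

# user host=(runas[:group]) [TAG:...]command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:)*)(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> list[str]:
    """Return one finding string per wart; an empty list means none found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: could not parse entry: {line}")
            continue
        runas = m.group("runas").split(":")[0].strip()
        tags = {t for t in m.group("tags").split(":") if t}
        for cmd in m.group("cmds").split(","):
            binary = cmd.strip().split()[0]
            if binary in ARBITRARY_EXEC_BINARIES:
                findings.append(f"line {lineno}: {binary} as {runas} is "
                                f"equivalent to ALL as {runas} (arbitrary exec)")
            if "SETENV" in tags:
                findings.append(f"line {lineno}: SETENV on {binary} is likely "
                                "unnecessary (the AppArmor profile drops the env)")
            if runas == "ALL":
                findings.append(f"line {lineno}: {binary} runnable as any user, "
                                "not just the sandbox user")
    return findings
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports four findings for the recommended file, while both alternative files proposed above come back clean.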