ci: enhance su command blocking test and policy enforcement

Author: mujing

.github/workflows/build-and-push.yml

@@ -274,10 +274,18 @@ jobs:
         timeout-minutes: 1
         run: |
           echo "Testing su command is blocked..."
-          if docker exec test-container bash -c "sudo su - root" 2>&1 | grep -q "sudo: su: command not found\|Sorry, user coder is not allowed to execute"; then
+          SU_OUTPUT=$(docker exec test-container bash -c "sudo -n /usr/bin/su - root -c 'whoami'" 2>&1 || true)
+          echo "sudo su output: $SU_OUTPUT"
+          
+          if echo "$SU_OUTPUT" | grep -q "^root$"; then
+            echo "::error::su command escalated to root; policy is broken"
+            exit 1
+          fi
+          
+          if echo "$SU_OUTPUT" | grep -Eq "not allowed to execute|command not found|a password is required|password is required|authentication is required"; then
             echo "✓ su command is properly blocked"
           else
-            echo "::error::su command is not blocked as expected"
+            echo "::error::Unexpected sudo/su behavior: $SU_OUTPUT"
             exit 1
           fi
 

Dockerfile

@@ -32,9 +32,11 @@ RUN mkdir -p /etc/apt/keyrings \
 
 # Layer 2: User permissions - sudo with su blocked
 RUN apt-get update && apt-get install -y --no-install-recommends sudo \
-    && echo "coder ALL=(ALL) NOPASSWD: ALL, !/usr/bin/su, !/bin/su" > /etc/sudoers.d/coder-nopasswd \
-    && chmod 440 /etc/sudoers.d/coder-nopasswd \
-    && visudo -c -f /etc/sudoers.d/coder-nopasswd \
+    && find /etc/sudoers.d -maxdepth 1 -type f -name '*coder*' -delete \
+    && echo "coder ALL=(ALL) NOPASSWD: ALL, !/usr/bin/su, !/bin/su" > /etc/sudoers.d/zz-coder-policy \
+    && chmod 440 /etc/sudoers.d/zz-coder-policy \
+    && visudo -c -f /etc/sudoers.d/zz-coder-policy \
+    && sudo -l -U coder | grep -Eq '!(/usr/bin/su|/bin/su)' \
     && rm -rf /var/lib/apt/lists/*
 
 # Layer 3: Go (pinned stable) with China mirror and tools