added sudo
This commit is contained in:
Jonas Forsberg
parent
e9ad0938f8
commit
8f75ef9111
88
salt/states/files/sudoers
Normal file
88
salt/states/files/sudoers
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
## sudoers file.
|
||||||
|
##
|
||||||
|
## This file MUST be edited with the 'visudo' command as root.
|
||||||
|
## Failure to use 'visudo' may result in syntax or file permission errors
|
||||||
|
## that prevent sudo from running.
|
||||||
|
##
|
||||||
|
## See the sudoers man page for the details on how to write a sudoers file.
|
||||||
|
##
|
||||||
|
|
||||||
|
##
|
||||||
|
## Host alias specification
|
||||||
|
##
|
||||||
|
## Groups of machines. These may include host names (optionally with wildcards),
|
||||||
|
## IP addresses, network numbers or netgroups.
|
||||||
|
# Host_Alias WEBSERVERS = www1, www2, www3
|
||||||
|
|
||||||
|
##
|
||||||
|
## User alias specification
|
||||||
|
##
|
||||||
|
## Groups of users. These may consist of user names, uids, Unix groups,
|
||||||
|
## or netgroups.
|
||||||
|
# User_Alias ADMINS = millert, dowdy, mikef
|
||||||
|
|
||||||
|
##
|
||||||
|
## Cmnd alias specification
|
||||||
|
##
|
||||||
|
## Groups of commands. Often used to group related commands together.
|
||||||
|
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
|
||||||
|
# /usr/bin/pkill, /usr/bin/top
|
||||||
|
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
|
||||||
|
|
||||||
|
##
|
||||||
|
## Defaults specification
|
||||||
|
##
|
||||||
|
## Prevent environment variables from influencing programs in an
|
||||||
|
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
|
||||||
|
Defaults always_set_home
|
||||||
|
## Path that will be used for every command run from sudo
|
||||||
|
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
Defaults env_reset
|
||||||
|
## Change env_reset to !env_reset in previous line to keep all environment variables
|
||||||
|
## Following list will no longer be nevessary after this change
|
||||||
|
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
||||||
|
## Comment out the preceding line and uncomment the following one if you need
|
||||||
|
## to use special input methods. This may allow users to compromise the root
|
||||||
|
## account if they are allowed to run commands without authentication.
|
||||||
|
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
|
||||||
|
|
||||||
|
## Do not insult users when they enter an incorrect password.
|
||||||
|
Defaults !insults
|
||||||
|
|
||||||
|
## Uncomment to use a hard-coded PATH instead of the user's to find commands
|
||||||
|
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
##
|
||||||
|
## Uncomment to send mail if the user does not enter the correct password.
|
||||||
|
# Defaults mail_badpass
|
||||||
|
##
|
||||||
|
## Uncomment to enable logging of a command's output, except for
|
||||||
|
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
|
||||||
|
# Defaults log_output
|
||||||
|
# Defaults!/usr/bin/sudoreplay !log_output
|
||||||
|
# Defaults!REBOOT !log_output
|
||||||
|
|
||||||
|
## In the default (unconfigured) configuration, sudo asks for the root password.
|
||||||
|
## This allows use of an ordinary user account for administration of a freshly
|
||||||
|
## installed system. When configuring sudo, delete the two
|
||||||
|
## following lines:
|
||||||
|
#Defaults targetpw # ask for the password of the target user i.e. root
|
||||||
|
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
|
||||||
|
|
||||||
|
##
|
||||||
|
## Runas alias specification
|
||||||
|
##
|
||||||
|
|
||||||
|
##
|
||||||
|
## User privilege specification
|
||||||
|
##
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Uncomment to allow members of group wheel to execute any command
|
||||||
|
# %wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d
|
||||||
|
## (the '#' here does not indicate a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
22
salt/states/sudo.sls
Normal file
22
salt/states/sudo.sls
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
Configure sudoers:
|
||||||
|
file.managed:
|
||||||
|
- name: /etc/sudoers
|
||||||
|
- source: salt://files/sudoers
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: "0440"
|
||||||
|
|
||||||
|
add sudoers.d file for {{ pillar['username'] }}:
|
||||||
|
file.managed:
|
||||||
|
- name: /etc/sudoers.d/{{ pillar['username'] }}
|
||||||
|
- source: salt://files/user_sudo
|
||||||
|
- template: jinja
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0640
|
||||||
|
|
||||||
|
remove root password:
|
||||||
|
cmd.run:
|
||||||
|
- name: usermod -p '!' root
|
||||||
|
- unless: '[[ $(grep root /etc/shadow | cut -f2 -d":") == "!" ]]'
|
||||||
|
|
||||||
@ -6,3 +6,4 @@ base:
|
|||||||
- vim
|
- vim
|
||||||
- firefox
|
- firefox
|
||||||
- borgbackup
|
- borgbackup
|
||||||
|
- sudo
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user