authorEmil Renner Berthing <esmil@labitat.dk>2020-02-29 18:41:44 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2020-02-29 20:00:41 +0100
commite2efdd3540a2d67d5ffd90411110902c7f336b1f (patch)
tree528a25db6e720cb0641ebbeda793def56aad13b1
parent1efc14b28b9af25a1f4cea187c10963464bb5fe2 (diff)
fedora: sudo: update sudoers file
-rw-r--r--roles/fedora/files/sudoers30
1 files changed, 27 insertions, 3 deletions
diff --git a/roles/fedora/files/sudoers b/roles/fedora/files/sudoers
index 069052c..088c9c0 100644
--- a/roles/fedora/files/sudoers
+++ b/roles/fedora/files/sudoers
@@ -30,7 +30,7 @@
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
-# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
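Review bot: The systemctl entries added to the SERVICES alias name a subcommand but no unit argument, and in sudoers a command listed with arguments matches only when the caller's arguments are exactly those given (or match a wildcard), so `/usr/bin/systemctl start` would match `sudo systemctl start` but not `sudo systemctl start foo`. To cover a unit name each entry needs a trailing wildcard, e.g. `/usr/bin/systemctl start *`, which should be weighed against how broad that becomes for `enable` and `disable`. The line is commented out in this commit, so nothing changes today, but it is the template the next admin will uncomment, and as written the alias would grant less than its name suggests. A one-line comment above it, `# arguments must match exactly; append * to allow a unit name`, would make the intent clear.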
@@ -54,14 +54,38 @@
#
Defaults !visiblepw
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+Defaults match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+# Defaults always_query_group_plugin
+
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
-Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults env_keep += "HOME"
+
+Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple