From 7e26fd1d0b1dc8ecea10bfacd96cf4e48236121b Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing <esmil@labitat.dk> Date: Thu, 27 Feb 2020 18:26:55 +0100 Subject: space_server: move sudo tasks to fedora role ..to align with debian role --- roles/fedora/files/sudoers | 96 +++++++++++++++++++++++++++++++++++++++ roles/fedora/tasks/main.yml | 2 + roles/fedora/tasks/sudo.yml | 11 +++++ roles/space_server/files/sudoers | 96 --------------------------------------- roles/space_server/tasks/main.yml | 2 - roles/space_server/tasks/sudo.yml | 11 ----- 6 files changed, 109 insertions(+), 109 deletions(-) create mode 100644 roles/fedora/files/sudoers create mode 100644 roles/fedora/tasks/sudo.yml delete mode 100644 roles/space_server/files/sudoers delete mode 100644 roles/space_server/tasks/sudo.yml (limited to 'roles') diff --git a/roles/fedora/files/sudoers b/roles/fedora/files/sudoers new file mode 100644 index 0000000..069052c --- /dev/null +++ b/roles/fedora/files/sudoers @@ -0,0 +1,96 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +# %wheel ALL=(ALL) ALL + +## Same thing without a password +%wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/roles/fedora/tasks/main.yml b/roles/fedora/tasks/main.yml index de4c160..e3f69a3 100644 --- a/roles/fedora/tasks/main.yml +++ b/roles/fedora/tasks/main.yml @@ -22,5 +22,7 @@ tags: timesyncd - import_tasks: sshd.yml tags: sshd +- import_tasks: sudo.yml + tags: sudo # vim: set ts=2 sw=2 et: diff --git a/roles/fedora/tasks/sudo.yml b/roles/fedora/tasks/sudo.yml new file mode 100644 index 0000000..7125a4b --- /dev/null +++ b/roles/fedora/tasks/sudo.yml @@ -0,0 +1,11 @@ +--- +- name: Install sudoers file + copy: + dest: '/etc/sudoers' + src: sudoers + owner: root + group: root + mode: 0440 + validate: visudo -cf %s + +# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/files/sudoers b/roles/space_server/files/sudoers deleted file mode 100644 index 069052c..0000000 --- a/roles/space_server/files/sudoers +++ /dev/null @@ -1,96 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -# %wheel ALL=(ALL) ALL - -## Same thing without a password -%wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml index 1c5ae7c..f4f89d6 100644 --- a/roles/space_server/tasks/main.yml +++ b/roles/space_server/tasks/main.yml @@ -9,8 +9,6 @@ tags: - fstab -- import_tasks: sudo.yml - tags: sudo - import_tasks: kernel.yml tags: kernel - import_tasks: gettys.yml diff --git a/roles/space_server/tasks/sudo.yml b/roles/space_server/tasks/sudo.yml deleted file mode 100644 index 7125a4b..0000000 --- a/roles/space_server/tasks/sudo.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Install sudoers file - copy: - dest: '/etc/sudoers' - src: sudoers - owner: root - group: root - mode: 0440 - validate: visudo -cf %s - -# vim: set ts=2 sw=2 et: -- cgit v1.2.1