Skip to content

sudo: properly allow wheel group to use sudo via visudo#6

Open
ljmf00 wants to merge 1 commit intoipleiria-labrob:masterfrom
ljmf00:fix-sudo
Open

sudo: properly allow wheel group to use sudo via visudo#6
ljmf00 wants to merge 1 commit intoipleiria-labrob:masterfrom
ljmf00:fix-sudo

Conversation

@ljmf00
Copy link
Copy Markdown
Member

@ljmf00 ljmf00 commented Nov 3, 2020

Signed-off-by: Luís Ferreira contact@lsferreira.net

The same approach on Arch Linux infrastructure https://git.archlinux.org/infrastructure.git/tree/roles/sudo/tasks/main.yml as sudoers file already has entries for what is done here previously. Also it's better to use visudo to edit /etc/sudoers.

This approach will unsure that running ansible twice won't break /etc/sudoers file.

@ljmf00
sudo: properly allow wheel group to use sudo via visudo
b8d0713 
Signed-off-by: Luís Ferreira <contact@lsferreira.net>
@ljmf00 ljmf00 requested a review from FFY00 November 3, 2020 13:53
FFY00
FFY00 approved these changes Nov 3, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@FFY00 FFY00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please keep sudores.d support and just install a new file there with your config.

FFY00
FFY00 requested changes Nov 3, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@FFY00 FFY00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry.

@ljmf00
Copy link
Copy Markdown
Member Author

ljmf00 commented Nov 3, 2020

Please keep sudores.d support and just install a new file there with your config.

The sudoers.d support is enabled by default on arch. The previous method mess some things up when running the ansible playbook.

This is what the default configuration looks like:


## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

So instead of modifying the sudoers, you propose to add the changes on /etc/sudoers.d seperate files?

@FFY00
Copy link
Copy Markdown
Member

FFY00 commented Nov 3, 2020

The sudoers.d support is enabled by default on arch.

Yes, but that can change anytime.

The previous method mess some things up when running the ansible playbook.

Could you elaborate?

So instead of modifying the sudoers, you propose to add the changes on /etc/sudoers.d seperate files?

Yes, that avoids all this regex complexity. Also, the current regex is easily breakable, if we go with the regex approach we should use something a bit better.

@ljmf00
Copy link
Copy Markdown
Member Author

ljmf00 commented Nov 3, 2020
edited
Loading

Yes, but that can change anytime.

Sure, then I propose to have our own sudoers template, instead.

Could you elaborate?

The problem I faced is because /etc/sudoers changed on a new update, and by adding includedir like this:

- name: enable sudoers.d support
  lineinfile:
    path: /etc/sudoers
    line: '#includedir /etc/sudoers.d'

With the new configuration, it will write something like:


## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d
#includedir /etc/sudoers.d

And will include the files inside sudoers.d twice. See the error when running something with sudo:

/etc/sudoers.d/archbuild:5: Alias "ARCHBUILD" already defined
                       /usr/bin/makerepropkg

Yes, that avoids all this regex complexity. Also, the current regex is easily breakable, if we go with the regex approach we should use something a bit better.

Yeah agree.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FFY00 FFY00 FFY00 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ljmf00 @FFY00