We decided a new policy for sudo in stretch because our previous stretch policy is buggy

2017-08-22 00:29:29 +02:00 · 2017-08-22 00:29:29 +02:00 · ab08969cfb
parent f0ced31efa
commit ab08969cfb
2 changed files with 11 additions and 3 deletions
--- a/admin-users/tasks/user.yml
+++ b/admin-users/tasks/user.yml
@ -35,14 +35,21 @@
   update_password: on_create
  when: loginisbusy.rc != 0 and uidisbusy.rc == 0

- name: "Create {{ admin_users_group }}"
+- name: "Create evolinux-sudo group"
+  group:
+    name: evolinux-sudo
+    system: yes
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: "Create {{ admin_users_group }} group"
  group:
    name: "{{ admin_users_group }}"
+  when: ansible_distribution_major_version | version_compare('9', '>=')

 - name: "Add user to sudo group (Debian 9 or later)"
  user:
    name: '{{ user.name }}'
-    groups: 'sudo,{{ admin_users_group }}'
+    groups: 'evolinux-sudo,{{ admin_users_group }}'
    append: yes
  when: ansible_distribution_major_version | version_compare('9', '>=')

--- a/admin-users/templates/sudoers_stretch.j2
+++ b/admin-users/templates/sudoers_stretch.j2
@ -5,4 +5,5 @@ Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
 nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt

-%sudo           ALL = NOPASSWD: MAINT
+%evolinux-sudo  ALL=(ALL:ALL) ALL
+%evolinux-sudo  ALL = NOPASSWD: MAINT