We decided a new policy for sudo in stretch because our previous stretch policy is buggy
parent
f0ced31efa
commit
ab08969cfb
|
@ -35,14 +35,21 @@
|
||||||
update_password: on_create
|
update_password: on_create
|
||||||
when: loginisbusy.rc != 0 and uidisbusy.rc == 0
|
when: loginisbusy.rc != 0 and uidisbusy.rc == 0
|
||||||
|
|
||||||
- name: "Create {{ admin_users_group }}"
|
- name: "Create evolinux-sudo group"
|
||||||
|
group:
|
||||||
|
name: evolinux-sudo
|
||||||
|
system: yes
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: "Create {{ admin_users_group }} group"
|
||||||
group:
|
group:
|
||||||
name: "{{ admin_users_group }}"
|
name: "{{ admin_users_group }}"
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- name: "Add user to sudo group (Debian 9 or later)"
|
- name: "Add user to sudo group (Debian 9 or later)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: 'sudo,{{ admin_users_group }}'
|
groups: 'evolinux-sudo,{{ admin_users_group }}'
|
||||||
append: yes
|
append: yes
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
|
|
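Review bot: Changing the `groups:` value from `sudo` to `evolinux-sudo` in "Add user to sudo group (Debian 9 or later)" does not take anyone out of `sudo`: with `append: yes` the user module only adds groups, so accounts set up by an earlier run keep their `sudo` membership. If the host's sudoers still carries a `%sudo` rule (Debian ships one by default; the rest of the sudoers configuration is not visible here), those accounts keep their previous rights and the new policy is only additive on existing machines. I would state this next to the task, `# append: yes never removes the old 'sudo' membership; clean it up separately on already-deployed hosts`, or add an explicit cleanup task for the old group. The task name also still says "sudo group" although it now manages `evolinux-sudo`.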
@ -5,4 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
|
||||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||||
|
|
||||||
%sudo ALL = NOPASSWD: MAINT
|
%evolinux-sudo ALL=(ALL:ALL) ALL
|
||||||
|
%evolinux-sudo ALL = NOPASSWD: MAINT
|
||||||
|
|
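Review bot: The two new `%evolinux-sudo` lines depend on their order and nothing in the file says so: sudoers applies the last matching entry, so `NOPASSWD: MAINT` only takes effect because it comes after `ALL=(ALL:ALL) ALL`. I would add a comment above them, `# Order matters: last match wins, keep the NOPASSWD rule below the general one`. The part of the `MAINT` alias visible in the hunk header lists `evomaintenance.sh` without arguments, which lets it run as root with any arguments and no password prompt, so the scripts behind the alias should be root-owned and not writable by group members; the full alias definition is outside the hunk. The spacing also differs between the two lines (`ALL=(ALL:ALL)` versus `ALL = `), which is harmless but worth aligning with the rest of the file.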