From 6482720e07eaa20364a2fc1c736db84df398097c Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 22:53:32 -0500 Subject: [PATCH] First pass fix the sudo files for EL Signed-off-by: Jason Rothstein --- .../10/9/etc/dnf/protected.d/sudo.conf | 1 - templates/AlmaLinux/10/9/etc/pam.d/sudo | 5 - templates/AlmaLinux/10/9/etc/pam.d/sudo-i | 6 - templates/AlmaLinux/10/9/etc/sudo.conf | 124 ------------------ templates/AlmaLinux/10/9/etc/sudoers | 120 ----------------- .../10/9/etc/sudoers.d/session_log.j2 | 6 - templates/AlmaLinux/10/etc/pam.d/sudo | 2 - templates/AlmaLinux/10/etc/sudo.conf | 35 ++--- templates/AlmaLinux/10/etc/sudoers | 4 +- .../8/9/etc/dnf/protected.d/sudo.conf | 1 - templates/AlmaLinux/8/9/etc/pam.d/sudo | 5 - templates/AlmaLinux/8/9/etc/pam.d/sudo-i | 6 - templates/AlmaLinux/8/9/etc/sudo.conf | 124 ------------------ templates/AlmaLinux/8/9/etc/sudoers | 120 ----------------- .../8/9/etc/sudoers.d/session_log.j2 | 6 - templates/AlmaLinux/8/etc/pam.d/sudo | 2 - templates/AlmaLinux/8/etc/sudo.conf | 35 ++--- templates/AlmaLinux/8/etc/sudoers | 4 +- .../9/9/etc/dnf/protected.d/sudo.conf | 1 - templates/AlmaLinux/9/9/etc/pam.d/sudo | 5 - templates/AlmaLinux/9/9/etc/pam.d/sudo-i | 6 - templates/AlmaLinux/9/9/etc/sudo.conf | 124 ------------------ templates/AlmaLinux/9/9/etc/sudoers | 120 ----------------- .../9/9/etc/sudoers.d/session_log.j2 | 6 - templates/AlmaLinux/9/etc/pam.d/sudo | 2 - templates/AlmaLinux/9/etc/sudo.conf | 35 ++--- templates/AlmaLinux/9/etc/sudoers | 4 +- templates/OracleLinux/10/etc/pam.d/sudo | 2 - templates/OracleLinux/10/etc/sudo.conf | 35 ++--- templates/OracleLinux/10/etc/sudoers | 4 +- templates/OracleLinux/8/etc/pam.d/sudo | 2 - templates/OracleLinux/8/etc/sudo.conf | 35 ++--- templates/OracleLinux/8/etc/sudoers | 4 +- templates/OracleLinux/9/etc/pam.d/sudo | 2 - templates/OracleLinux/9/etc/sudo.conf | 35 ++--- templates/OracleLinux/9/etc/sudoers | 4 +- templates/Rocky/10/etc/pam.d/sudo | 2 - templates/Rocky/10/etc/sudo.conf | 35 ++--- templates/Rocky/10/etc/sudoers | 4 +- templates/Rocky/8/etc/pam.d/sudo | 2 - templates/Rocky/8/etc/sudo.conf | 35 ++--- templates/Rocky/8/etc/sudoers | 4 +- templates/Rocky/9/etc/pam.d/sudo | 2 - templates/Rocky/9/etc/sudo.conf | 35 ++--- templates/Rocky/9/etc/sudoers | 4 +- 45 files changed, 144 insertions(+), 1011 deletions(-) delete mode 100644 templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/AlmaLinux/10/9/etc/pam.d/sudo delete mode 100644 templates/AlmaLinux/10/9/etc/pam.d/sudo-i delete mode 100644 templates/AlmaLinux/10/9/etc/sudo.conf delete mode 100644 templates/AlmaLinux/10/9/etc/sudoers delete mode 100644 templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 delete mode 100644 templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/AlmaLinux/8/9/etc/pam.d/sudo delete mode 100644 templates/AlmaLinux/8/9/etc/pam.d/sudo-i delete mode 100644 templates/AlmaLinux/8/9/etc/sudo.conf delete mode 100644 templates/AlmaLinux/8/9/etc/sudoers delete mode 100644 templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 delete mode 100644 templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/AlmaLinux/9/9/etc/pam.d/sudo delete mode 100644 templates/AlmaLinux/9/9/etc/pam.d/sudo-i delete mode 100644 templates/AlmaLinux/9/9/etc/sudo.conf delete mode 100644 templates/AlmaLinux/9/9/etc/sudoers delete mode 100644 templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 diff --git a/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/AlmaLinux/10/9/etc/pam.d/sudo b/templates/AlmaLinux/10/9/etc/pam.d/sudo deleted file mode 100644 index fcb7a46..0000000 --- a/templates/AlmaLinux/10/9/etc/pam.d/sudo +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session include system-auth diff --git a/templates/AlmaLinux/10/9/etc/pam.d/sudo-i b/templates/AlmaLinux/10/9/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/AlmaLinux/10/9/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/AlmaLinux/10/9/etc/sudo.conf b/templates/AlmaLinux/10/9/etc/sudo.conf deleted file mode 100644 index 27ccc72..0000000 --- a/templates/AlmaLinux/10/9/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/10/9/etc/sudoers b/templates/AlmaLinux/10/9/etc/sudoers deleted file mode 100644 index 93e02ba..0000000 --- a/templates/AlmaLinux/10/9/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/AlmaLinux/10/etc/pam.d/sudo b/templates/AlmaLinux/10/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/AlmaLinux/10/etc/pam.d/sudo +++ b/templates/AlmaLinux/10/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/AlmaLinux/10/etc/sudo.conf b/templates/AlmaLinux/10/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/AlmaLinux/10/etc/sudo.conf +++ b/templates/AlmaLinux/10/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/AlmaLinux/10/etc/sudoers b/templates/AlmaLinux/10/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/AlmaLinux/10/etc/sudoers +++ b/templates/AlmaLinux/10/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/AlmaLinux/8/9/etc/pam.d/sudo b/templates/AlmaLinux/8/9/etc/pam.d/sudo deleted file mode 100644 index fcb7a46..0000000 --- a/templates/AlmaLinux/8/9/etc/pam.d/sudo +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session include system-auth diff --git a/templates/AlmaLinux/8/9/etc/pam.d/sudo-i b/templates/AlmaLinux/8/9/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/AlmaLinux/8/9/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/AlmaLinux/8/9/etc/sudo.conf b/templates/AlmaLinux/8/9/etc/sudo.conf deleted file mode 100644 index 27ccc72..0000000 --- a/templates/AlmaLinux/8/9/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/8/9/etc/sudoers b/templates/AlmaLinux/8/9/etc/sudoers deleted file mode 100644 index 93e02ba..0000000 --- a/templates/AlmaLinux/8/9/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/AlmaLinux/8/etc/pam.d/sudo b/templates/AlmaLinux/8/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/AlmaLinux/8/etc/pam.d/sudo +++ b/templates/AlmaLinux/8/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/AlmaLinux/8/etc/sudo.conf b/templates/AlmaLinux/8/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/AlmaLinux/8/etc/sudo.conf +++ b/templates/AlmaLinux/8/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/AlmaLinux/8/etc/sudoers b/templates/AlmaLinux/8/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/AlmaLinux/8/etc/sudoers +++ b/templates/AlmaLinux/8/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/AlmaLinux/9/9/etc/pam.d/sudo b/templates/AlmaLinux/9/9/etc/pam.d/sudo deleted file mode 100644 index fcb7a46..0000000 --- a/templates/AlmaLinux/9/9/etc/pam.d/sudo +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session include system-auth diff --git a/templates/AlmaLinux/9/9/etc/pam.d/sudo-i b/templates/AlmaLinux/9/9/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/AlmaLinux/9/9/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/AlmaLinux/9/9/etc/sudo.conf b/templates/AlmaLinux/9/9/etc/sudo.conf deleted file mode 100644 index 27ccc72..0000000 --- a/templates/AlmaLinux/9/9/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/9/9/etc/sudoers b/templates/AlmaLinux/9/9/etc/sudoers deleted file mode 100644 index 93e02ba..0000000 --- a/templates/AlmaLinux/9/9/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/AlmaLinux/9/etc/pam.d/sudo b/templates/AlmaLinux/9/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/AlmaLinux/9/etc/pam.d/sudo +++ b/templates/AlmaLinux/9/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/AlmaLinux/9/etc/sudo.conf b/templates/AlmaLinux/9/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/AlmaLinux/9/etc/sudo.conf +++ b/templates/AlmaLinux/9/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/AlmaLinux/9/etc/sudoers b/templates/AlmaLinux/9/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/AlmaLinux/9/etc/sudoers +++ b/templates/AlmaLinux/9/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/OracleLinux/10/etc/pam.d/sudo b/templates/OracleLinux/10/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/OracleLinux/10/etc/pam.d/sudo +++ b/templates/OracleLinux/10/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/OracleLinux/10/etc/sudo.conf b/templates/OracleLinux/10/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/OracleLinux/10/etc/sudo.conf +++ b/templates/OracleLinux/10/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/10/etc/sudoers b/templates/OracleLinux/10/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/OracleLinux/10/etc/sudoers +++ b/templates/OracleLinux/10/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/OracleLinux/8/etc/pam.d/sudo b/templates/OracleLinux/8/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/OracleLinux/8/etc/pam.d/sudo +++ b/templates/OracleLinux/8/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/OracleLinux/8/etc/sudo.conf b/templates/OracleLinux/8/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/OracleLinux/8/etc/sudo.conf +++ b/templates/OracleLinux/8/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/8/etc/sudoers b/templates/OracleLinux/8/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/OracleLinux/8/etc/sudoers +++ b/templates/OracleLinux/8/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/OracleLinux/9/etc/pam.d/sudo b/templates/OracleLinux/9/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/OracleLinux/9/etc/pam.d/sudo +++ b/templates/OracleLinux/9/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/OracleLinux/9/etc/sudo.conf b/templates/OracleLinux/9/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/OracleLinux/9/etc/sudo.conf +++ b/templates/OracleLinux/9/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/9/etc/sudoers b/templates/OracleLinux/9/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/OracleLinux/9/etc/sudoers +++ b/templates/OracleLinux/9/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/Rocky/10/etc/pam.d/sudo b/templates/Rocky/10/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/Rocky/10/etc/pam.d/sudo +++ b/templates/Rocky/10/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/Rocky/10/etc/sudo.conf b/templates/Rocky/10/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/Rocky/10/etc/sudo.conf +++ b/templates/Rocky/10/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/10/etc/sudoers b/templates/Rocky/10/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/Rocky/10/etc/sudoers +++ b/templates/Rocky/10/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/Rocky/8/etc/pam.d/sudo b/templates/Rocky/8/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/Rocky/8/etc/pam.d/sudo +++ b/templates/Rocky/8/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/Rocky/8/etc/sudo.conf b/templates/Rocky/8/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/Rocky/8/etc/sudo.conf +++ b/templates/Rocky/8/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/8/etc/sudoers b/templates/Rocky/8/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/Rocky/8/etc/sudoers +++ b/templates/Rocky/8/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/Rocky/9/etc/pam.d/sudo b/templates/Rocky/9/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/Rocky/9/etc/pam.d/sudo +++ b/templates/Rocky/9/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/Rocky/9/etc/sudo.conf b/templates/Rocky/9/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/Rocky/9/etc/sudo.conf +++ b/templates/Rocky/9/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/9/etc/sudoers b/templates/Rocky/9/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/Rocky/9/etc/sudoers +++ b/templates/Rocky/9/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple