Compare commits
42 Commits
539b7449e4
...
395eab01c1
| Author | SHA1 | Date | |
|---|---|---|---|
|
395eab01c1
|
|||
| 568c8cbfcb | |||
|
50a7fc890b
|
|||
|
6482720e07
|
|||
|
28bb67975e
|
|||
|
39e701a0bf
|
|||
|
c729488227
|
|||
|
193211d349
|
|||
|
1a64c362be
|
|||
|
dc6c08c0e5
|
|||
|
b1dc671bfb
|
|||
|
4fed9b890a
|
|||
|
0c5e392b05
|
|||
|
113904a846
|
|||
|
7fd1b46cdc
|
|||
|
9646e3da30
|
|||
|
1114295b03
|
|||
|
0c312ee0ad
|
|||
| d6b0136276 | |||
| 01481b534e | |||
| 0a788d5c4e | |||
| 45434263c7 | |||
| 55e38f3370 | |||
| de222f0b71 | |||
| 8de48b63e3 | |||
| 2423792139 | |||
| 6f4c0451aa | |||
| bb980765cb | |||
| ad92ecfd9c | |||
| 4a889a31bc | |||
| bdd06e2d44 | |||
| 38fbd29350 | |||
| 8bb7f19527 | |||
| 87b2934cba | |||
| 8147f41d6f | |||
| 329e5bd68e | |||
| 9f589ee5ce | |||
| 4e58508b8e | |||
| f6031f74d1 | |||
| ea082eab65 | |||
| fcba030a5b | |||
| 31ae9def96 |
@@ -0,0 +1,78 @@
|
|||||||
|
# ---> Ansible
|
||||||
|
*.retry
|
||||||
|
|
||||||
|
# ---> Windows
|
||||||
|
# Windows thumbnail cache files
|
||||||
|
Thumbs.db
|
||||||
|
ehthumbs.db
|
||||||
|
ehthumbs_vista.db
|
||||||
|
|
||||||
|
# Dump file
|
||||||
|
*.stackdump
|
||||||
|
|
||||||
|
# Folder config file
|
||||||
|
[Dd]esktop.ini
|
||||||
|
|
||||||
|
# Recycle Bin used on file shares
|
||||||
|
$RECYCLE.BIN/
|
||||||
|
|
||||||
|
# Windows Installer files
|
||||||
|
*.cab
|
||||||
|
*.msi
|
||||||
|
*.msix
|
||||||
|
*.msm
|
||||||
|
*.msp
|
||||||
|
|
||||||
|
# Windows shortcuts
|
||||||
|
*.lnk
|
||||||
|
|
||||||
|
# ---> macOS
|
||||||
|
# General
|
||||||
|
.DS_Store
|
||||||
|
.AppleDouble
|
||||||
|
.LSOverride
|
||||||
|
|
||||||
|
# Icon must end with two \r
|
||||||
|
Icon
|
||||||
|
|
||||||
|
|
||||||
|
# Thumbnails
|
||||||
|
._*
|
||||||
|
|
||||||
|
# Files that might appear in the root of a volume
|
||||||
|
.DocumentRevisions-V100
|
||||||
|
.fseventsd
|
||||||
|
.Spotlight-V100
|
||||||
|
.TemporaryItems
|
||||||
|
.Trashes
|
||||||
|
.VolumeIcon.icns
|
||||||
|
.com.apple.timemachine.donotpresent
|
||||||
|
|
||||||
|
# Directories potentially created on remote AFP share
|
||||||
|
.AppleDB
|
||||||
|
.AppleDesktop
|
||||||
|
Network Trash Folder
|
||||||
|
Temporary Items
|
||||||
|
.apdisk
|
||||||
|
|
||||||
|
# ---> Linux
|
||||||
|
*~
|
||||||
|
|
||||||
|
# temporary files which can be created if a process still has a handle open of a deleted file
|
||||||
|
.fuse_hidden*
|
||||||
|
|
||||||
|
# KDE directory preferences
|
||||||
|
.directory
|
||||||
|
|
||||||
|
# Linux trash folder which might appear on any partition or disk
|
||||||
|
.Trash-*
|
||||||
|
|
||||||
|
# .nfs files are created when an open file is removed but is still being accessed
|
||||||
|
.nfs*
|
||||||
|
|
||||||
|
# ---> VisualStudioCode
|
||||||
|
.vscode/*
|
||||||
|
!.vscode/settings.json
|
||||||
|
!.vscode/tasks.json
|
||||||
|
!.vscode/launch.json
|
||||||
|
!.vscode/extensions.json
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
language: python
|
||||||
|
python: "2.7"
|
||||||
|
|
||||||
|
# Use the new container infrastructure
|
||||||
|
sudo: false
|
||||||
|
|
||||||
|
# Install ansible
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- python-pip
|
||||||
|
|
||||||
|
install:
|
||||||
|
# Install ansible
|
||||||
|
- pip install ansible
|
||||||
|
|
||||||
|
# Check ansible version
|
||||||
|
- ansible --version
|
||||||
|
|
||||||
|
# Create ansible.cfg with correct roles_path
|
||||||
|
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
||||||
|
|
||||||
|
script:
|
||||||
|
# Basic role syntax check
|
||||||
|
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
|
||||||
|
|
||||||
|
notifications:
|
||||||
|
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
||||||
@@ -0,0 +1,163 @@
|
|||||||
|
GNU LESSER GENERAL PUBLIC LICENSE
|
||||||
|
|
||||||
|
Version 3, 29 June 2007
|
||||||
|
|
||||||
|
Copyright (C) 2007 Free Software Foundation, Inc. <http s ://fsf.org/>
|
||||||
|
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies of this license
|
||||||
|
document, but changing it is not allowed.
|
||||||
|
|
||||||
|
This version of the GNU Lesser General Public License incorporates the terms
|
||||||
|
and conditions of version 3 of the GNU General Public License, supplemented
|
||||||
|
by the additional permissions listed below.
|
||||||
|
|
||||||
|
0. Additional Definitions.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
As used herein, "this License" refers to version 3 of the GNU Lesser General
|
||||||
|
Public License, and the "GNU GPL" refers to version 3 of the GNU General Public
|
||||||
|
License.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
"The Library" refers to a covered work governed by this License, other than
|
||||||
|
an Application or a Combined Work as defined below.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
An "Application" is any work that makes use of an interface provided by the
|
||||||
|
Library, but which is not otherwise based on the Library. Defining a subclass
|
||||||
|
of a class defined by the Library is deemed a mode of using an interface provided
|
||||||
|
by the Library.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
A "Combined Work" is a work produced by combining or linking an Application
|
||||||
|
with the Library. The particular version of the Library with which the Combined
|
||||||
|
Work was made is also called the "Linked Version".
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
The "Minimal Corresponding Source" for a Combined Work means the Corresponding
|
||||||
|
Source for the Combined Work, excluding any source code for portions of the
|
||||||
|
Combined Work that, considered in isolation, are based on the Application,
|
||||||
|
and not on the Linked Version.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
The "Corresponding Application Code" for a Combined Work means the object
|
||||||
|
code and/or source code for the Application, including any data and utility
|
||||||
|
programs needed for reproducing the Combined Work from the Application, but
|
||||||
|
excluding the System Libraries of the Combined Work.
|
||||||
|
|
||||||
|
1. Exception to Section 3 of the GNU GPL.
|
||||||
|
|
||||||
|
You may convey a covered work under sections 3 and 4 of this License without
|
||||||
|
being bound by section 3 of the GNU GPL.
|
||||||
|
|
||||||
|
2. Conveying Modified Versions.
|
||||||
|
|
||||||
|
If you modify a copy of the Library, and, in your modifications, a facility
|
||||||
|
refers to a function or data to be supplied by an Application that uses the
|
||||||
|
facility (other than as an argument passed when the facility is invoked),
|
||||||
|
then you may convey a copy of the modified version:
|
||||||
|
|
||||||
|
a) under this License, provided that you make a good faith effort to ensure
|
||||||
|
that, in the event an Application does not supply the function or data, the
|
||||||
|
facility still operates, and performs whatever part of its purpose remains
|
||||||
|
meaningful, or
|
||||||
|
|
||||||
|
b) under the GNU GPL, with none of the additional permissions of this License
|
||||||
|
applicable to that copy.
|
||||||
|
|
||||||
|
3. Object Code Incorporating Material from Library Header Files.
|
||||||
|
|
||||||
|
The object code form of an Application may incorporate material from a header
|
||||||
|
file that is part of the Library. You may convey such object code under terms
|
||||||
|
of your choice, provided that, if the incorporated material is not limited
|
||||||
|
to numerical parameters, data structure layouts and accessors, or small macros,
|
||||||
|
inline functions and templates (ten or fewer lines in length), you do both
|
||||||
|
of the following:
|
||||||
|
|
||||||
|
a) Give prominent notice with each copy of the object code that the Library
|
||||||
|
is used in it and that the Library and its use are covered by this License.
|
||||||
|
|
||||||
|
b) Accompany the object code with a copy of the GNU GPL and this license document.
|
||||||
|
|
||||||
|
4. Combined Works.
|
||||||
|
|
||||||
|
You may convey a Combined Work under terms of your choice that, taken together,
|
||||||
|
effectively do not restrict modification of the portions of the Library contained
|
||||||
|
in the Combined Work and reverse engineering for debugging such modifications,
|
||||||
|
if you also do each of the following:
|
||||||
|
|
||||||
|
a) Give prominent notice with each copy of the Combined Work that the Library
|
||||||
|
is used in it and that the Library and its use are covered by this License.
|
||||||
|
|
||||||
|
b) Accompany the Combined Work with a copy of the GNU GPL and this license
|
||||||
|
document.
|
||||||
|
|
||||||
|
c) For a Combined Work that displays copyright notices during execution, include
|
||||||
|
the copyright notice for the Library among these notices, as well as a reference
|
||||||
|
directing the user to the copies of the GNU GPL and this license document.
|
||||||
|
|
||||||
|
d) Do one of the following:
|
||||||
|
|
||||||
|
0) Convey the Minimal Corresponding Source under the terms of this License,
|
||||||
|
and the Corresponding Application Code in a form suitable for, and under terms
|
||||||
|
that permit, the user to recombine or relink the Application with a modified
|
||||||
|
version of the Linked Version to produce a modified Combined Work, in the
|
||||||
|
manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
|
||||||
|
|
||||||
|
1) Use a suitable shared library mechanism for linking with the Library. A
|
||||||
|
suitable mechanism is one that (a) uses at run time a copy of the Library
|
||||||
|
already present on the user's computer system, and (b) will operate properly
|
||||||
|
with a modified version of the Library that is interface-compatible with the
|
||||||
|
Linked Version.
|
||||||
|
|
||||||
|
e) Provide Installation Information, but only if you would otherwise be required
|
||||||
|
to provide such information under section 6 of the GNU GPL, and only to the
|
||||||
|
extent that such information is necessary to install and execute a modified
|
||||||
|
version of the Combined Work produced by recombining or relinking the Application
|
||||||
|
with a modified version of the Linked Version. (If you use option 4d0, the
|
||||||
|
Installation Information must accompany the Minimal Corresponding Source and
|
||||||
|
Corresponding Application Code. If you use option 4d1, you must provide the
|
||||||
|
Installation Information in the manner specified by section 6 of the GNU GPL
|
||||||
|
for conveying Corresponding Source.)
|
||||||
|
|
||||||
|
5. Combined Libraries.
|
||||||
|
|
||||||
|
You may place library facilities that are a work based on the Library side
|
||||||
|
by side in a single library together with other library facilities that are
|
||||||
|
not Applications and are not covered by this License, and convey such a combined
|
||||||
|
library under terms of your choice, if you do both of the following:
|
||||||
|
|
||||||
|
a) Accompany the combined library with a copy of the same work based on the
|
||||||
|
Library, uncombined with any other library facilities, conveyed under the
|
||||||
|
terms of this License.
|
||||||
|
|
||||||
|
b) Give prominent notice with the combined library that part of it is a work
|
||||||
|
based on the Library, and explaining where to find the accompanying uncombined
|
||||||
|
form of the same work.
|
||||||
|
|
||||||
|
6. Revised Versions of the GNU Lesser General Public License.
|
||||||
|
|
||||||
|
The Free Software Foundation may publish revised and/or new versions of the
|
||||||
|
GNU Lesser General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to address
|
||||||
|
new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Library as you
|
||||||
|
received it specifies that a certain numbered version of the GNU Lesser General
|
||||||
|
Public License "or any later version" applies to it, you have the option of
|
||||||
|
following the terms and conditions either of that published version or of
|
||||||
|
any later version published by the Free Software Foundation. If the Library
|
||||||
|
as you received it does not specify a version number of the GNU Lesser General
|
||||||
|
Public License, you may choose any version of the GNU Lesser General Public
|
||||||
|
License ever published by the Free Software Foundation.
|
||||||
|
|
||||||
|
If the Library as you received it specifies that a proxy can decide whether
|
||||||
|
future versions of the GNU Lesser General Public License shall apply, that
|
||||||
|
proxy's public statement of acceptance of any version is permanent authorization
|
||||||
|
for you to choose that version for the Library.
|
||||||
@@ -0,0 +1,38 @@
|
|||||||
|
Role Name
|
||||||
|
=========
|
||||||
|
|
||||||
|
A brief description of the role goes here.
|
||||||
|
|
||||||
|
Requirements
|
||||||
|
------------
|
||||||
|
|
||||||
|
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
||||||
|
|
||||||
|
Role Variables
|
||||||
|
--------------
|
||||||
|
|
||||||
|
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
------------
|
||||||
|
|
||||||
|
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
||||||
|
|
||||||
|
Example Playbook
|
||||||
|
----------------
|
||||||
|
|
||||||
|
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
||||||
|
|
||||||
|
- hosts: servers
|
||||||
|
roles:
|
||||||
|
- { role: username.rolename, x: 42 }
|
||||||
|
|
||||||
|
License
|
||||||
|
-------
|
||||||
|
|
||||||
|
BSD
|
||||||
|
|
||||||
|
Author Information
|
||||||
|
------------------
|
||||||
|
|
||||||
|
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
# defaults file for ensure_sudo
|
||||||
|
sudo_log_retention: '90d'
|
||||||
|
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
# handlers file for ensure_sudo
|
||||||
|
- name: 'ensure_sudo.package_facts'
|
||||||
|
ansible.builtin.package_facts:
|
||||||
|
- name: 'ensure_sudo.service_facts'
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
- name: 'ensure_sudo.service_reload'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ansible_facts["service_mgr"] == 'systemd'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: 'yes'
|
||||||
|
- name: 'ensure_sudo.service_restart'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
- ensure_sudo.service_list is defined
|
||||||
|
- ensure_sudo.service_list is iterable
|
||||||
|
- item.state == 'started'
|
||||||
|
ansible.builtin.service:
|
||||||
|
enabled: '{{ item.enabled }}'
|
||||||
|
name: '{{ item.name }}'
|
||||||
|
state: 'restarted'
|
||||||
|
loop: '{{ ensure_sudo.service_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} will be restarted'
|
||||||
|
...
|
||||||
|
|
||||||
@@ -0,0 +1,53 @@
|
|||||||
|
galaxy_info:
|
||||||
|
author: Jason Rothstein
|
||||||
|
description: Ensure sudo configuration
|
||||||
|
company: your company (optional)
|
||||||
|
|
||||||
|
# If the issue tracker for your role is not on github, uncomment the
|
||||||
|
# next line and provide a value
|
||||||
|
# issue_tracker_url: http://example.com/issue/tracker
|
||||||
|
|
||||||
|
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||||
|
# - BSD-3-Clause (default)
|
||||||
|
# - MIT
|
||||||
|
# - GPL-2.0-or-later
|
||||||
|
# - GPL-3.0-only
|
||||||
|
# - Apache-2.0
|
||||||
|
# - CC-BY-4.0
|
||||||
|
license: LGPL-3.0-or-later
|
||||||
|
|
||||||
|
min_ansible_version: 2.9
|
||||||
|
|
||||||
|
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||||
|
# min_ansible_container_version:
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||||
|
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||||
|
# To view available platforms and versions (or releases), visit:
|
||||||
|
# https://galaxy.ansible.com/api/v1/platforms/
|
||||||
|
#
|
||||||
|
# platforms:
|
||||||
|
# - name: Fedora
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 25
|
||||||
|
# - name: SomePlatform
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 1.0
|
||||||
|
# - 7
|
||||||
|
# - 99.99
|
||||||
|
|
||||||
|
galaxy_tags: []
|
||||||
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
#
|
||||||
|
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||||
|
# Maximum 20 tags per role.
|
||||||
|
|
||||||
|
dependencies: []
|
||||||
|
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||||
|
# if you add dependencies to this list.
|
||||||
|
|
||||||
@@ -0,0 +1,118 @@
|
|||||||
|
---
|
||||||
|
# tasks file for ensure_sudo
|
||||||
|
- name: 'include vendor / version specific variables'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
include_vars:
|
||||||
|
file: '{{ lookup("first_found", findme ) }}'
|
||||||
|
name: 'ensure_sudo'
|
||||||
|
vars:
|
||||||
|
findme:
|
||||||
|
files:
|
||||||
|
- '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml'
|
||||||
|
- '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml'
|
||||||
|
- '{{ ansible_facts["distribution"] }}-default.yml'
|
||||||
|
- '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml'
|
||||||
|
- '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml'
|
||||||
|
- '{{ ansible_facts["os_family"] }}-default.yml'
|
||||||
|
- 'default.yml'
|
||||||
|
paths:
|
||||||
|
- '../vars/'
|
||||||
|
errors: 'ignore'
|
||||||
|
- name: 'package discovery'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ansible_facts["packages"] is not defined
|
||||||
|
ansible.builtin.package_facts:
|
||||||
|
- name: 'service discovery'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ansible_facts["services"] is not defined
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
- name: 'ensure packages'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
- ensure_sudo.package_list is defined
|
||||||
|
- ensure_sudo.package_list is iterable
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: '{{ item.name }}'
|
||||||
|
state: '{{ item.state }}'
|
||||||
|
loop: '{{ ensure_sudo.package_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} will be {{ item.state }}'
|
||||||
|
notify:
|
||||||
|
- 'ensure_sudo.package_facts'
|
||||||
|
- 'ensure_sudo.service_facts'
|
||||||
|
- name: 'ensure configurations'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
- ensure_sudo.template_list is defined
|
||||||
|
- ensure_sudo.template_list is iterable
|
||||||
|
ansible.builtin.template:
|
||||||
|
backup: 'no'
|
||||||
|
dest: '{{ item.dest }}'
|
||||||
|
group: '{{ item.group | default(omit) }}'
|
||||||
|
mode: '{{ item.mode | default(omit) }}'
|
||||||
|
owner: '{{ item.owner | default(omit) }}'
|
||||||
|
selevel: '{{ iteml.selevel | default(omit) }}'
|
||||||
|
serole: '{{ item.serole | default(omit) }}'
|
||||||
|
setype: '{{ item.setype | default(omit) }}'
|
||||||
|
seuser: '{{ item.seuser | default(omit) }}'
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
loop: '{{ ensure_sudo.template_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.dest }} will be ensured'
|
||||||
|
notify:
|
||||||
|
- 'ensure_sudo.package_facts'
|
||||||
|
- 'ensure_sudo.service_facts'
|
||||||
|
- 'ensure_sudo.service_reload'
|
||||||
|
- 'ensure_sudo.service_restart'
|
||||||
|
- name: 'ensure services'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
- ensure_sudo.service_list is defined
|
||||||
|
- ensure_sudo.service_list is iterable
|
||||||
|
ansible.builtin.service:
|
||||||
|
enabled: '{{ item.enabled }}'
|
||||||
|
name: '{{ item.name }}'
|
||||||
|
state: '{{ item.state }}'
|
||||||
|
loop: '{{ ensure_sudo.service_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} will be {{ item.state }}'
|
||||||
|
notify:
|
||||||
|
- 'ensure_sudo.package_facts'
|
||||||
|
- 'ensure_sudo.service_facts'
|
||||||
|
- name: 'find directories over log retention window under /var/log/sudo-io'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
- sudo_log_retention is defined
|
||||||
|
- sudo_log_retention is regex('^[0-9]*[smhdw]$')
|
||||||
|
ansible.builtin.find:
|
||||||
|
age: '{{ sudo_log_retention }}'
|
||||||
|
file_type: 'directory'
|
||||||
|
follow: 'no'
|
||||||
|
paths:
|
||||||
|
- '/var/log/sudo-io/'
|
||||||
|
recurse: 'yes'
|
||||||
|
register: 'results'
|
||||||
|
- name: 'And drop them'
|
||||||
|
when:
|
||||||
|
- ansible_facts["system"] == 'Linux'
|
||||||
|
- ensure_sudo is defined
|
||||||
|
- sudo_log_retention is defined
|
||||||
|
- sudo_log_retention is regex('^[0-9]*[smhdw]$')
|
||||||
|
- item.path is regex('^/var/log/sudo-io/([0-9]|[A-Z])([0-9]|[A-Z])/([0-9]|[A-Z])([0-9]|[A-Z])/([0-9]|[A-Z])([0-9]|[A-Z])$')
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '{{ item.path }}'
|
||||||
|
state: 'absent'
|
||||||
|
loop: '{{ results.files }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.path }} to be removed'
|
||||||
|
- name: 'flush handlers'
|
||||||
|
meta: 'flush_handlers'
|
||||||
|
...
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,131 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo command interception:
|
||||||
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions, which perform a policy
|
||||||
|
# check to verify whether the command is allowed and simply return
|
||||||
|
# an error if it is not. This is used to implement the "intercept"
|
||||||
|
# functionality on systems that support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_intercept.so file.
|
||||||
|
#
|
||||||
|
#Path intercept /usr/libexec/sudo/sudo_intercept.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully-qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,131 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo command interception:
|
||||||
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions, which perform a policy
|
||||||
|
# check to verify whether the command is allowed and simply return
|
||||||
|
# an error if it is not. This is used to implement the "intercept"
|
||||||
|
# functionality on systems that support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_intercept.so file.
|
||||||
|
#
|
||||||
|
#Path intercept /usr/libexec/sudo/sudo_intercept.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully-qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
|
session required pam_limits.so
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,131 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
#Plugin sudoers_policy sudoers.so
|
||||||
|
#Plugin sudoers_io sudoers.so
|
||||||
|
#Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo command interception:
|
||||||
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions, which perform a policy
|
||||||
|
# check to verify whether the command is allowed and simply return
|
||||||
|
# an error if it is not. This is used to implement the "intercept"
|
||||||
|
# functionality on systems that support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_intercept.so file.
|
||||||
|
#
|
||||||
|
#Path intercept disabled
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully-qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
#Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
|
session required pam_limits.so
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,131 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
#Plugin sudoers_policy sudoers.so
|
||||||
|
#Plugin sudoers_io sudoers.so
|
||||||
|
#Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo command interception:
|
||||||
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions, which perform a policy
|
||||||
|
# check to verify whether the command is allowed and simply return
|
||||||
|
# an error if it is not. This is used to implement the "intercept"
|
||||||
|
# functionality on systems that support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_intercept.so file.
|
||||||
|
#
|
||||||
|
#Path intercept disabled
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully-qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
#Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
|
session required pam_limits.so
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,131 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
#Plugin sudoers_policy sudoers.so
|
||||||
|
#Plugin sudoers_io sudoers.so
|
||||||
|
#Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo command interception:
|
||||||
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions, which perform a policy
|
||||||
|
# check to verify whether the command is allowed and simply return
|
||||||
|
# an error if it is not. This is used to implement the "intercept"
|
||||||
|
# functionality on systems that support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_intercept.so file.
|
||||||
|
#
|
||||||
|
#Path intercept disabled
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully-qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
#Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,131 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo command interception:
|
||||||
|
# Path intercept /path/to/sudo_intercept.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions, which perform a policy
|
||||||
|
# check to verify whether the command is allowed and simply return
|
||||||
|
# an error if it is not. This is used to implement the "intercept"
|
||||||
|
# functionality on systems that support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_intercept.so file.
|
||||||
|
#
|
||||||
|
#Path intercept /usr/libexec/sudo/sudo_intercept.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully-qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay, or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace, or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include sudo
|
||||||
|
account include sudo
|
||||||
|
password include sudo
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include sudo
|
||||||
@@ -0,0 +1,124 @@
|
|||||||
|
#
|
||||||
|
# Default /etc/sudo.conf file
|
||||||
|
#
|
||||||
|
# Sudo plugins:
|
||||||
|
# Plugin plugin_name plugin_path plugin_options ...
|
||||||
|
#
|
||||||
|
# The plugin_path is relative to /usr/libexec/sudo unless
|
||||||
|
# fully qualified.
|
||||||
|
# The plugin_name corresponds to a global symbol in the plugin
|
||||||
|
# that contains the plugin interface structure.
|
||||||
|
# The plugin_options are optional.
|
||||||
|
#
|
||||||
|
# The sudoers plugin is used by default if no Plugin lines are present.
|
||||||
|
Plugin sudoers_policy sudoers.so
|
||||||
|
Plugin sudoers_io sudoers.so
|
||||||
|
Plugin sudoers_audit sudoers.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo askpass:
|
||||||
|
# Path askpass /path/to/askpass
|
||||||
|
#
|
||||||
|
# An askpass helper program may be specified to provide a graphical
|
||||||
|
# password prompt for "sudo -A" support. Sudo does not ship with its
|
||||||
|
# own askpass program but can use the OpenSSH askpass.
|
||||||
|
#
|
||||||
|
# Use the OpenSSH askpass
|
||||||
|
#Path askpass /usr/X11R6/bin/ssh-askpass
|
||||||
|
#
|
||||||
|
# Use the Gnome OpenSSH askpass
|
||||||
|
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo device search path:
|
||||||
|
# Path devsearch /dev/path1:/dev/path2:/dev
|
||||||
|
#
|
||||||
|
# A colon-separated list of paths to check when searching for a user's
|
||||||
|
# terminal device.
|
||||||
|
#
|
||||||
|
#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo noexec:
|
||||||
|
# Path noexec /path/to/sudo_noexec.so
|
||||||
|
#
|
||||||
|
# Path to a shared library containing replacements for the execv(),
|
||||||
|
# execve() and fexecve() library functions that just return an error.
|
||||||
|
# This is used to implement the "noexec" functionality on systems that
|
||||||
|
# support LD_PRELOAD or its equivalent.
|
||||||
|
#
|
||||||
|
# The compiled-in value is usually sufficient and should only be changed
|
||||||
|
# if you rename or move the sudo_noexec.so file.
|
||||||
|
#
|
||||||
|
#Path noexec /usr/libexec/sudo/sudo_noexec.so
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo plugin directory:
|
||||||
|
# Path plugin_dir /path/to/plugins
|
||||||
|
#
|
||||||
|
# The default directory to use when searching for plugins that are
|
||||||
|
# specified without a fully qualified path name.
|
||||||
|
#
|
||||||
|
#Path plugin_dir /usr/libexec/sudo
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo developer mode:
|
||||||
|
# Set developer_mode true|false
|
||||||
|
#
|
||||||
|
# Allow loading of plugins that are owned by non-root or are writable
|
||||||
|
# by "group" or "other". Should only be used during plugin development.
|
||||||
|
#Set developer_mode true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Core dumps:
|
||||||
|
# Set disable_coredump true|false
|
||||||
|
#
|
||||||
|
# By default, sudo disables core dumps while it is executing (they
|
||||||
|
# are re-enabled for the command that is run).
|
||||||
|
# To aid in debugging sudo problems, you may wish to enable core
|
||||||
|
# dumps by setting "disable_coredump" to false.
|
||||||
|
#
|
||||||
|
Set disable_coredump false
|
||||||
|
|
||||||
|
#
|
||||||
|
# User groups:
|
||||||
|
# Set group_source static|dynamic|adaptive
|
||||||
|
#
|
||||||
|
# Sudo passes the user's group list to the policy plugin.
|
||||||
|
# If the user is a member of the maximum number of groups (usually 16),
|
||||||
|
# sudo will query the group database directly to be sure to include
|
||||||
|
# the full list of groups.
|
||||||
|
#
|
||||||
|
# On some systems, this can be expensive so the behavior is configurable.
|
||||||
|
# The "group_source" setting has three possible values:
|
||||||
|
# static - use the user's list of groups returned by the kernel.
|
||||||
|
# dynamic - query the group database to find the list of groups.
|
||||||
|
# adaptive - if user is in less than the maximum number of groups.
|
||||||
|
# use the kernel list, else query the group database.
|
||||||
|
#
|
||||||
|
#Set group_source static
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo interface probing:
|
||||||
|
# Set probe_interfaces true|false
|
||||||
|
#
|
||||||
|
# By default, sudo will probe the system's network interfaces and
|
||||||
|
# pass the IP address of each enabled interface to the policy plugin.
|
||||||
|
# On systems with a large number of virtual interfaces this may take
|
||||||
|
# a noticeable amount of time.
|
||||||
|
#
|
||||||
|
#Set probe_interfaces false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sudo debug files:
|
||||||
|
# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
|
||||||
|
#
|
||||||
|
# Sudo and related programs support logging debug information to a file.
|
||||||
|
# The program is typically sudo, sudoers.so, sudoreplay or visudo.
|
||||||
|
#
|
||||||
|
# Subsystems vary based on the program; "all" matches all subsystems.
|
||||||
|
# Priority may be crit, err, warn, notice, diag, info, trace or debug.
|
||||||
|
# Multiple subsystem@priority may be specified, separated by a comma.
|
||||||
|
#
|
||||||
|
#Debug sudo /var/log/sudo_debug all@debug
|
||||||
|
#Debug sudoers.so /var/log/sudoers_debug all@debug
|
||||||
@@ -0,0 +1,120 @@
|
|||||||
|
## Sudoers allows particular users to run various commands as
|
||||||
|
## the root user, without needing the root password.
|
||||||
|
##
|
||||||
|
## Examples are provided at the bottom of the file for collections
|
||||||
|
## of related commands, which can then be delegated out to particular
|
||||||
|
## users or groups.
|
||||||
|
##
|
||||||
|
## This file must be edited with the 'visudo' command.
|
||||||
|
|
||||||
|
## Host Aliases
|
||||||
|
## Groups of machines. You may prefer to use hostnames (perhaps using
|
||||||
|
## wildcards for entire domains) or IP addresses instead.
|
||||||
|
# Host_Alias FILESERVERS = fs1, fs2
|
||||||
|
# Host_Alias MAILSERVERS = smtp, smtp2
|
||||||
|
|
||||||
|
## User Aliases
|
||||||
|
## These aren't often necessary, as you can use regular groups
|
||||||
|
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
|
||||||
|
## rather than USERALIAS
|
||||||
|
# User_Alias ADMINS = jsmith, mikem
|
||||||
|
|
||||||
|
|
||||||
|
## Command Aliases
|
||||||
|
## These are groups of related commands...
|
||||||
|
|
||||||
|
## Networking
|
||||||
|
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
|
||||||
|
|
||||||
|
## Installation and management of software
|
||||||
|
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
|
||||||
|
|
||||||
|
## Services
|
||||||
|
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
|
||||||
|
|
||||||
|
## Updating the locate database
|
||||||
|
# Cmnd_Alias LOCATE = /usr/bin/updatedb
|
||||||
|
|
||||||
|
## Storage
|
||||||
|
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
|
||||||
|
|
||||||
|
## Delegating permissions
|
||||||
|
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
|
||||||
|
|
||||||
|
## Processes
|
||||||
|
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
|
||||||
|
|
||||||
|
## Drivers
|
||||||
|
# Cmnd_Alias DRIVERS = /sbin/modprobe
|
||||||
|
|
||||||
|
# Defaults specification
|
||||||
|
|
||||||
|
#
|
||||||
|
# Refuse to run if unable to disable echo on the tty.
|
||||||
|
#
|
||||||
|
Defaults !visiblepw
|
||||||
|
|
||||||
|
#
|
||||||
|
# Preserving HOME has security implications since many programs
|
||||||
|
# use it when searching for configuration files. Note that HOME
|
||||||
|
# is already set when the the env_reset option is enabled, so
|
||||||
|
# this option is only effective for configurations where either
|
||||||
|
# env_reset is disabled or HOME is present in the env_keep list.
|
||||||
|
#
|
||||||
|
Defaults always_set_home
|
||||||
|
Defaults match_group_by_gid
|
||||||
|
|
||||||
|
# Prior to version 1.8.15, groups listed in sudoers that were not
|
||||||
|
# found in the system group database were passed to the group
|
||||||
|
# plugin, if any. Starting with 1.8.15, only groups of the form
|
||||||
|
# %:group are resolved via the group plugin by default.
|
||||||
|
# We enable always_query_group_plugin to restore old behavior.
|
||||||
|
# Disable this option for new behavior.
|
||||||
|
Defaults always_query_group_plugin
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
|
||||||
|
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
|
||||||
|
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
|
||||||
|
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
|
||||||
|
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adding HOME to env_keep may enable a user to run unrestricted
|
||||||
|
# commands via sudo.
|
||||||
|
#
|
||||||
|
# Defaults env_keep += "HOME"
|
||||||
|
|
||||||
|
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
## Next comes the main part: which users can run what software on
|
||||||
|
## which machines (the sudoers file can be shared between multiple
|
||||||
|
## systems).
|
||||||
|
## Syntax:
|
||||||
|
##
|
||||||
|
## user MACHINE=COMMANDS
|
||||||
|
##
|
||||||
|
## The COMMANDS section may have other options added to it.
|
||||||
|
##
|
||||||
|
## Allow root to run any commands anywhere
|
||||||
|
root ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Allows members of the 'sys' group to run networking, software,
|
||||||
|
## service management apps and more.
|
||||||
|
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
|
||||||
|
|
||||||
|
## Allows people in group wheel to run all commands
|
||||||
|
%wheel ALL=(ALL) ALL
|
||||||
|
|
||||||
|
## Same thing without a password
|
||||||
|
# %wheel ALL=(ALL) NOPASSWD: ALL
|
||||||
|
|
||||||
|
## Allows members of the users group to mount and unmount the
|
||||||
|
## cdrom as root
|
||||||
|
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
|
||||||
|
|
||||||
|
## Allows members of the users group to shutdown this system
|
||||||
|
# %users localhost=/sbin/shutdown -h now
|
||||||
|
|
||||||
|
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
|
||||||
|
#includedir /etc/sudoers.d
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
Defaults log_input
|
||||||
|
Defaults log_output
|
||||||
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
sudo
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth include system-auth
|
||||||
|
account include system-auth
|
||||||
|
password include system-auth
|
||||||
|
session include system-auth
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user