* Ensure sudoers config files are created with 0440 permissions to appease visudo validation
* Remove change not required by the bugfix
* Add changelog fragment for 4814 sudoers file permissions
* Update changelogs/fragments/4814-sudoers-file-permissions.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Have less oct casting
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 2d1e58663c
)
Co-authored-by: Jon Ellis <ellis.jp@gmail.com>
This commit is contained in:
parent
a11b8fd517
commit
79d85cc83c
3 changed files with 24 additions and 1 deletions
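--- /dev/null
+++ b/changelogs/fragments/4814-sudoers-file-permissions.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- sudoers - ensure sudoers config files are created with the permissions requested by sudoers (0440) (https://github.com/ansible-collections/community.general/pull/4814).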
|
@ -115,6 +115,8 @@ from ansible.module_utils.common.text.converters import to_native
|
||||||
|
|
||||||
class Sudoers(object):
|
class Sudoers(object):
|
||||||
|
|
||||||
|
FILE_MODE = 0o440
|
||||||
|
|
||||||
def __init__(self, module):
|
def __init__(self, module):
|
||||||
self.check_mode = module.check_mode
|
self.check_mode = module.check_mode
|
||||||
self.name = module.params['name']
|
self.name = module.params['name']
|
||||||
|
@ -134,6 +136,8 @@ class Sudoers(object):
|
||||||
with open(self.file, 'w') as f:
|
with open(self.file, 'w') as f:
|
||||||
f.write(self.content())
|
f.write(self.content())
|
||||||
|
|
||||||
|
os.chmod(self.file, self.FILE_MODE)
|
||||||
|
|
||||||
def delete(self):
|
def delete(self):
|
||||||
if self.check_mode:
|
if self.check_mode:
|
||||||
return
|
return
|
||||||
|
@ -145,7 +149,12 @@ class Sudoers(object):
|
||||||
|
|
||||||
def matches(self):
|
def matches(self):
|
||||||
with open(self.file, 'r') as f:
|
with open(self.file, 'r') as f:
|
||||||
return f.read() == self.content()
|
content_matches = f.read() == self.content()
|
||||||
|
|
||||||
|
current_mode = os.stat(self.file).st_mode & 0o777
|
||||||
|
mode_matches = current_mode == self.FILE_MODE
|
||||||
|
|
||||||
|
return content_matches and mode_matches
|
||||||
|
|
||||||
def content(self):
|
def content(self):
|
||||||
if self.user:
|
if self.user:
|
||||||
|
|
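Review bot: The write in the `@@ -134` hunk still creates the file under the process umask and only tightens it to 0440 after the whole content has been written, and it writes in place rather than atomically, so while the write is in progress the sudoers.d directory holds a truncated rule that sudo may parse. The method containing that write starts outside the hunk, so the check_mode guard and any ownership handling are not visible here; note that `os.chmod` fixes the mode but not the owner, and sudo also rejects an include file it considers insecure on ownership grounds. A safer shape is to write to a sibling temporary file, chmod it to `FILE_MODE`, and rename it over `self.file`; per sudoers(5) the includedir logic skips names containing a `.`, so a dot-prefixed temp name is never picked up half-written (this needs `import tempfile` at the top of the file). Separately, `matches` masks with `& 0o777`, which drops the setuid/setgid/sticky bits, so a file carrying 02440 would still be reported as matching; `stat.S_IMODE(os.stat(self.file).st_mode)` masks with 0o7777 and would catch that too.
```python
        # … unchanged: check_mode guard and anything else before the write …
        # Write to a sibling temp file and rename it into place so sudo never
        # sees a truncated rule; the leading '.' keeps sudo's includedir from
        # parsing the temp file if we die mid-write (see sudoers(5)).
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(self.file), prefix='.')
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(self.content())
            os.chmod(tmp_path, self.FILE_MODE)
            os.rename(tmp_path, self.file)
        except Exception:
            os.unlink(tmp_path)
            raise
```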
|
@ -29,6 +29,11 @@
|
||||||
commands: /usr/local/bin/command
|
commands: /usr/local/bin/command
|
||||||
register: rule_1
|
register: rule_1
|
||||||
|
|
||||||
|
- name: Stat my-sudo-rule-1 file
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: "{{ sudoers_path }}/my-sudo-rule-1"
|
||||||
|
register: rule_1_stat
|
||||||
|
|
||||||
- name: Grab contents of my-sudo-rule-1
|
- name: Grab contents of my-sudo-rule-1
|
||||||
ansible.builtin.slurp:
|
ansible.builtin.slurp:
|
||||||
src: "{{ sudoers_path }}/my-sudo-rule-1"
|
src: "{{ sudoers_path }}/my-sudo-rule-1"
|
||||||
|
@ -132,6 +137,13 @@
|
||||||
|
|
||||||
# Run assertions
|
# Run assertions
|
||||||
|
|
||||||
|
- name: Check rule 1 file stat
|
||||||
|
ansible.builtin.assert:
|
||||||
|
that:
|
||||||
|
- rule_1_stat.stat.exists
|
||||||
|
- rule_1_stat.stat.isreg
|
||||||
|
- rule_1_stat.stat.mode == '0440'
|
||||||
|
|
||||||
- name: Check changed status
|
- name: Check changed status
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
|
|
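Review bot: The new `Check rule 1 file stat` assertion only covers the mode of a freshly created file, but nothing exercises the other half of this change: `matches` now treats a mode mismatch as a reason to rewrite, and no task loosens the mode of an existing rule and re-applies it to confirm the module reports changed and restores 0440. Ownership is also left unasserted; sudo refuses an include file with an unexpected owner, and on the CI targets the file is presumably root-owned via become, but this test would not notice a regression there. A drift sequence after the first stat would close the first gap, with the rule_1 task re-applied unchanged between the two new tasks and registered separately.
```yaml
- name: Loosen mode on my-sudo-rule-1 to simulate drift
  ansible.builtin.file:
    path: "{{ sudoers_path }}/my-sudo-rule-1"
    mode: '0644'

# … re-apply the rule_1 task unchanged, registering it as rule_1_mode_drift …

- name: Stat my-sudo-rule-1 after drift
  ansible.builtin.stat:
    path: "{{ sudoers_path }}/my-sudo-rule-1"
  register: rule_1_drift_stat

# … under "Run assertions" …
- name: Check mode drift is corrected
  ansible.builtin.assert:
    that:
      - rule_1_mode_drift is changed
      - rule_1_drift_stat.stat.mode == '0440'
```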