
Ensure managed sudoers config files have 0440 permissions (#4814) (#4827)

* Ensure sudoers config files are created with 0440 permissions to appease visudo validation

* Remove change not required by the bugfix

* Add changelog fragment for 4814 sudoers file permissions

* Update changelogs/fragments/4814-sudoers-file-permissions.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Have less oct casting

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 2d1e58663c)

Co-authored-by: Jon Ellis <ellis.jp@gmail.com>
This commit is contained in:
patchback[bot] 2022-06-12 08:59:48 +02:00 committed by GitHub
parent a11b8fd517
commit 79d85cc83c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 1 deletions


@ -0,0 +1,2 @@
bugfixes:
- sudoers - ensure sudoers config files are created with the permissions requested by sudoers (0440) (https://github.com/ansible-collections/community.general/pull/4814).


@ -115,6 +115,8 @@ from ansible.module_utils.common.text.converters import to_native
class Sudoers(object): class Sudoers(object):
FILE_MODE = 0o440
def __init__(self, module): def __init__(self, module):
self.check_mode = module.check_mode self.check_mode = module.check_mode
self.name = module.params['name'] self.name = module.params['name']
@ -134,6 +136,8 @@ class Sudoers(object):
with open(self.file, 'w') as f: with open(self.file, 'w') as f:
f.write(self.content()) f.write(self.content())
os.chmod(self.file, self.FILE_MODE)
def delete(self): def delete(self):
if self.check_mode: if self.check_mode:
return return
@ -145,7 +149,12 @@ class Sudoers(object):
def matches(self): def matches(self):
with open(self.file, 'r') as f: with open(self.file, 'r') as f:
return f.read() == self.content() content_matches = f.read() == self.content()
current_mode = os.stat(self.file).st_mode & 0o777
mode_matches = current_mode == self.FILE_MODE
return content_matches and mode_matches
def content(self): def content(self):
if self.user: if self.user:
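Review bot: In the write hunk the file is still created by `open(self.file, 'w')` with umask-derived permissions (typically 0644) and only tightened by the `os.chmod(self.file, self.FILE_MODE)` that runs after the write, so a new sudoers fragment is briefly readable by everyone, and if the write raises between the two calls a 0644 file is left behind that later visudo validation will presumably flag. Creating the file with the target mode closes that window: `fd = os.open(self.file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, self.FILE_MODE)` followed by `with os.fdopen(fd, 'w') as f:`, keeping the trailing `os.chmod` for the pre-existing-file case. In the `matches` hunk, `os.stat(self.file).st_mode & 0o777` compares only the permission bits, so a file that is 0440 but not owned by root still reads as matching — worth a `# NOTE: ownership is not checked; sudo also requires uid 0` comment if that is intentional. The enclosing method of the write hunk starts outside the hunk, so I cannot see whether existence is checked before `matches` is called.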


@ -29,6 +29,11 @@
commands: /usr/local/bin/command commands: /usr/local/bin/command
register: rule_1 register: rule_1
- name: Stat my-sudo-rule-1 file
ansible.builtin.stat:
path: "{{ sudoers_path }}/my-sudo-rule-1"
register: rule_1_stat
- name: Grab contents of my-sudo-rule-1 - name: Grab contents of my-sudo-rule-1
ansible.builtin.slurp: ansible.builtin.slurp:
src: "{{ sudoers_path }}/my-sudo-rule-1" src: "{{ sudoers_path }}/my-sudo-rule-1"
@ -132,6 +137,13 @@
# Run assertions # Run assertions
- name: Check rule 1 file stat
ansible.builtin.assert:
that:
- rule_1_stat.stat.exists
- rule_1_stat.stat.isreg
- rule_1_stat.stat.mode == '0440'
- name: Check changed status - name: Check changed status
ansible.builtin.assert: ansible.builtin.assert:
that: that:
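Review bot: The new "Check rule 1 file stat" assertion pins the mode to `'0440'` but not the owner, although the registered `rule_1_stat` already carries it; sudo also rejects fragments not owned by root, so `- rule_1_stat.stat.uid == 0` alongside the mode check would make the test cover both halves of the permission requirement the changelog describes. This assumes the integration target runs the module as root, which the visible tasks do not show — confirm before adding it.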