1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

[PR #7983/49bd9cbd backport][stable-8] Add noexec support to sudoers (#8012)

Add noexec support to sudoers (#7983)

* Add noexec support to sudoers

* Add changelog fragment #7983

* Fix yml formatting in fragment 7983

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 49bd9cbd3c)

Co-authored-by: adaniaud <adaniaud@users.noreply.github.com>
This commit is contained in:
patchback[bot] 2024-02-23 07:08:04 +00:00 committed by GitHub
parent c089260c88
commit a7a2631333
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 40 additions and 1 deletions

View file

@ -0,0 +1,2 @@
minor_changes:
- sudoers - add support for the ``NOEXEC`` tag in sudoers rules (https://github.com/ansible-collections/community.general/pull/7983).

View file

@ -45,6 +45,12 @@ options:
- The name of the sudoers rule.
- This will be used for the filename for the sudoers file managed by this rule.
type: str
noexec:
description:
- Whether a command is prevented to run further commands itself.
default: false
type: bool
version_added: 8.4.0
nopassword:
description:
- Whether a password will be required to run the sudo'd command.
@ -143,6 +149,15 @@ EXAMPLES = '''
user: alice
commands: /usr/local/bin/upload
setenv: true
- name: >-
Allow alice to sudo /usr/bin/less but prevent less from
running further commands itself
community.general.sudoers:
name: allow-alice-restricted-less
user: alice
commands: /usr/bin/less
noexec: true
'''
import os
@ -162,6 +177,7 @@ class Sudoers(object):
self.user = module.params['user']
self.group = module.params['group']
self.state = module.params['state']
self.noexec = module.params['noexec']
self.nopassword = module.params['nopassword']
self.setenv = module.params['setenv']
self.host = module.params['host']
@ -205,13 +221,15 @@ class Sudoers(object):
owner = '%{group}'.format(group=self.group)
commands_str = ', '.join(self.commands)
noexec_str = 'NOEXEC:' if self.noexec else ''
nopasswd_str = 'NOPASSWD:' if self.nopassword else ''
setenv_str = 'SETENV:' if self.setenv else ''
runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
return "{owner} {host}={runas}{nopasswd}{setenv} {commands}\n".format(
return "{owner} {host}={runas}{noexec}{nopasswd}{setenv} {commands}\n".format(
owner=owner,
host=self.host,
runas=runas_str,
noexec=noexec_str,
nopasswd=nopasswd_str,
setenv=setenv_str,
commands=commands_str
@ -258,6 +276,10 @@ def main():
'name': {
'required': True,
},
'noexec': {
'type': 'bool',
'default': False,
},
'nopassword': {
'type': 'bool',
'default': True,

View file

@ -159,6 +159,20 @@
src: "{{ sudoers_path }}/my-sudo-rule-8"
register: rule_8_contents
- name: Create rule with noexec parameters
community.general.sudoers:
name: my-sudo-rule-9
state: present
user: alice
commands: /usr/local/bin/command
noexec: true
register: rule_9
- name: Grab contents of my-sudo-rule-9
ansible.builtin.slurp:
src: "{{ sudoers_path }}/my-sudo-rule-9"
register: rule_9_contents
- name: Revoke rule 1
community.general.sudoers:
name: my-sudo-rule-1
@ -257,6 +271,7 @@
- "rule_6_contents['content'] | b64decode == 'alice ALL=(bob)NOPASSWD: /usr/local/bin/command\n'"
- "rule_7_contents['content'] | b64decode == 'alice host-1=NOPASSWD: /usr/local/bin/command\n'"
- "rule_8_contents['content'] | b64decode == 'alice ALL=NOPASSWD:SETENV: /usr/local/bin/command\n'"
- "rule_9_contents['content'] | b64decode == 'alice ALL=NOEXEC:NOPASSWD: /usr/local/bin/command\n'"
- name: Check revocation stat
ansible.builtin.assert: