From b8d07136d9ddfbe2f4e8338f307a5c038f6aaae2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?=
Date: Tue, 3 Nov 2020 13:41:48 +0000
Subject: [PATCH] sudo: properly allow wheel group to use sudo via visudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Luís Ferreira
---
 roles/sudo/files/wheel_group | 1 -
 roles/sudo/tasks/main.yml | 25 +++++++++++++++----------
 2 files changed, 15 insertions(+), 11 deletions(-)
 delete mode 100644 roles/sudo/files/wheel_group

diff --git a/roles/sudo/files/wheel_group b/roles/sudo/files/wheel_group
deleted file mode 100644
index 7c7dbb8..0000000
--- a/roles/sudo/files/wheel_group
+++ /dev/null
@@ -1 +0,0 @@
-%wheel ALL=(ALL) ALL
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
index 355a4ad..f0ff94c 100644
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -22,15 +22,20 @@
     with_dict: '{{ users }}'
     when: '"admin" in item.value.groups'
 
-- name: enable sudoers.d support
+- name: allow wheel group to use sudo
   lineinfile:
-    path: /etc/sudoers
-    line: '#includedir /etc/sudoers.d'
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%wheel ALL=\(ALL\) ALL'
+    insertafter: '^# %wheel ALL=\(ALL\) ALL'
+    line: '%wheel ALL=(ALL) ALL'
+    validate: 'visudo -cf %s'
 
-- name: install sudo rule
-  copy:
-    src: wheel_group
-    dest: /etc/sudoers.d/wheel_group
-    mode: 0644
-    owner: root
-    group: root
+- name: secure path to protect against attacks
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
+    insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
+    line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
+    validate: 'visudo -cf %s'
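Review bot: The `regexp` of the new secure_path task matches only the exact value the task writes, so an existing uncommented `Defaults secure_path=...` line with a different value (for instance the distribution default quoted in `insertafter`) is left in place and a second `Defaults secure_path` line is inserted; sudoers applies whichever directive comes last, so the effective search path depends on the file's prior state rather than on this task. Matching the directive instead of the value, `regexp: '^Defaults\s+secure_path='`, replaces any existing setting idempotently while keeping `insertafter` for the commented-out case. The written value also drops `/usr/sbin`, `/sbin` and `/bin` relative to the commented default the task anchors on; on a system without merged `/usr` that would leave administrative tools outside sudo's search path, so the assumption deserves a comment above the task such as `# assumes /sbin, /bin and /usr/sbin resolve into /usr/bin — confirm for the target distribution`. For consistency with the removed `enable sudoers.d support` task, both new tasks could use the documented parameter name `path:` rather than its alias `dest:`.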