Configure sudoers

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
Yohann D'ANELLO 2021-05-24 21:01:22 +02:00
parent 3fedc63db3
commit c0a466db6a
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
6 changed files with 38 additions and 109 deletions

View File

@ -6,6 +6,10 @@
- import_playbook: ldap-client.yml
- import_playbook: home.yml
- hosts: debian
roles:
- sudo
- hosts: all
roles:
- cli-utils
@ -20,7 +24,7 @@
- hosts: perso
roles:
- sudo
# - sudo
- systemd
- pacman
- ntp-client-arch

View File

@ -1,13 +1,10 @@
---
- name: Deploy sudoers configuration files
- name: Configure sudoers
template:
src: '{{ item.src }}.j2'
dest: '/etc/{{ item.src }}'
owner: root
group: root
mode: '{{ item.mode }}'
with_items:
- { src: 'sudoers', mode: '0440' }
- { src: 'sudoers.lecture', mode: '0644' }
src: "{{ item }}.j2"
dest: "/etc/{{ item }}"
mode: 0440
loop:
- sudoers.d/custom_passprompt
- sudoers.d/group_privilege
- sudoers

View File

@ -0,0 +1,4 @@
{{ ansible_header | comment }}
# Change prompt
Defaults passprompt_override
Defaults passprompt="[sudo] mot de passe pour %p sur %h: "

View File

@ -0,0 +1,3 @@
{{ ansible_header | comment }}
# Group privilege specification
ADMINS ALL=(ALL:ALL) ALL

View File

@ -1,103 +1,27 @@
{{ ansible_header | comment }}
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
# Host alias specification
User_Alias USERS= %user
User_Alias ADMINS= %admin
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
# User alias specification
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
# Cmnd alias specification
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
# User privilege specification
root ALL=(ALL:ALL) ALL
##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
{% if 'virtu' in group_names %}
# Pour vérifier quels vms sont sur quels virtus
USERS ALL=(root:ALL) NOPASSWD:/usr/sbin/qm list
##
## Runas alias specification
##
{% endif %}
# See sudoers(5) for more information on "#include" directives:
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
Defaults lecture=always
Defaults lecture_file=/etc/sudoers.lecture
# toilet -f future --rainbow 'BE NICE' > sudoers.lecture.j2
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d

View File

@ -1,3 +0,0 @@
┏┓ ┏━╸ ┏┓╻╻┏━╸┏━╸
┣┻┓┣╸ ┃┗┫┃┃ ┣╸
┗━┛┗━╸ ╹ ╹╹┗━╸┗━╸