authorJoey Hess2014-03-30 20:46:31 -0400
committerJoey Hess2014-03-30 20:46:31 -0400
commit1c65b86f8302cd42152e26c9d4fd24285a8e70c0 (patch)
treedf3554173dcdf92baf9c7f9ff458f6a97ee4a62b
parenta920555ed1da6a8608781a80cbe0fdae6f075b03 (diff)
propellor spin
-rw-r--r--Makefile2
-rw-r--r--Propellor.hs6
-rw-r--r--Property/Sudo.hs31
3 files changed, 35 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index 6571ffad..66f329e6 100644
--- a/Makefile
+++ b/Makefile
@@ -24,3 +24,5 @@ clean:
# hothasktags chokes on some template haskell etc, so ignore errors
tags:
find . | grep -v /.git/ | grep -v /tmp/ | grep -v /dist/ | grep -v /doc/ | egrep '\.hs$$' | xargs hothasktags > tags 2>/dev/null
+
+.PHONY: tags
diff --git a/Propellor.hs b/Propellor.hs
index 2b7f978e..6870ca56 100644
--- a/Propellor.hs
+++ b/Propellor.hs
@@ -3,6 +3,7 @@ import CmdLine
import qualified Property.File as File
import qualified Property.Apt as Apt
import qualified Property.Ssh as Ssh
+import qualified Property.Sudo as Sudo
import qualified Property.User as User
import qualified Property.Hostname as Hostname
import qualified Property.Reboot as Reboot
@@ -48,11 +49,8 @@ standardSystem suite = propertyList "standard system"
, check (Ssh.hasAuthorizedKeys "root") $
Ssh.passwordAuthentication False
, User.sshAccountFor "joey"
- , Apt.installed ["sudo"]
- -- nopasswd because no password is set up for joey.
- , "sudoer joey" ==>
- "/etc/sudoers" `File.containsLine` "joey ALL=(ALL:ALL) NOPASSWD:ALL"
, User.hasSomePassword "joey"
+ , Sudo.enabledFor "joey"
, GitHome.installedFor "joey"
, Apt.installed ["vim", "screen"]
-- I use postfix, or no MTA.
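Review bot: The position of `Sudo.enabledFor "joey"` right after `User.hasSomePassword "joey"` is load-bearing but undocumented: enabledFor reads the account's password-lock state when it runs, so moving it above hasSomePassword would presumably configure NOPASSWD on the first run and only tighten it on the next, assuming propertyList applies its entries in order. The removed comment explained why NOPASSWD was used; nothing now explains the ordering. Suggest `-- must follow hasSomePassword: Sudo.enabledFor checks the password state at run time` above that entry. standardSystem continues outside the hunk.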
diff --git a/Property/Sudo.hs b/Property/Sudo.hs
new file mode 100644
index 00000000..175f453a
--- /dev/null
+++ b/Property/Sudo.hs
@@ -0,0 +1,31 @@
+module Property.Sudo where
+
+import Data.List
+
+import Common
+import Property.File
+import qualified Property.Apt as Apt
+import Property.User
+
+{- Allows a user to sudo. If the user has a password, sudo is configured
+ - to require it. If not, NOPASSWORD is enabled for the user. -}
+enabledFor :: UserName -> Property
+enabledFor user = Property desc go `requires` Apt.installed ["sudo"]
+ where
+ go = do
+ locked <- isLockedPassword user
+ ensureProperty $
+ fileProperty desc
+ (modify locked . filter (wanted locked))
+ "/etc/sudoers"
+ desc = user ++ " is sudoer"
+ sudobaseline = user ++ " ALL=(ALL:ALL)"
+ sudoline True = sudobaseline ++ " NOPASSWD:ALL"
+ sudoline False = sudobaseline
+ wanted locked l
+ | not (sudobaseline `isPrefixOf` l) = True
+ | "NOPASSWD" `isInfixOf` l = locked
+ | otherwise = True
+ modify locked ls
+ | sudoline locked `elem` ls = ls
+ | otherwise = ls ++ [sudoline locked]
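Review bot: The `sudoline False` equation emits `joey ALL=(ALL:ALL)` with no command list, which is not a valid sudoers User_Spec (a Cmnd such as `ALL` must follow the runas spec), so on a host where the user has a password the first run writes a line that makes sudo refuse to run for every user; change it to `sudoline False = sudobaseline ++ " ALL"`. Because fileProperty rewrites /etc/sudoers in place with no syntax check, any malformed line has the same lock-out effect, so validating the candidate content with `visudo -c -f` on a temporary file before replacing, or writing a drop-in under `/etc/sudoers.d/`, would contain that failure. A smaller point: with a locked password, `wanted True` keeps an existing non-NOPASSWD line for the user while `modify` appends the NOPASSWD one, so both accumulate; sudo honours the last match, so the outcome is still as intended, but the stale line could be filtered out as well.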