authorJoey Hess2017-07-17 12:42:31 -0400
committerJoey Hess2017-07-17 12:42:31 -0400
commitb6d650730be9369b89623f46cb773dcc880630cb (patch)
tree0fe40b365b3e9e99f7df2c180eb87dd00c068ca6
parentcb885b8a925fcaaec3e3685fc5cd4c369593afef (diff)
Propellor.Property.Sudo.enabledFor: Made revertable
(minor API change) This commit was sponsored by Henrik Riomar on Patreon.
-rw-r--r--debian/changelog4
-rw-r--r--propellor.cabal2
-rw-r--r--src/Propellor/Property/Sudo.hs24
3 files changed, 21 insertions, 9 deletions
diff --git a/debian/changelog b/debian/changelog
index 517151d8..d70018cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-propellor (4.3.5) UNRELEASED; urgency=medium
+propellor (4.4.0) UNRELEASED; urgency=medium
* Propellor.Property.Timezone: New module, contributed by Sean Whitton.
+ * Propellor.Property.Sudo.enabledFor: Made revertable.
+ (minor API change)
-- Joey Hess <id@joeyh.name> Sun, 16 Jul 2017 12:07:15 -0400
diff --git a/propellor.cabal b/propellor.cabal
index 43a3ab5e..d4417578 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -1,5 +1,5 @@
Name: propellor
-Version: 4.3.4
+Version: 4.4.0
Cabal-Version: >= 1.20
License: BSD2
Maintainer: Joey Hess <id@joeyh.name>
diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs
index 45ab8af2..1614801d 100644
--- a/src/Propellor/Property/Sudo.hs
+++ b/src/Propellor/Property/Sudo.hs
@@ -9,23 +9,33 @@ import Propellor.Property.User
-- | Allows a user to sudo. If the user has a password, sudo is configured
-- to require it. If not, NOPASSWORD is enabled for the user.
-enabledFor :: User -> Property DebianLike
-enabledFor user@(User u) = go `requires` Apt.installed ["sudo"]
+enabledFor :: User -> RevertableProperty DebianLike DebianLike
+enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] <!> cleanup
where
- go :: Property UnixLike
- go = property' desc $ \w -> do
+ setup :: Property UnixLike
+ setup = property' desc $ \w -> do
locked <- liftIO $ isLockedPassword user
ensureProperty w $
fileProperty desc
(modify locked . filter (wanted locked))
- "/etc/sudoers"
- desc = u ++ " is sudoer"
+ sudoers
+ where
+ desc = u ++ " is sudoer"
+
+ cleanup :: Property DebianLike
+ cleanup = tightenTargets $
+ fileProperty desc (filter notuserline) sudoers
+ where
+ desc = u ++ " is not sudoer"
+
+ sudoers = "/etc/sudoers"
sudobaseline = u ++ " ALL=(ALL:ALL)"
+ notuserline l = not (sudobaseline `isPrefixOf` l)
sudoline True = sudobaseline ++ " NOPASSWD:ALL"
sudoline False = sudobaseline ++ " ALL"
wanted locked l
-- TOOD: Full sudoers file format parse..
- | not (sudobaseline `isPrefixOf` l) = True
+ | notuserline l = True
| "NOPASSWD" `isInfixOf` l = locked
| otherwise = True
modify locked ls