authorJoey Hess2018-10-14 13:34:51 -0400
committerJoey Hess2018-10-14 13:34:51 -0400
commitbe447e4c9380055dd43b1cfbde0545f790cf5b27 (patch)
tree6f177b98c01d0b3dfc47fc07765a9b9cc29fabf7 /src
parentb23ca0e8aeb4839bc2b886b925dfeeacb1bfcb55 (diff)
make sure that /etc/sudoers includes sudoers.d
Otherwise there's the risk that propellor's change in how it sets up sudoers locks an admin out, because they had a modified sudoers file that never got upgraded to include sudoers.d.
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/Sudo.hs3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs
index 12660aa9..ad577439 100644
--- a/src/Propellor/Property/Sudo.hs
+++ b/src/Propellor/Property/Sudo.hs
@@ -18,6 +18,8 @@ import Propellor.Property.User
--
-- If the main sudoers file contains a conflicting line for
-- the user for ALL commands, the line will be removed.
+--
+-- Also ensures that the main sudoers file includes /etc/sudoers.d/
enabledFor :: User -> RevertableProperty DebianLike DebianLike
enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] <!> cleanup
where
@@ -25,6 +27,7 @@ enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] <!> cleanup
setup = property' desc $ \w -> do
locked <- liftIO $ isLockedPassword user
ensureProperty w $ combineProperties desc $ props
+ & containsLine sudoers "#includedir /etc/sudoers.d"
& fileProperty desc
(modify locked . filter (wanted locked))
dfile
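Review bot: The added `containsLine sudoers "#includedir /etc/sudoers.d"` in `setup` presumably matches the whole line verbatim, so a main sudoers file that already includes the directory under a different spelling (extra whitespace, a trailing slash, or the `@includedir` form that newer sudo releases accept) would get a second include appended. The hunk also shows no syntax check of the edited /etc/sudoers, and a parse error in that file disables sudo for every user, so it is worth confirming that the write is validated with something like `visudo -c -f` on the new content before it replaces the old file. At minimum, add a comment above the line such as `-- appended verbatim if absent; other spellings of the include are not detected`. The `where` clause of `enabledFor` continues outside the hunk, so the definitions of `sudoers` and `dfile` could not be checked here.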