From 1c65b86f8302cd42152e26c9d4fd24285a8e70c0 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sun, 30 Mar 2014 20:46:31 -0400
Subject: propellor spin
---
 Makefile | 2 ++
 Propellor.hs | 6 ++----
 Property/Sudo.hs | 31 +++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 Property/Sudo.hs
diff --git a/Makefile b/Makefile
index 6571ffad..66f329e6 100644
--- a/Makefile
+++ b/Makefile
@@ -24,3 +24,5 @@ clean:
 # hothasktags chokes on some template haskell etc, so ignore errors
 tags:
 find . | grep -v /.git/ | grep -v /tmp/ | grep -v /dist/ | grep -v /doc/ | egrep '\.hs$$' | xargs hothasktags > tags 2>/dev/null
+
+.PHONY: tags
diff --git a/Propellor.hs b/Propellor.hs
index 2b7f978e..6870ca56 100644
--- a/Propellor.hs
+++ b/Propellor.hs
@@ -3,6 +3,7 @@ import CmdLine
 import qualified Property.File as File
 import qualified Property.Apt as Apt
 import qualified Property.Ssh as Ssh
+import qualified Property.Sudo as Sudo
 import qualified Property.User as User
 import qualified Property.Hostname as Hostname
 import qualified Property.Reboot as Reboot
@@ -48,11 +49,8 @@ standardSystem suite = propertyList "standard system"
 , check (Ssh.hasAuthorizedKeys "root") $
 Ssh.passwordAuthentication False
 , User.sshAccountFor "joey"
- , Apt.installed ["sudo"]
- -- nopasswd because no password is set up for joey.
- , "sudoer joey" ==>
- "/etc/sudoers" `File.containsLine` "joey ALL=(ALL:ALL) NOPASSWD:ALL"
 , User.hasSomePassword "joey"
+ , Sudo.enabledFor "joey"
 , GitHome.installedFor "joey"
 , Apt.installed ["vim", "screen"]
 -- I use postfix, or no MTA.
diff --git a/Property/Sudo.hs b/Property/Sudo.hs
new file mode 100644
index 00000000..175f453a
--- /dev/null
+++ b/Property/Sudo.hs
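Review bot: The relative order of `User.hasSomePassword "joey"` and the new `Sudo.enabledFor "joey"` entry is now load-bearing but undocumented: Property/Sudo.hs in this same commit decides between a password-requiring and a NOPASSWD sudoers line by calling isLockedPassword, so if the two entries were ever reordered, the first run on a fresh host would presumably write a passwordless root entry before hasSomePassword has set a password. The removed "nopasswd because no password is set up" comment explained the old inline line; nothing in the list now records why password-first ordering matters. A one-line comment on the added line would protect the invariant, e.g. `-- must stay after hasSomePassword: enabledFor only requires a password if one is set`. The standardSystem property list starts and ends outside this hunk.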
@@ -0,0 +1,31 @@
+module Property.Sudo where
+
+import Data.List
+
+import Common
+import Property.File
+import qualified Property.Apt as Apt
+import Property.User
+
+{- Allows a user to sudo. If the user has a password, sudo is configured
+ - to require it. If not, NOPASSWORD is enabled for the user. -}
+enabledFor :: UserName -> Property
+enabledFor user = Property desc go `requires` Apt.installed ["sudo"]
+ where
+ go = do
+ locked <- isLockedPassword user
+ ensureProperty $
+ fileProperty desc
+ (modify locked . filter (wanted locked))
+ "/etc/sudoers"
+ desc = user ++ " is sudoer"
+ sudobaseline = user ++ " ALL=(ALL:ALL)"
+ sudoline True = sudobaseline ++ " NOPASSWD:ALL"
+ sudoline False = sudobaseline
+ wanted locked l
+ | not (sudobaseline `isPrefixOf` l) = True
+ | "NOPASSWD" `isInfixOf` l = locked
+ | otherwise = True
+ modify locked ls
+ | sudoline locked `elem` ls = ls
+ | otherwise = ls ++ [sudoline locked]
-- cgit v1.2.3
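Review bot: `sudoline False = sudobaseline` writes `joey ALL=(ALL:ALL)` into /etc/sudoers, which is not a valid sudoers(5) user specification: a Cmnd_Spec needs a command list after the optional Runas_Spec, so the password-requiring branch (the one standardSystem takes, since hasSomePassword precedes enabledFor in the Propellor.hs hunk) yields a parse error and sudo then refuses every command for every user on the host. The fix is `sudoline False = sudobaseline ++ " ALL"`; `wanted` still recognises the line by its sudobaseline prefix and `modify` still dedupes on the exact line. Because fileProperty replaces the file with no syntax check, it would also be worth validating the candidate content (for example `visudo -c -f` on a temporary file) before it lands, so that an odd username or a future edit to these lines cannot lock the whole host out of sudo. Note too that when `locked` is True a pre-existing password-requiring line passes the `wanted` filter and is kept beside the appended NOPASSWD line; sudoers applies the last matching entry so NOPASSWD wins, but the stale line is never cleaned up.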