From be447e4c9380055dd43b1cfbde0545f790cf5b27 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sun, 14 Oct 2018 13:34:51 -0400
Subject: make sure that /etc/sudoers includes sudoers.d

Otherwise there's the risk that propellor's change in how it sets up sudoers locks an admin out, because they had a modified sudoers file that never got upgraded to include sudoers.d.
---
 src/Propellor/Property/Sudo.hs | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src')
diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs
index 12660aa9..ad577439 100644
--- a/src/Propellor/Property/Sudo.hs
+++ b/src/Propellor/Property/Sudo.hs
@@ -18,6 +18,8 @@ import Propellor.Property.User
 --
 -- If the main sudoers file contains a conflicting line for
 -- the user for ALL commands, the line will be removed.
+--
+-- Also ensures that the main sudoers file includes /etc/sudoers.d/
 enabledFor :: User -> RevertableProperty DebianLike DebianLike
 enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] cleanup
 where
@@ -25,6 +27,7 @@ enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] cleanup
 setup = property' desc $ \w -> do
 locked <- liftIO $ isLockedPassword user
 ensureProperty w $ combineProperties desc $ props
+ & containsLine sudoers "#includedir /etc/sudoers.d"
 & fileProperty desc (modify locked . filter (wanted locked)) dfile
--
cgit v1.2.3
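Review bot: The added `containsLine sudoers "#includedir /etc/sudoers.d"` in `setup` switches on the whole drop-in directory, so on a host whose admin had deliberately left the include out, every file already sitting in /etc/sudoers.d becomes active sudo policy, not only the one propellor writes. The new doc comment on `enabledFor` (first hunk) should state that, e.g. `-- Note that this activates every file already present in /etc/sudoers.d, not only the one written here.` `containsLine` appears to match the line exactly, so a sudoers file that already includes the directory under another spelling (trailing slash, extra whitespace, or the `@includedir` form that newer sudo releases accept) would presumably get a second include appended and the same drop-ins read twice; a comment recording that assumption would help. Nothing visible in the hunk re-validates the edited main file (for instance with `visudo -c`) before it takes effect, and whether reverting the property removes the line cannot be judged here, because `cleanup` and the rest of the `where` clause lie outside the hunk.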