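-- | Management of a user's entry in @/etc/sudoers@.
module Propellor.Property.Sudo where

import Data.List (isInfixOf, isPrefixOf)

import Propellor.Base
import Propellor.Property.File
import qualified Propellor.Property.Apt as Apt
import Propellor.Property.User

-- | Allows a user to sudo. If the user has a password, sudo is configured
-- to require it. If not, NOPASSWORD is enabled for the user.
--
-- The property appends a single line of the form
-- @USER ALL=(ALL:ALL) ALL@ (password required) or
-- @USER ALL=(ALL:ALL) NOPASSWD:ALL@ (account locked) to @/etc/sudoers@,
-- unless that exact line is already present. Whether the password is
-- locked is checked each time the property runs, so a change to the
-- account is reflected on the next run: a @NOPASSWD@ line for the user
-- is dropped once the account has a password, while a password-required
-- line is left in place in either case.
--
-- Reverting removes every line that starts with @USER ALL=(ALL:ALL)@.
--
-- Caveats:
--
-- * Only lines beginning with exactly @USER ALL=(ALL:ALL)@ are
--   recognised. An entry for the user written any other way (leading
--   whitespace, a different host or runas spec, aliases) is neither
--   removed on revert nor counted as already granting access. See the
--   TODO on the @wanted@ helper.
--
-- * The file is rewritten with 'fileProperty'; no @visudo -c@ style
--   syntax check is visible here, so nothing guards against leaving
--   @/etc/sudoers@ in a state sudo refuses to load.
enabledFor :: User -> RevertableProperty DebianLike DebianLike
enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] <!> cleanup
  where
    setup :: Property UnixLike
    setup = property' desc $ \w -> do
        -- Decided at run time rather than when the property is built, so
        -- the sudoers entry follows the account's current state.
        locked <- liftIO $ isLockedPassword user
        ensureProperty w $
            fileProperty desc
                (modify locked . filter (wanted locked))
                sudoers
      where
        desc = u ++ " is sudoer"

    cleanup :: Property DebianLike
    cleanup = tightenTargets $
        fileProperty desc (filter notuserline) sudoers
      where
        desc = u ++ " is not sudoer"

    sudoers :: FilePath
    sudoers = "/etc/sudoers"

    -- Common prefix of both lines this property manages for the user.
    sudobaseline :: String
    sudobaseline = u ++ " ALL=(ALL:ALL)"

    -- True for any line this property did not (or would not) write.
    notuserline :: String -> Bool
    notuserline l = not (sudobaseline `isPrefixOf` l)

    -- The line to ensure is present, given whether the password is locked.
    sudoline :: Bool -> String
    sudoline True = sudobaseline ++ " NOPASSWD:ALL"
    sudoline False = sudobaseline ++ " ALL"

    -- Decides which existing lines survive. Only the user's own NOPASSWD
    -- line is ever dropped, and only when the account now has a password;
    -- a password-required line for the user is always kept.
    wanted :: Bool -> String -> Bool
    wanted locked l
        -- TODO: Full sudoers file format parse..
        | notuserline l = True
        | "NOPASSWD" `isInfixOf` l = locked
        | otherwise = True

    -- Appends the wanted line unless that exact line is already present.
    modify :: Bool -> [String] -> [String]
    modify locked ls
        | sudoline locked `elem` ls = ls
        | otherwise = ls ++ [sudoline locked]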