module Propellor.Property.Sudo where

import Data.List

import Propellor.Common
import Propellor.Property.File
import qualified Propellor.Property.Apt as Apt
import Propellor.Property.User

{- | Allows a user to sudo. If the user has a password, sudo is configured
 - to require it. If not (the user's password is locked), NOPASSWD is
 - enabled for the user.
 -
 - TODO: Parse the full sudoers file format; until then, lines are matched
 - textually.
 -}
enabledFor :: UserName -> Property
enabledFor user = Property desc go `requires` Apt.installed ["sudo"]
  where
    desc = user ++ " is sudoer"

    -- Prefix shared by both sudoers entries this property manages.
    -- NOTE(review): user is spliced in verbatim. A name containing
    -- whitespace or a newline, or one starting with '%' (sudoers group
    -- syntax), would change what the line grants. This presumably relies
    -- on UserName coming from trusted configuration; confirm.
    sudobaseline = user ++ " ALL=(ALL:ALL)"

    -- The entry to install: passwordless when the flag is True, otherwise
    -- the ordinary password-prompting form.
    -- NOPASSWD:ALL lets the account run any command as any user without
    -- authenticating to sudo, so whatever can log in as a locked-password
    -- account (an SSH key, for instance) is then root-equivalent.
    sudoline nopasswd
        | nopasswd = sudobaseline ++ " NOPASSWD:ALL"
        | otherwise = sudobaseline ++ " ALL"

    -- Look up whether the user's password is locked, then rewrite
    -- /etc/sudoers accordingly through fileProperty.
    -- NOTE(review): nothing visible here syntax-checks the new content
    -- (e.g. with `visudo -c`) before it replaces the file, and a malformed
    -- sudoers file makes sudo refuse to run. Confirm how fileProperty
    -- writes the file and whether it keeps the existing mode and owner.
    go = do
        locked <- isLockedPassword user
        let rewrite = modify locked . filter (wanted locked)
        ensureProperty $ fileProperty desc rewrite "/etc/sudoers"

    -- Line filter: the only lines ever dropped are this user's NOPASSWD
    -- entries, and only when the password is not locked. Matching is
    -- purely textual, so an entry written with different spacing or
    -- through an alias is not recognised, and only the single file passed
    -- to fileProperty is examined.
    wanted locked l
        | sudobaseline `isPrefixOf` l && "NOPASSWD" `isInfixOf` l = locked
        | otherwise = True

    -- Append the desired entry unless that exact line is already present.
    -- sudo applies the last matching entry, so a conflicting line for the
    -- same user located after an already-present entry still takes
    -- precedence; this function does not reorder lines.
    modify locked ls
        | entry `elem` ls = ls
        | otherwise = ls ++ [entry]
      where
        entry = sudoline locked