
Add sudo state, salt-managed aliases,users,groups

- apply review comments
- add visudo check cmd
tags/2017.4
Petr Michalec 7 years ago
parent
commit
1c4c8d8932
10 changed files with 358 additions and 6 deletions
  1. +110
    -2
      README.rst
  2. +3
    -2
      linux/files/sudoer
  3. +19
    -0
      linux/files/sudoer-aliases
  4. +7
    -0
      linux/files/sudoer-groups
  5. +7
    -0
      linux/files/sudoer-users
  6. +1
    -0
      linux/system/group.sls
  7. +3
    -0
      linux/system/init.sls
  8. +73
    -0
      linux/system/sudo.sls
  9. +1
    -0
      linux/system/user.sls
  10. +134
    -2
      tests/pillar/system.sls

+ 110
- 2
README.rst View File


===== =====
Linux Linux
===== =====
timezone: 'Europe/Prague' timezone: 'Europe/Prague'
utc: true utc: true


Linux with system users, sowe with password set
Linux with system users, some with password set


.. code-block:: yaml .. code-block:: yaml


home: '/home/jsmith' home: '/home/jsmith'
password: userpassword password: userpassword


Configure sudo for users and groups under ``/etc/sudoers.d/``.
This ways ``linux.system.sudo`` pillar map to actual sudo attributes:

.. code-block:: jinja
# simplified template:
Cmds_Alias {{ alias }}={{ commands }}
{{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
%{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}

# when rendered:
saltuser1 ALL=(ALL) NOPASSWD: ALL


.. code-block:: yaml
linux:
system:
sudo:
enabled: true
alias:
host:
LOCAL:
- localhost
PRODUCTION:
- db1
- db2
runas:
DBA:
- postgres
- mysql
SALT:
- root
command:
# Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
# Best practice is to specify full list of commands user is allowed to run.
SUPPORT_RESTRICTED:
- /bin/vi /etc/sudoers*
- /bin/vim /etc/sudoers*
- /bin/nano /etc/sudoers*
- /bin/emacs /etc/sudoers*
- /bin/su - root
- /bin/su -
- /bin/su
- /usr/sbin/visudo
SUPPORT_SHELLS:
- /bin/sh
- /bin/ksh
- /bin/bash
- /bin/rbash
- /bin/dash
- /bin/zsh
- /bin/csh
- /bin/fish
- /bin/tcsh
- /usr/bin/login
- /usr/bin/su
- /usr/su
ALL_SALT_SAFE:
- /usr/bin/salt state*
- /usr/bin/salt service*
- /usr/bin/salt pillar*
- /usr/bin/salt grains*
- /usr/bin/salt saltutil*
- /usr/bin/salt-call state*
- /usr/bin/salt-call service*
- /usr/bin/salt-call pillar*
- /usr/bin/salt-call grains*
- /usr/bin/salt-call saltutil*
SALT_TRUSTED:
- /usr/bin/salt*
users:
# saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
saltuser1: {}
saltuser2:
hosts:
- LOCAL
# User Alias DBA
DBA:
hosts:
- ALL
commands:
- ALL_SALT_SAFE
groups:
db-ops:
hosts:
- ALL
- '!PRODUCTION'
runas:
- DBA
commands:
- /bin/cat *
- /bin/less *
- /bin/ls *
salt-ops:
hosts:
- 'ALL'
runas:
- SALT
commands:
- SUPPORT_SHELLS
salt-ops-2nd:
name: salt-ops
nopasswd: false
runas:
- DBA
commands:
- ALL
- '!SUPPORT_SHELLS'
- '!SUPPORT_RESTRICTED'

Linux with package, latest version Linux with package, latest version


.. code-block:: yaml .. code-block:: yaml

+ 3
- 2
linux/files/sudoer View File

# managed by salt

# sudoer file managed by salt-minion
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
# user {{ user_name }} is system administrator. # user {{ user_name }} is system administrator.
# It has passwordless sudo functionality. # It has passwordless sudo functionality.
{{ user_name }} ALL=(ALL) NOPASSWD:ALL {{ user_name }} ALL=(ALL) NOPASSWD:ALL

+ 19
- 0
linux/files/sudoer-aliases View File

# sudoer aliases, file managed by salt-minion
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

{%- for alias,commands in aliases.get('command',{}).iteritems() %}
Cmnd_Alias {{ alias }}={{ commands|join(', ') }}
{%- endfor %}

{%- for alias,users in aliases.get('user',{}).iteritems() %}
User_Alias {{ alias }}={{ users|join(', ') }}
{%- endfor %}

{%- for alias,users in aliases.get('runas',{}).iteritems() %}
Runas_Alias {{ alias }}={{ users|join(', ') }}
{%- endfor %}

{%- for alias,hosts in aliases.get('host',{}).iteritems() %}
Host_Alias {{ alias }}={{ hosts|join(', ') }}
{%- endfor %}


+ 7
- 0
linux/files/sudoer-groups View File

# sudoer groups, file managed by salt-minion
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

{%- for group,spec in groups.iteritems() %}
%{{ spec.name|default(group) }} {{ spec.get('hosts', ['ALL'])|join(',') }}=({{ spec.get('runas', ['ALL'])|join(', ') }}) {% if spec.get('nopasswd', True) %}NOPASSWD: {% endif %}{{ spec.get('commands', ['ALL'])|join(', ') }}
{%- endfor %}
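Review bot: With `spec.get('nopasswd', True)` and `spec.get('commands', ['ALL'])` as the fallbacks, an entry with an empty spec renders as `%group ALL=(ALL) NOPASSWD: ALL`, i.e. full passwordless root is the default rather than an opt-in; the same defaults are in linux/files/sudoer-users. If that is intended it should stay documented, but consider `spec.get('nopasswd', False)` so a password is required unless the pillar says otherwise. A pillar entry written as a bare key (`db-ops:` with nothing under it) arrives as None and `spec.name` / `spec.get` raise; `{%- set spec = spec or {} %}` at the top of the loop body keeps the `{}` and empty-key forms equivalent. Minor: hosts use `join(',')` while runas and commands use `join(', ')` — both are valid sudoers syntax, but one form is easier to read in the rendered file.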


+ 7
- 0
linux/files/sudoer-users View File

# sudoer users, file managed by salt-minion
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

{%- for user,spec in users.iteritems() %}
{{ spec.name|default(user) }} {{ spec.get('hosts', ['ALL'])|join(',') }}=({{ spec.get('runas', ['ALL'])|join(', ') }}) {% if spec.get('nopasswd', True) %}NOPASSWD: {% endif %}{{ spec.get('commands', ['ALL'])|join(', ') }}
{%- endfor %}


+ 1
- 0
linux/system/group.sls View File

{%- endfor %} {%- endfor %}


{%- endif %} {%- endif %}


+ 3
- 0
linux/system/init.sls View File

{%- if system.config is defined %} {%- if system.config is defined %}
- linux.system.config - linux.system.config
{%- endif %} {%- endif %}
{%- if system.sudo is defined %}
- linux.system.sudo
{%- endif %}
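Review bot: Guarding the include with `{%- if system.sudo is defined %}` means that once the `sudo` key is removed from pillar entirely, linux.system.sudo is no longer included and the `file.absent` cleanup in sudo.sls (its outer `{%- else %}` branch) never runs, so previously managed /etc/sudoers.d/90-salt-sudo-aliases and 91-salt-sudo-* files stay in force. Including `- linux.system.sudo` unconditionally is enough, since sudo.sls already keys everything on `system.get('sudo', {}).get('enabled', False)`. The enclosing include list starts outside this section.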

+ 73
- 0
linux/system/sudo.sls View File

{%- from "linux/map.jinja" import system with context %}
{%- if system.enabled %}

{%- if system.get('sudo', {}).get('enabled', False) %}

{%- if system.get('sudo', {}).get('aliases', False) is mapping %}
/etc/sudoers.d/90-salt-sudo-aliases:
file.managed:
- source: salt://linux/files/sudoer-aliases
- template: jinja
- user: root
- group: root
- mode: 440
- defaults:
aliases: {{ system.sudo.aliases|yaml }}
- check_cmd: /usr/sbin/visudo -c -f
{%- else %}
/etc/sudoers.d/90-salt-sudo-aliases:
file.absent:
- name: /etc/sudoers.d/90-salt-sudo-aliases
{%- endif %}


{%- if system.get('sudo', {}).get('users', False) is mapping %}
/etc/sudoers.d/91-salt-sudo-users:
file.managed:
- source: salt://linux/files/sudoer-users
- template: jinja
- user: root
- group: root
- mode: 440
- defaults:
users: {{ system.sudo.users|yaml }}
- check_cmd: /usr/sbin/visudo -c -f
{%- else %}
/etc/sudoers.d/91-salt-sudo-users:
file.absent:
- name: /etc/sudoers.d/91-salt-sudo-users
{%- endif %}

{%- if system.get('sudo', {}).get('groups', False) is mapping %}
/etc/sudoers.d/91-salt-sudo-groups:
file.managed:
- source: salt://linux/files/sudoer-groups
- template: jinja
- user: root
- group: root
- mode: 440
- defaults:
groups: {{ system.sudo.groups|yaml }}
- check_cmd: /usr/sbin/visudo -c -f
{%- else %}
/etc/sudoers.d/91-salt-sudo-groups:
file.absent:
- name: /etc/sudoers.d/91-salt-sudo-groups
{%- endif %}

{%- else %}

/etc/sudoers.d/90-salt-sudo-aliases:
file.absent:
- name: /etc/sudoers.d/90-salt-sudo-aliases

/etc/sudoers.d/91-salt-sudo-users:
file.absent:
- name: /etc/sudoers.d/91-salt-sudo-users

/etc/sudoers.d/91-salt-sudo-groups:
file.absent:
- name: /etc/sudoers.d/91-salt-sudo-groups

{%- endif %}
{%- endif %}
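Review bot: The aliases state tests `system.get('sudo', {}).get('aliases', False)` and renders `system.sudo.aliases|yaml`, but both README.rst and tests/pillar/system.sls in this commit define the aliases under `alias:`, so with the documented pillar the aliases file is declared absent while the users and groups files still reference DBA, SALT and the command aliases. Use one spelling — `alias` to match the docs — on the `is mapping` test and on the `defaults:` line, e.g. `aliases: {{ system.sudo.alias|yaml }}`. Note that `visudo -c -f` is run on each rendered file in isolation, so an alias defined in the sibling 90-salt-sudo-aliases file cannot be resolved during that check; I believe non-strict visudo only warns on an undefined alias, so the mismatch above may pass the check_cmd and only surface when sudo parses the directory — worth confirming. `mode: 440` works because it has no leading zero, but the conventional Salt form is the quoted string `mode: '0440'`.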

+ 1
- 0
linux/system/user.sls View File

user_name: {{ name }} user_name: {{ name }}
- require: - require:
- user: system_user_{{ name }} - user: system_user_{{ name }}
- check_cmd: /usr/sbin/visudo -c -f


{%- endif %} {%- endif %}



+ 134
- 2
tests/pillar/system.sls View File

system: system:
enabled: true enabled: true
cluster: default cluster: default
name: test01
name: linux
timezone: Europe/Prague timezone: Europe/Prague
domain: local domain: local
environment: prd environment: prd
hostname: system.pillar.local
apparmor: apparmor:
enabled: false enabled: false
haveged: haveged:
rate: 115200 rate: 115200
term: xterm term: xterm
prompt: prompt:
default: "test01.local$"
default: "linux.ci.local$"
kernel: kernel:
sriov: True sriov: True
isolcpu: 1,2,3,4 isolcpu: 1,2,3,4
uid: 9999 uid: 9999
full_name: Test User full_name: Test User
home: /home/test home: /home/test
groups:
- root
salt_user1:
enabled: true
name: saltuser1
sudo: false
uid: 9991
full_name: Salt User1
home: /home/saltuser1
salt_user2:
enabled: true
name: saltuser2
sudo: false
uid: 9992
full_name: Salt Sudo User2
home: /home/saltuser2
group: group:
test: test:
enabled: true enabled: true
name: test name: test
gid: 9999 gid: 9999
system: true system: true
db-ops:
enabled: true
name: testgroup
salt-ops:
enabled: true
name: sudogroup0
sudogroup1:
enabled: true
name: sudogroup1
sudogroup2:
enabled: true
name: sudogroup2
sudogroup3:
enabled: false
name: sudogroup3
job: job:
test: test:
enabled: true enabled: true
enabled: true enabled: true
autoupdates: autoupdates:
enabled: true enabled: true
sudo:
enabled: true
alias:
runas:
DBA:
- postgres
- mysql
SALT:
- root
host:
LOCAL:
- localhost
PRODUCTION:
- db1
- db2
command:
SUDO_RESTRICTED_SU:
- /bin/vi /etc/sudoers
- /bin/su - root
- /bin/su -
- /bin/su
- /usr/sbin/visudo
SUDO_SHELLS:
- /bin/sh
- /bin/ksh
- /bin/bash
- /bin/rbash
- /bin/dash
- /bin/zsh
- /bin/csh
- /bin/fish
- /bin/tcsh
- /usr/bin/login
- /usr/bin/su
- /usr/su
SUDO_SALT_SAFE:
- /usr/bin/salt state*
- /usr/bin/salt service*
- /usr/bin/salt pillar*
- /usr/bin/salt grains*
- /usr/bin/salt saltutil*
- /usr/bin/salt-call state*
- /usr/bin/salt-call service*
- /usr/bin/salt-call pillar*
- /usr/bin/salt-call grains*
- /usr/bin/salt-call saltutil*
SUDO_SALT_TRUSTED:
- /usr/bin/salt*
users:
saltuser1: {}
saltuser2:
hosts:
- LOCAL
# User Alias:
DBA:
hosts:
- ALL
commands:
- SUDO_SALT_SAFE
groups:
db-ops:
hosts:
- ALL
- '!PRODUCTION'
runas:
- DBA
commands:
- /bin/cat *
- /bin/less *
- /bin/ls *
- SUDO_SALT_SAFE
- '!SUDO_SHELLS'
- '!SUDO_RESTRICTED_SU'
salt-ops:
hosts:
- 'ALL'
runas:
- SALT
commands:
- SUDO_SALT_TRUSTED
salt-ops2:
name: salt-ops
runas:
- DBA
commands:
- SUDO_SHELLS
sudogroup1:
commands:
- ALL
sudogroup2:
commands:
- ALL
hosts:
- localhost
users:
- test
nopasswd: false
sudogroup3:
commands:
- ALL
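Review bot: The sudo `groups:` entries `db-ops` and `salt-ops` carry no `name:`, so the sudoer-groups template renders `%db-ops` and `%salt-ops`, whereas the `group:` section of this same pillar presumably creates those keys as the Unix groups `testgroup` and `sudogroup0`; the rules would then never match the groups the pillar creates. Either add `name: testgroup` and `name: sudogroup0` to the sudo entries, or align the group names, as `salt-ops2` already does with `name: salt-ops`. `users:` under `sudogroup2` is not read by the sudoer-groups template and is silently ignored, which is easy to mistake for a working restriction. The `system:` mapping that this section belongs to begins at its first line, but the pillar file continues outside the section.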
