Browse Source
Check for sudo_rules before text.append state.
Since ebe5198f, if a user's pillar dict didn't contain sudo_rules, a broken file.append state would be rendered (since some text is required). With this patch, the file is still created/managed by the previous state, but will be empty by default if created fresh. This seems a more sensible default than assuming a default sudoer policy. Further, since the first word on each rule line should be the user's name, that is now assumed.tags/v0.45.0
Adam Wright
11 years ago
1 changed files with 9 additions and 7 deletions
+ 9
- 7
users/init.sls
View File
| - user: root | - user: root | ||||
| - group: root | - group: root | ||||
| - mode: '0440' | - mode: '0440' | ||||
| {% if 'sudo_rules' in user %} | |||||
| /etc/sudoers.d/{{ name }}: | /etc/sudoers.d/{{ name }}: | ||||
| file.append: | file.append: | ||||
| - text: | |||||
| {% for rule in user.get('sudo_rules', []) %} | |||||
| - {{ rule }} | |||||
| {% endfor %} | |||||
| - require: | |||||
| - file: sudoer-defaults | |||||
| - file: sudoer-{{ name }} | |||||
| - text: | |||||
| {% for rule in user['sudo_rules'] %} | |||||
| - "{{ name }} {{ rule }}" | |||||
| {% endfor %} | |||||
| - require: | |||||
| - file: sudoer-defaults | |||||
| - file: sudoer-{{ name }} | |||||
| {% endif %} | |||||
| {% else %} | {% else %} | ||||
| /etc/sudoers.d/{{ name }}: | /etc/sudoers.d/{{ name }}: | ||||
| file.absent: | file.absent: |
Loading…