osbuild icon indicating copy to clipboard operation
osbuild copied to clipboard

Published 20 hours ago verified publisher icon osbuild

stages: add a `sudoers` stage

Open supakeen opened this issue 2 years ago • 7 comments

An initial implementation of a sudoers stage.

This is currently really basic as in it only takes some placeholders like so:

        {
          "type": "org.osbuild.sudoers",
          "options": {
            "filename": "/etc/sudoers.d/10-test",
            "specifications": [
              {
                "user": "user",
                "host": "ALL",
                "target": "ALL",
                "command": "ALL"
              }
            ]
          }
        }

And formats them into a file.

  • [ ] Validate data in fields according to the EBNF of sudo.
  • [x] Do we want the types to be arrays and do the joining on , ourselves for User_List, etc
  • [ ] Do we want to validate that users/groups actually exist?
  • [ ] Do we want to run visudo -cf on the resultant file?

This idea came from the #947 PR.

supakeen avatar May 30 '22 09:05 supakeen

With the merge of #1037, this now passes tests (at least locally) so I'm changing this from draft to an actual PR so we can discuss schema and scope.

user@desktopa osbuild € sudo pytest -vv test/run/test_stages.py -k sudoers
=============================== test session starts ===============================
platform linux -- Python 3.10.4, pytest-6.2.5, py-1.11.0, pluggy-1.0.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /home/supakeen/src/osbuild
plugins: anyio-3.5.0
collected 60 items / 59 deselected / 1 selected                                   

test/run/test_stages.py::TestStages::test_sudoers PASSED                    [100%]

=================== 1 passed, 59 deselected in 85.10s (0:01:25) ===================

supakeen avatar Jun 01 '22 08:06 supakeen

Does it ever make sense to have these files anywhere else than /etc/sudo.d/? Could we hard code the directory?

teg avatar Jun 18 '22 10:06 teg

@teg I think the only option I could see is if you want to write /etc/sudoers directly. That's likely a bad plan on the manifest creators side so hardcoding the prefix seems good to me.

supakeen avatar Jun 18 '22 10:06 supakeen

i think we hardcode the "correct" path in other stages. usually we go for /usr if supported, but not sure if sudo supports that

teg avatar Jun 18 '22 10:06 teg

  • Hardcoded the /etc/sudoers.d path. Changed filename pattern to not allow /.

supakeen avatar Jul 29 '22 13:07 supakeen

I think this needs to run visudo -cs on the resulting changes to validate them. Otherwise you can end up with a situation where bad user input may be really difficult to debug.

bcl avatar Oct 07 '22 23:10 bcl

@bcl Yea, I feel the same way. I'll add it. Theoretically we should be unable to generate a faulty sudoers file, practically it can probably happen.

supakeen avatar Oct 08 '22 10:10 supakeen