author | Dan Fandrich <danf@mageia.org> | 2024-09-30 16:38:20 -0700 |
---|---|---|
committer | Dan Fandrich <danf@mageia.org> | 2024-09-30 16:45:03 -0700 |
commit | 2a2686188674bee2b19bef5f09b11f80fd63046b (patch) | |
tree | 8ea9faa79d1d2e0420a115c74c07258ff4ff4404 /modules | |
parent | ca3d3ce540b88d0ca3d4f43f7bbbba28b462ef99 (diff) | |
Tighten the sudo for the maintdb scripts
Make sudoers a bit more robust against attempts to play with the
arguments. Unfortunately, our sudo is too old to support regexes.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/buildsystem/templates/maintdb/sudoers.maintdb | 6 | ||||
-rw-r--r-- | modules/buildsystem/templates/maintdb/wrapper.maintdb | 3 |
2 files changed, 5 insertions, 4 deletions
diff --git a/modules/buildsystem/templates/maintdb/sudoers.maintdb b/modules/buildsystem/templates/maintdb/sudoers.maintdb index c4bef4cb..4744e534 100644 --- a/modules/buildsystem/templates/maintdb/sudoers.maintdb +++ b/modules/buildsystem/templates/maintdb/sudoers.maintdb @@ -1,2 +1,4 @@ -%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> -<%= scope.lookupvar('buildsystem::var::scheduler::login') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> +%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* [gs]et [a-zA-Z0-9]* +%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* set [a-zA-Z0-9]* [a-z]* +<%= scope.lookupvar('buildsystem::var::scheduler::login') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* [gs]et [a-zA-Z0-9]* +<%= scope.lookupvar('buildsystem::var::scheduler::login') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* set [a-zA-Z0-9]* [a-z]* diff --git a/modules/buildsystem/templates/maintdb/wrapper.maintdb b/modules/buildsystem/templates/maintdb/wrapper.maintdb index 2adddd1e..fcf69dab 100644 --- a/modules/buildsystem/templates/maintdb/wrapper.maintdb +++ b/modules/buildsystem/templates/maintdb/wrapper.maintdb 
@@ -22,5 +22,4 @@ then exit 1 fi -sudo -u "$maintdbuser" "$maintdbpath" $(whoami) $@ - +sudo -u "$maintdbuser" "$maintdbpath" $(whoami) "$@" |
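Review bot: In the sudoers.maintdb hunk, the added argument patterns are shell-style globs, not regexes, so `[a-z]*` checks only that the first character is a lowercase letter, and `*` then matches any remaining text. sudoers matches the command-line arguments as one concatenated string, so that `*` also spans the spaces between arguments. The rule ending in `[gs]et [a-zA-Z0-9]*` therefore already accepts everything the longer `set [a-zA-Z0-9]* [a-z]*` rule accepts, and neither limits the number of arguments or the characters after the first one in each position. Please add a comment in the template saying that these patterns are only a coarse filter, and make sure the script at `buildsystem::var::maintdb::binpath` validates the user name, the action and the remaining arguments itself. The rules also do not tie the first argument to the invoking account: only the wrapper supplies `$(whoami)`, so the script should not treat that argument as authenticated when sudo is invoked directly.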
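Review bot: In the wrapper.maintdb hunk, the new sudo line quotes `"$@"` but leaves `$(whoami)` unquoted. Writing it as `"$(whoami)"` keeps the line consistent and avoids word splitting or globbing on the command substitution. Adding `--` before `"$maintdbpath"` would also make it explicit where sudo's own options end. Note that with `"$@"` an argument containing spaces now reaches sudo as a single argument, whereas the sudoers patterns match the arguments as one joined string, so the two files do not agree on argument boundaries; a short comment here pointing at the sudoers template would help the next reader.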