From b149aba5c77b908c7bfb4b041f50231d0fdddcf9 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Fri, 30 Dec 2016 13:04:30 +0100
Subject: [PATCH] committing changes in /etc after emerge run

Package changes:
+app-admin/sudo-1.8.18_p1
---
 .etckeeper | 6 +++
 ldap.conf.sudo | 6 +++
 openldap/schema/sudo.schema | 76 +++++++++++++++++++++++++++++
 pam.d/sudo | 6 +++
 portage/world | 1 +
 sudoers | 97 +++++++++++++++++++++++++++++++++++++
 6 files changed, 192 insertions(+)
 create mode 100644 ldap.conf.sudo
 create mode 100644 openldap/schema/sudo.schema
 create mode 100644 pam.d/sudo
 create mode 100644 sudoers

diff --git a/.etckeeper b/.etckeeper
index d9d7a67..7b00e86 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -19,6 +19,7 @@ mkdir -p './puppetlabs/puppet/ssl/private'
 mkdir -p './security/limits.d'
 mkdir -p './security/namespace.d'
 mkdir -p './skel/.ssh'
+mkdir -p './sudoers.d'
 mkdir -p './udev/hwdb.d'
 mkdir -p './udev/rules.d'
 maybe chmod 0755 '.'
@@ -505,6 +506,7 @@ maybe chmod 0644 'layman/overlays/.keep_app-portage_layman-0'
 maybe chmod 0644 'ld.so.conf'
 maybe chmod 0755 'ld.so.conf.d'
 maybe chmod 0644 'ld.so.conf.d/05gcc-x86_64-pc-linux-gnu.conf'
+maybe chmod 0440 'ldap.conf.sudo'
 maybe chmod 0644 'leinrc'
 maybe chmod 0640 'libaudit.conf'
 maybe chmod 0755 'local.d'
@@ -594,6 +596,7 @@ maybe chmod 0444 'openldap/schema/ppolicy.ldif'
 maybe chmod 0444 'openldap/schema/ppolicy.schema'
 maybe chmod 0644 'openldap/schema/puppet.schema'
 maybe chmod 0644 'openldap/schema/rfc2307bis.schema'
+maybe chmod 0644 'openldap/schema/sudo.schema'
 maybe chgrp 'ldap' 'openldap/slapd.conf'
 maybe chmod 0640 'openldap/slapd.conf'
 maybe chgrp 'ldap' 'openldap/slapd.conf.default'
@@ -638,6 +641,7 @@ maybe chmod 0644 'pam.d/shadow'
 maybe chmod 0644 'pam.d/sshd'
 maybe chmod 0644 'pam.d/start-stop-daemon'
 maybe chmod 0644 'pam.d/su'
+maybe chmod 0644 'pam.d/sudo'
 maybe chmod 0644 'pam.d/supervise-daemon'
 maybe chmod 0644 'pam.d/system-auth'
 maybe chmod 0644 'pam.d/system-local-login'
@@ -905,6 +909,8 @@ maybe chmod 0755 'ssmtp'
 maybe chmod 0644 'ssmtp/revaliases'
 maybe chgrp 'ssmtp' 'ssmtp/ssmtp.conf'
 maybe chmod 0640 'ssmtp/ssmtp.conf'
+maybe chmod 0440 'sudoers'
+maybe chmod 0750 'sudoers.d'
 maybe chmod 0644 'sysctl.conf'
 maybe chmod 0755 'sysctl.d'
 maybe chmod 0644 'sysctl.d/README'
diff --git a/ldap.conf.sudo b/ldap.conf.sudo
new file mode 100644
index 0000000..9d894b5
--- /dev/null
+++ b/ldap.conf.sudo
@@ -0,0 +1,6 @@
+# See ldap.conf(5) and README.LDAP for details
+# This file should only be readable by root
+
+# supported directives: host, port, ssl, ldap_version
+# uri, binddn, bindpw, sudoers_base, sudoers_debug
+# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
diff --git a/openldap/schema/sudo.schema b/openldap/schema/sudo.schema
new file mode 100644
index 0000000..d3e95e0
--- /dev/null
+++ b/openldap/schema/sudo.schema
@@ -0,0 +1,76 @@
+#
+# OpenLDAP schema file for Sudo
+# Save as /etc/openldap/schema/sudo.schema
+#
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo (deprecated)'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+ description )
+ )
diff --git a/pam.d/sudo b/pam.d/sudo
new file mode 100644
index 0000000..b94d487
--- /dev/null
+++ b/pam.d/sudo
@@ -0,0 +1,6 @@
+# File autogenerated by pamd_mimic in pam eclass
+
+
+auth include system-auth
+account include system-auth
+session include system-auth
diff --git a/portage/world b/portage/world
index 5f87afe..0327d28 100644
--- a/portage/world
+++ b/portage/world
@@ -13,6 +13,7 @@ app-portage/layman
 app-portage/portage-utils
 app-shells/bash-completion
 app-vim/puppet-syntax
+dev-db/postgresql
 dev-java/leiningen-bin
 dev-java/oracle-jdk-bin
 dev-ruby/hiera
diff --git a/sudoers b/sudoers
new file mode 100644
index 0000000..c1563c9
--- /dev/null
+++ b/sudoers
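Review bot: The commit's `Package changes:` line lists only `+app-admin/sudo-1.8.18_p1`, yet the portage/world hunk adds `dev-db/postgresql` to the world set. If postgresql was merely marked as selected in the same emerge run with no version change to report, saying so in the description would explain the mismatch; otherwise the package summary is incomplete and a reader of the history cannot tell what was actually installed alongside sudo.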
@@ -0,0 +1,97 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users. These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands. Often used to group related commands together.
+# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file. Note that other programs use HOME to find
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods. Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to use a hard-coded PATH instead of the user's to find commands
+# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw # Ask for the password of the target user
+# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d
-- 
2.39.5
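Review bot: `# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"` is committed commented out, so sudo will resolve commands through the invoking user's PATH unless the build bakes in a compile-time secure_path, which this hunk cannot show; the only active policy line is `root ALL=(ALL) ALL`, and uncommenting the secure_path line is the one-line hardening I would make before the file goes live. `# Defaults mail_badpass` and `# Defaults log_output` are also left off, so failed password attempts and command output are recorded only through sudo's default syslog entries; enabling at least `Defaults mail_badpass` gives an operator a signal on repeated bad-password attempts. The closing `#includedir /etc/sudoers.d` is consistent with .etckeeper's `maybe chmod 0750 'sudoers.d'` and `maybe chmod 0440 'sudoers'`, so the drop-in directory and the main file are protected alike. The hunk begins on the previous source line; this note covers the whole 97-line file.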