From c0395aadcbaf17db5490f7724dcba2a7e30db2d3 Mon Sep 17 00:00:00 2001
From: Quotengrote <38253905+quotengrote@users.noreply.github.com>
Date: Fri, 23 Oct 2020 12:53:30 +0200
Subject: [PATCH] =?UTF-8?q?zfs=20f=C3=BCr=20non-root=20User=20+=20visudo?= =?UTF-8?q?=20(#54)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* ZFS Commands RO für non-Root-User angelegt
* Visudo für alle Tasks die in /etc/sudoers.d arbeiten
* linter 201
---
 roles/mgrote.create_users/tasks/main.yml | 1 +
 roles/mgrote.zfs_tools/tasks/main.yml | 12 ++++++++++++
 roles/mgrote.zfs_tools/templates/sudoers_zfs | 18 ++++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 roles/mgrote.zfs_tools/templates/sudoers_zfs
diff --git a/roles/mgrote.create_users/tasks/main.yml b/roles/mgrote.create_users/tasks/main.yml
index 7f924cb1..d3f68703 100644
--- a/roles/mgrote.create_users/tasks/main.yml
+++ b/roles/mgrote.create_users/tasks/main.yml
@@ -38,4 +38,5 @@
 template:
 src: sudoers
 dest: /etc/sudoers.d/{{ create_user_name }}
+ validate: /usr/sbin/visudo -cf %s
 # no_log: true
diff --git a/roles/mgrote.zfs_tools/tasks/main.yml b/roles/mgrote.zfs_tools/tasks/main.yml
index cb29b37e..ed874bcd 100644
--- a/roles/mgrote.zfs_tools/tasks/main.yml
+++ b/roles/mgrote.zfs_tools/tasks/main.yml
@@ -83,3 +83,15 @@
 mode: 0555
 src: zfs-free.sh
 dest: /usr/local/bin/zfs-free.sh
+
+ - name: Erlaube "non-root" Usern Read-Only ZFS Commands
+ become: yes
+ template:
+ src: sudoers_zfs
+ dest: /etc/sudoers.d/zfs
+ owner: root
+ group: root
+ force: yes
+ backup: yes
+ mode: 0440
+ validate: /usr/sbin/visudo -cf %s
diff --git a/roles/mgrote.zfs_tools/templates/sudoers_zfs b/roles/mgrote.zfs_tools/templates/sudoers_zfs
new file mode 100644
index 00000000..0acd6387
--- /dev/null
+++ b/roles/mgrote.zfs_tools/templates/sudoers_zfs
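Review bot: The added `validate: /usr/sbin/visudo -cf %s` checks only the temporary file Ansible hands it, so it says nothing about the destination name `/etc/sudoers.d/{{ create_user_name }}`: sudo skips files in its include directory whose name contains a `.` or ends in `~`, so a user name like `jane.doe` (constructed example) would produce a fragment that validates cleanly and is never consulted. Consider guarding the name in a preceding task, e.g. `- assert: { that: "'.' not in create_user_name and not create_user_name.endswith('~')" }`, or documenting the constraint on the role variable. Whether the task also sets `owner`, `group` and `mode` to what sudo requires for an includedir file (root-owned, not writable by others) is outside the hunk; the enclosing task starts before it.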
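Review bot: The new task writes `/etc/sudoers.d/zfs` with root ownership, mode 0440 and `visudo -cf` validation, which is the right shape, but nothing in the hunk ensures the target's `/etc/sudoers` actually includes that directory; on a host whose sudoers lacks an includedir line the fragment validates, is deployed and is silently never consulted, and a reader cannot tell whether that was considered. A comment on the task would make the assumption explicit, e.g. `# assumes /etc/sudoers has '#includedir /etc/sudoers.d' — verify on target hosts`. Note also that `backup: yes` leaves timestamped copies next to the live file on every change; sudo ignores names containing a `.` or ending in `~`, so they are inert, but they accumulate under /etc/sudoers.d unless something prunes them.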
@@ -0,0 +1,18 @@
+# Allow read-only ZoL commands to be called through sudo
+# without a password. Remove the first '#' column to enable.
+#
+# CAUTION: Any syntax error introduced here will break sudo.
+#
+# Cmnd alias specification
+Cmnd_Alias C_ZFS = \
+ /sbin/zfs "", /sbin/zfs help *, \
+ /sbin/zfs get, /sbin/zfs get *, \
+ /sbin/zfs list, /sbin/zfs list *, \
+ /sbin/zpool "", /sbin/zpool help *, \
+ /sbin/zpool iostat, /sbin/zpool iostat *, \
+ /sbin/zpool list, /sbin/zpool list *, \
+ /sbin/zpool status, /sbin/zpool status *, \
+ /sbin/zpool upgrade, /sbin/zpool upgrade -v
+#
+# allow any user to use basic read-only ZFS commands
+ALL ALL = (root) NOPASSWD: C_ZFS
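Review bot: The header comment `# without a password. Remove the first '#' column to enable.` is stale in this copy: the `Cmnd_Alias` and the rule below are already uncommented and deployed live by the role, so there is no column to remove; replace it with a comment describing what the fragment does, e.g. `# Deployed by the mgrote.zfs_tools role: passwordless read-only zfs/zpool commands for all users.` The closing rule `ALL ALL = (root) NOPASSWD: C_ZFS` grants every local account on every host, service accounts included, passwordless sudo to these commands — they are read-only, but `zfs get`/`zfs list` and `zpool status` still expose dataset layout and property values to anyone with a shell, so if only a known set of operators needs this, a group rule such as `%zfs-readers ALL = (root) NOPASSWD: C_ZFS` (constructed group name) scopes it more tightly. The `/sbin/zfs` and `/sbin/zpool` paths are hard-coded; on targets where the binaries are installed elsewhere these entries will not match, which is worth verifying against the hosts the role runs on.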