| author | Joey Hess <joeyh@joeyh.name> | 2017-07-17 12:42:31 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2017-07-17 12:42:31 -0400 |
| commit | b6d650730be9369b89623f46cb773dcc880630cb (patch) | |
| tree | 0fe40b365b3e9e99f7df2c180eb87dd00c068ca6 /src | |
| parent | cb885b8a925fcaaec3e3685fc5cd4c369593afef (diff) | |
Propellor.Property.Sudo.enabledFor: Made revertable
(minor API change)
This commit was sponsored by Henrik Riomar on Patreon.
Diffstat (limited to 'src')
| -rw-r--r-- | src/Propellor/Property/Sudo.hs | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs
index 45ab8af2..1614801d 100644
--- a/src/Propellor/Property/Sudo.hs
+++ b/src/Propellor/Property/Sudo.hs
@@ -9,23 +9,33 @@ import Propellor.Property.User

-- | Allows a user to sudo. If the user has a password, sudo is configured
-- to require it. If not, NOPASSWORD is enabled for the user.
-enabledFor :: User -> Property DebianLike
-enabledFor user@(User u) = go `requires` Apt.installed ["sudo"]
+enabledFor :: User -> RevertableProperty DebianLike DebianLike
+enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] <!> cleanup
where
- go :: Property UnixLike
- go = property' desc $ \w -> do
+ setup :: Property UnixLike
+ setup = property' desc $ \w -> do
locked <- liftIO $ isLockedPassword user
ensureProperty w $
fileProperty desc
(modify locked . filter (wanted locked))
- "/etc/sudoers"
- desc = u ++ " is sudoer"
+ sudoers
+ where
+ desc = u ++ " is sudoer"
+
+ cleanup :: Property DebianLike
+ cleanup = tightenTargets $
+ fileProperty desc (filter notuserline) sudoers
+ where
+ desc = u ++ " is not sudoer"
+
+ sudoers = "/etc/sudoers"
sudobaseline = u ++ " ALL=(ALL:ALL)"
+ notuserline l = not (sudobaseline `isPrefixOf` l)
sudoline True = sudobaseline ++ " NOPASSWD:ALL"
sudoline False = sudobaseline ++ " ALL"
wanted locked l
-- TOOD: Full sudoers file format parse..
- | not (sudobaseline `isPrefixOf` l) = True
+ | notuserline l = True
| "NOPASSWD" `isInfixOf` l = locked
| otherwise = True
modify locked ls
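Review bot: The haddock above `enabledFor` still describes only the enabling side, while the new `cleanup` drops every line of /etc/sudoers that `notuserline` rejects, i.e. any line beginning with `u ++ " ALL=(ALL:ALL)"`, not just the `sudoline` this property appends; a hand-written entry for the same user with a narrower command list is removed on revert as well. I would add a sentence to that comment, e.g. `-- Reverting removes every line of /etc/sudoers that starts with @user ALL=(ALL:ALL)@.` Both `wanted` and `notuserline` compare against a single-space `sudobaseline`, so an entry whose fields are separated by a tab or extra spaces is neither adjusted by setup nor removed by the revert, as the existing TOOD comment already hints; that limit is worth stating in the same haddock. The `modify` guards that complete `enabledFor` lie past the end of the hunk.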
