Diffstat (limited to 'community/cloud-init/04-add-doas.patch')
-rw-r--r-- | community/cloud-init/04-add-doas.patch | 188 |
1 files changed, 0 insertions, 188 deletions
diff --git a/community/cloud-init/04-add-doas.patch b/community/cloud-init/04-add-doas.patch
deleted file mode 100644
index 782d71c8394..00000000000
--- a/community/cloud-init/04-add-doas.patch
+++ /dev/null
@@ -1,188 +0,0 @@ -From: Dermot Bradley <dermot_bradley@yahoo.com> -Date: Thu, 26 Aug 2021 00:58 +0100 -Subject: [PATCH] cloud-init: Add doas support - -Add doas support to users_groups module. - ---- - -diff -aur a/cloudinit/config/cc_users_groups.py b/cloudinit/config/cc_users_groups.py ---- a/cloudinit/config/cc_users_groups.py -+++ b/cloudinit/config/cc_users_groups.py -@@ -52,14 +52,20 @@ - if the cloud-config can be intercepted. SSH authentication is preferred. - - .. note:: -+ If specifying a doas rule for a user, ensure that the syntax for the rule -+ is valid, as the only checking performed by cloud-init is to ensure that -+ the user referenced in the rule is the correct user. -+ -+.. note:: - If specifying a sudo rule for a user, ensure that the syntax for the rule - is valid, as it is not checked by cloud-init. - - .. note:: - Most of these configuration options will not be honored if the user - already exists. The following options are the exceptions; they are applied -- to already-existing users: ``plain_text_passwd``, ``hashed_passwd``, -- ``lock_passwd``, ``sudo``, ``ssh_authorized_keys``, ``ssh_redirect_user``. -+ to already-existing users: ``plain_text_passwd``, ``doas``, -+ ``hashed_passwd``, ``lock_passwd``, ``sudo``, ``ssh_authorized_keys``, -+ ``ssh_redirect_user``. - - The ``user`` key can be used to override the ``default_user`` configuration - defined in ``/etc/cloud/cloud.cfg``. The ``user`` value should be a dictionary -diff -aur a/cloudinit/config/schemas/schema-cloud-config-v1.json b/cloudinit/config/schemas/schema-cloud-config-v1.json ---- a/cloudinit/config/schemas/schema-cloud-config-v1.json -+++ b/cloudinit/config/schemas/schema-cloud-config-v1.json -@@ -24,6 +24,12 @@ - "description": "The user's login name. Required otherwise user creation will be skipped for this user.", - "type": "string" - }, -+ "doas": { -+ "description": "List of Doas rules to use. 
Absence of a doas value will result in no doas rules added for this user.", -+ "type": "array", -+ "items": {"type": "string"}, -+ "minItems": 1 -+ }, - "expiredate": { - "default": null, - "description": "Optional. Date on which the user's account will be disabled. Default: ``null``", -diff -aur a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py ---- a/cloudinit/distros/__init__.py -+++ b/cloudinit/distros/__init__.py -@@ -72,6 +72,7 @@ - - usr_lib_exec = "/usr/lib" - hosts_fn = "/etc/hosts" -+ ci_doas_fn = "/etc/doas.d/cloud-init.conf" - ci_sudoers_fn = "/etc/sudoers.d/90-cloud-init-users" - hostname_conf_fn = "/etc/hostname" - tz_zone_dir = "/usr/share/zoneinfo" -@@ -604,6 +605,7 @@ - * ``plain_text_passwd`` - * ``hashed_passwd`` - * ``lock_passwd`` -+ * ``doas`` - * ``sudo`` - * ``ssh_authorized_keys`` - * ``ssh_redirect_user`` -@@ -629,6 +631,10 @@ - if kwargs.get("lock_passwd", True): - self.lock_passwd(name) - -+ # Configure doas access -+ if 'doas' in kwargs and kwargs['doas'] is not False: -+ self.write_doas_rules(name, kwargs['doas']) -+ - # Configure sudo access - if "sudo" in kwargs and kwargs["sudo"] is not False: - self.write_sudo_rules(name, kwargs["sudo"]) -@@ -716,6 +722,85 @@ - - return True - -+ def ensure_doas_dir(self, path): -+ # Ensure the directory actually exists -+ util.ensure_dir(path, 0o750) -+ -+ def is_doas_rule_valid(self, user, rule): -+ rule_pattern = r"^(?:permit|deny)" + \ -+ r"(?:\s+(?:nolog|nopass|persist|keepenv|setenv \{[^}]+\})+)*" + \ -+ r"\s+([a-zA-Z0-9_]+)+" + \ -+ r"(?:\s+as\s+[a-zA-Z0-9_]+)*" + \ -+ r"(?:\s+cmd\s+[^\s]+(?:\s+args\s+[^\s]+(?:\s*[^\s]+)*)*)*" + \ -+ r"\s*$" -+ -+ LOG.debug("Checking if user '%s' is referenced in doas rule %r", -+ user, rule) -+ -+ valid_match = re.search(rule_pattern, rule) -+ if valid_match: -+ LOG.debug("User '%s' referenced in doas rule", -+ valid_match.group(1)) -+ if valid_match.group(1) == user: -+ LOG.debug("Correct user is referenced in doas rule") -+ return True -+ 
else: -+ LOG.debug("Incorrect user '%s' is referenced in doas rule", -+ valid_match.group(1)) -+ return False -+ else: -+ LOG.debug("Doas rule does not appear to reference any user") -+ return False -+ -+ def write_doas_rules(self, user, rules, doas_file=None): -+ if not doas_file: -+ doas_file = self.ci_doas_fn -+ -+ if isinstance(rules, (list, tuple)): -+ for rule in rules: -+ if not self.is_doas_rule_valid(user, rule): -+ msg = "Invalid Doas rule %r for user '%s', not writing any Doas rules for user!" % (rule, user) -+ LOG.error(msg) -+ return -+ elif isinstance(rules, str): -+ if not self.is_doas_rule_valid(user, rule): -+ msg = "Invalid Doas rule %r for user '%s', not writing any Doas rules for user!" % (rule, user) -+ LOG.error(msg) -+ return -+ -+ lines = [ -+ "", -+ "# User rules for %s" % user, -+ ] -+ if isinstance(rules, (list, tuple)): -+ for rule in rules: -+ lines.append("%s" % rule) -+ elif isinstance(rules, str): -+ lines.append("%s" % rules) -+ else: -+ msg = "Can not create Doas rule addition with type %r" -+ raise TypeError(msg % (type_utils.obj_name(rules))) -+ content = "\n".join(lines) -+ content += "\n" # trailing newline -+ -+ self.ensure_doas_dir(os.path.dirname(doas_file)) -+ if not os.path.exists(doas_file): -+ contents = [ -+ util.make_header(), -+ content, -+ ] -+ try: -+ util.write_file(doas_file, "\n".join(contents), 0o440) -+ except IOError as e: -+ util.logexc(LOG, "Failed to write Doas file %s", doas_file) -+ raise e -+ else: -+ try: -+ util.append_file(doas_file, content) -+ except IOError as e: -+ util.logexc(LOG, "Failed to append Doas file %s", doas_file) -+ raise e -+ - def ensure_sudo_dir(self, path, sudo_base="/etc/sudoers"): - # Ensure the dir is included and that - # it actually exists as a directory -diff -aur a/config/cloud.cfg.tmpl b/config/cloud.cfg.tmpl ---- a/config/cloud.cfg.tmpl -+++ b/config/cloud.cfg.tmpl -@@ -265,6 +265,9 @@ - lock_passwd: True - gecos: {{ variant }} Cloud User - {% endif %} -+{% if variant == 
"alpine" %} -+ doas: ["permit nopass alpine"] -+{% endif %} - {% if variant == "suse" %} - groups: [cdrom, users] - {% elif variant == "gentoo" %} -@@ -272,7 +275,7 @@ - primary_group: users - no_user_group: true - {% elif variant == "alpine" %} -- groups: [adm, sudo] -+ groups: [adm, sudo, wheel] - {% elif variant == "arch" %} - groups: [wheel, users] - {% elif variant == "rhel" %} |