aboutsummaryrefslogtreecommitdiffstats
path: root/community/cloud-init/04-add-doas.patch
diff options
context:
space:
mode:
Diffstat (limited to 'community/cloud-init/04-add-doas.patch')
-rw-r--r--community/cloud-init/04-add-doas.patch188
1 files changed, 0 insertions, 188 deletions
diff --git a/community/cloud-init/04-add-doas.patch b/community/cloud-init/04-add-doas.patch
deleted file mode 100644
index 782d71c8394..00000000000
--- a/community/cloud-init/04-add-doas.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From: Dermot Bradley <dermot_bradley@yahoo.com>
-Date: Thu, 26 Aug 2021 00:58 +0100
-Subject: [PATCH] cloud-init: Add doas support
-
-Add doas support to users_groups module.
-
----
-
-diff -aur a/cloudinit/config/cc_users_groups.py b/cloudinit/config/cc_users_groups.py
---- a/cloudinit/config/cc_users_groups.py
-+++ b/cloudinit/config/cc_users_groups.py
-@@ -52,14 +52,20 @@
- if the cloud-config can be intercepted. SSH authentication is preferred.
-
- .. note::
-+ If specifying a doas rule for a user, ensure that the syntax for the rule
-+ is valid, as the only checking performed by cloud-init is to ensure that
-+ the user referenced in the rule is the correct user.
-+
-+.. note::
- If specifying a sudo rule for a user, ensure that the syntax for the rule
- is valid, as it is not checked by cloud-init.
-
- .. note::
- Most of these configuration options will not be honored if the user
- already exists. The following options are the exceptions; they are applied
-- to already-existing users: ``plain_text_passwd``, ``hashed_passwd``,
-- ``lock_passwd``, ``sudo``, ``ssh_authorized_keys``, ``ssh_redirect_user``.
-+ to already-existing users: ``plain_text_passwd``, ``doas``,
-+ ``hashed_passwd``, ``lock_passwd``, ``sudo``, ``ssh_authorized_keys``,
-+ ``ssh_redirect_user``.
-
- The ``user`` key can be used to override the ``default_user`` configuration
- defined in ``/etc/cloud/cloud.cfg``. The ``user`` value should be a dictionary
-diff -aur a/cloudinit/config/schemas/schema-cloud-config-v1.json b/cloudinit/config/schemas/schema-cloud-config-v1.json
---- a/cloudinit/config/schemas/schema-cloud-config-v1.json
-+++ b/cloudinit/config/schemas/schema-cloud-config-v1.json
-@@ -24,6 +24,12 @@
- "description": "The user's login name. Required otherwise user creation will be skipped for this user.",
- "type": "string"
- },
-+ "doas": {
-+ "description": "List of Doas rules to use. Absence of a doas value will result in no doas rules added for this user.",
-+ "type": "array",
-+ "items": {"type": "string"},
-+ "minItems": 1
-+ },
- "expiredate": {
- "default": null,
- "description": "Optional. Date on which the user's account will be disabled. Default: ``null``",
-diff -aur a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py
---- a/cloudinit/distros/__init__.py
-+++ b/cloudinit/distros/__init__.py
-@@ -72,6 +72,7 @@
-
- usr_lib_exec = "/usr/lib"
- hosts_fn = "/etc/hosts"
-+ ci_doas_fn = "/etc/doas.d/cloud-init.conf"
- ci_sudoers_fn = "/etc/sudoers.d/90-cloud-init-users"
- hostname_conf_fn = "/etc/hostname"
- tz_zone_dir = "/usr/share/zoneinfo"
-@@ -604,6 +605,7 @@
- * ``plain_text_passwd``
- * ``hashed_passwd``
- * ``lock_passwd``
-+ * ``doas``
- * ``sudo``
- * ``ssh_authorized_keys``
- * ``ssh_redirect_user``
-@@ -629,6 +631,10 @@
- if kwargs.get("lock_passwd", True):
- self.lock_passwd(name)
-
-+ # Configure doas access
-+ if 'doas' in kwargs and kwargs['doas'] is not False:
-+ self.write_doas_rules(name, kwargs['doas'])
-+
- # Configure sudo access
- if "sudo" in kwargs and kwargs["sudo"] is not False:
- self.write_sudo_rules(name, kwargs["sudo"])
-@@ -716,6 +722,85 @@
-
- return True
-
-+ def ensure_doas_dir(self, path):
-+ # Ensure the directory actually exists
-+ util.ensure_dir(path, 0o750)
-+
-+ def is_doas_rule_valid(self, user, rule):
-+ rule_pattern = r"^(?:permit|deny)" + \
-+ r"(?:\s+(?:nolog|nopass|persist|keepenv|setenv \{[^}]+\})+)*" + \
-+ r"\s+([a-zA-Z0-9_]+)+" + \
-+ r"(?:\s+as\s+[a-zA-Z0-9_]+)*" + \
-+ r"(?:\s+cmd\s+[^\s]+(?:\s+args\s+[^\s]+(?:\s*[^\s]+)*)*)*" + \
-+ r"\s*$"
-+
-+ LOG.debug("Checking if user '%s' is referenced in doas rule %r",
-+ user, rule)
-+
-+ valid_match = re.search(rule_pattern, rule)
-+ if valid_match:
-+ LOG.debug("User '%s' referenced in doas rule",
-+ valid_match.group(1))
-+ if valid_match.group(1) == user:
-+ LOG.debug("Correct user is referenced in doas rule")
-+ return True
-+ else:
-+ LOG.debug("Incorrect user '%s' is referenced in doas rule",
-+ valid_match.group(1))
-+ return False
-+ else:
-+ LOG.debug("Doas rule does not appear to reference any user")
-+ return False
-+
-+ def write_doas_rules(self, user, rules, doas_file=None):
-+ if not doas_file:
-+ doas_file = self.ci_doas_fn
-+
-+ if isinstance(rules, (list, tuple)):
-+ for rule in rules:
-+ if not self.is_doas_rule_valid(user, rule):
-+ msg = "Invalid Doas rule %r for user '%s', not writing any Doas rules for user!" % (rule, user)
-+ LOG.error(msg)
-+ return
-+ elif isinstance(rules, str):
-+ if not self.is_doas_rule_valid(user, rule):
-+ msg = "Invalid Doas rule %r for user '%s', not writing any Doas rules for user!" % (rule, user)
-+ LOG.error(msg)
-+ return
-+
-+ lines = [
-+ "",
-+ "# User rules for %s" % user,
-+ ]
-+ if isinstance(rules, (list, tuple)):
-+ for rule in rules:
-+ lines.append("%s" % rule)
-+ elif isinstance(rules, str):
-+ lines.append("%s" % rules)
-+ else:
-+ msg = "Can not create Doas rule addition with type %r"
-+ raise TypeError(msg % (type_utils.obj_name(rules)))
-+ content = "\n".join(lines)
-+ content += "\n" # trailing newline
-+
-+ self.ensure_doas_dir(os.path.dirname(doas_file))
-+ if not os.path.exists(doas_file):
-+ contents = [
-+ util.make_header(),
-+ content,
-+ ]
-+ try:
-+ util.write_file(doas_file, "\n".join(contents), 0o440)
-+ except IOError as e:
-+ util.logexc(LOG, "Failed to write Doas file %s", doas_file)
-+ raise e
-+ else:
-+ try:
-+ util.append_file(doas_file, content)
-+ except IOError as e:
-+ util.logexc(LOG, "Failed to append Doas file %s", doas_file)
-+ raise e
-+
- def ensure_sudo_dir(self, path, sudo_base="/etc/sudoers"):
- # Ensure the dir is included and that
- # it actually exists as a directory
-diff -aur a/config/cloud.cfg.tmpl b/config/cloud.cfg.tmpl
---- a/config/cloud.cfg.tmpl
-+++ b/config/cloud.cfg.tmpl
-@@ -265,6 +265,9 @@
- lock_passwd: True
- gecos: {{ variant }} Cloud User
- {% endif %}
-+{% if variant == "alpine" %}
-+ doas: ["permit nopass alpine"]
-+{% endif %}
- {% if variant == "suse" %}
- groups: [cdrom, users]
- {% elif variant == "gentoo" %}
-@@ -272,7 +275,7 @@
- primary_group: users
- no_user_group: true
- {% elif variant == "alpine" %}
-- groups: [adm, sudo]
-+ groups: [adm, sudo, wheel]
- {% elif variant == "arch" %}
- groups: [wheel, users]
- {% elif variant == "rhel" %}