

Allow Runas specification to be optional
The Runas_Spec is an optional statement in sudo configuration [1]:

> If no Runas_Spec is specified, the command may only be run as the
> runas_default user (root by default) and the group, if specified,
> must be one that the runas_default user is a member of.

This commit allows omitting the 'as:' in the role's 'sudo_list*[].sudo'
list mappings.

[1]: https://www.sudo.ws/docs/man/1.9.15/sudoers.man/#Runas_Spec
stejoo authored and groggemans committed Jan 27, 2024
1 parent 3d1744f commit 3dd512f
Showing 3 changed files with 7 additions and 5 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -117,7 +117,7 @@ attributes for each list entry;
| Variable | Description | Required | Default |
|---------------|-------------------|----------|---------|
| `hosts` | Hosts | yes | / |
| `as` | Operators | yes | / |
| `as` | Operators | no | / |
| `commands` | Commands | yes | / |
| `nopasswd` | NOPASSWD flag | no | `no` |
| `passwd` | PASSWD flag | no | `no` |
Expand Down Expand Up @@ -145,6 +145,8 @@ sudo_list:
- hosts: ALL
as: root
commands: /usr/sbin/poweroff
- hosts: ALL
commands: /usr/sbin/reboot
nopasswd: yes
- hosts: ALL
as: ALL
4 changes: 2 additions & 2 deletions templates/etc-sudoers.d-group_template.j2
Expand Up @@ -2,9 +2,9 @@

# Group privilege specification
{% if item.sudo.hosts is defined %}
%{{ item.name }} {{ item.sudo.hosts }}=({{ item.sudo.as }}){{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
%{{ item.name }} {{ item.sudo.hosts }}={% if item.sudo.as is defined %}({{ item.sudo.as }}){% endif %}{{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
{% else %}
{% for entry in item.sudo %}
%{{ item.name }} {{ entry.hosts }}=({{ entry.as }}){{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
%{{ item.name }} {{ entry.hosts }}={% if entry.as is defined %}({{ entry.as }}){% endif %}{{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
{% endfor %}
{% endif %}
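Review bot: The new `{% if item.sudo.as is defined %}` and `{% if entry.as is defined %}` guards only cover a missing key; an explicitly null or empty `as` (YAML `as:` with no value, or `as: ""`) is still "defined" and will still emit a parenthesised value (something like `=()` or `=(None)`), which visudo either rejects or reads as a non-existent runas user, so the entry fails in a confusing way instead of being treated as omitted. The identical guards in templates/etc-sudoers.d-user_template.j2 have the same gap. If null/empty is meant to behave like an absent Runas_Spec, tighten the tests to `{% if entry.as is defined and entry.as %}` (and `{% if item.sudo.as is defined and item.sudo.as %}` on the single-entry line); if not, those values should be rejected before templating so the fallback is never silent. Because omitting the spec hands the command to sudo's runas_default (root unless the sudoers overrides it), a Jinja comment above the block such as `{# No Runas_Spec is emitted when 'as' is absent; sudo then applies runas_default (root by default) #}` would make that privilege consequence visible to the next person editing the template.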
4 changes: 2 additions & 2 deletions templates/etc-sudoers.d-user_template.j2
Expand Up @@ -2,9 +2,9 @@

# User privilege specification
{% if item.sudo.hosts is defined %}
{{ item.name }} {{ item.sudo.hosts }}=({{ item.sudo.as }}){{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
{{ item.name }} {{ item.sudo.hosts }}={% if item.sudo.as is defined %}({{ item.sudo.as }}){% endif %}{{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
{% else %}
{% for entry in item.sudo %}
{{ item.name }} {{ entry.hosts }}=({{ entry.as }}){{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
{{ item.name }} {{ entry.hosts }}={% if entry.as is defined %}({{ entry.as }}){% endif %}{{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
{% endfor %}
{% endif %}
