enh: sudoers: support per-OS templates, add one for FreeBSD

Stéphane Lesimple 2020-11-17 11:31:34 +01:00
parent 7085b2d091
commit 0b0200951e
2 changed files with 11 additions and 1 deletions


@ -42,8 +42,16 @@ generate_account_sudoers()
chmod 0440 "${dst}.tmp"
{
echo "# generated from install script"
for template in $(find "$basedir/etc/sudoers.account.template.d/" -type f | sort)
for template in $(find "$basedir/etc/sudoers.account.template.d/" -type f -name "*.sudoers" | sort)
do
# if $template has two dots, then it's of the form XXX-name.$os.sudoers,
# in that case we only include this template if $os is our current OS
if [ "$(echo "$template" | cut -d. -f3)" = "sudoers" ]; then
if [ "$(echo "$template" | cut -d. -f2 | tr '[:upper:]' '[:lower:]')" != "$(echo "$OS_FAMILY" | tr '[:upper:]' '[:lower:]')" ]; then
# not the same OS, skip it
continue
fi
fi
echo
echo "# $template:"
perl -pe "s!%ACCOUNT%!$account!g;s!%NORMACCOUNT%!$normalized_account!g;s!%BASEPATH%!$basedir!g" "$template"
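Review bot: The OS filter in the added `if` never fires, because both `cut -d.` pipelines split the full path in `$template` rather than the file name. The directory `sudoers.account.template.d` in the `find` line already contributes three dots, so field 3 is `template` (or something else again if `$basedir` contains a dot) and never `sudoers`. Every `NNN-name.OS.sudoers` file is therefore emitted on every OS, so a rule written for one platform lands in the sudoers of all of them. Feeding only the file name into the pipelines fixes it: replace `echo "$template"` with `basename "$template"` in both tests, i.e. `if [ "$(basename "$template" | cut -d. -f3)" = "sudoers" ]; then`. The body of generate_account_sudoers starts and ends outside this hunk.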


@ -0,0 +1,2 @@
# under FreeBSD, non-root accounts can't read /etc/spwd.db and there's no helper for pam_unix.so to authenticate users
%ACCOUNT% ALL=(root) NOPASSWD:/usr/bin/env pamtester sshd %ACCOUNT% authenticate
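Review bot: The NOPASSWD rule runs `pamtester` through `/usr/bin/env`, so the binary that executes as root is whatever a PATH lookup finds at run time. Unless the main sudoers sets `secure_path` (not visible on this page), that PATH is taken from the invoking account. Naming the binary by its absolute path in the rule removes the lookup: `%ACCOUNT% ALL=(root) NOPASSWD:<ABSOLUTE_PATH_TO_PAMTESTER> sshd %ACCOUNT% authenticate`. If the indirection through `env` is kept for portability, the comment line should say so and state that the deployment relies on `secure_path`.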