ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-07-16 09:55:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Use visudo to validate sudoers rules before use

Browse source
This commit is contained in:
Jon Ellis 2022-06-05 23:15:52 +01:00
parent c6d4a0db80
commit 8c16daf766
2 changed files with 51 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

16
plugins/modules/system/sudoers.py
View file

@ -109,6 +109,7 @@ EXAMPLES = '''
'''
import os
import subprocess
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.common.text.converters import to_native
@ -134,6 +135,8 @@ class Sudoers(object):
with open(self.file, 'w') as f:
f.write(self.content())
os.chmod(self.file, 0o440)
def delete(self):
if self.check_mode:
return
@ -158,11 +161,24 @@ class Sudoers(object):
runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
return "{owner} ALL={runas}{nopasswd} {commands}\n".format(owner=owner, runas=runas_str, nopasswd=nopasswd_str, commands=commands_str)
def validate(self):
# fork to visudo
content = bytes(self.content(), 'utf-8')
check_command = ['visudo', '-c', '-f', '-']
check = subprocess.Popen(check_command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = check.communicate(input=content)
if check.returncode != 0:
raise Exception('Failed to validate sudoers rule:\n{stdout}'.format(stdout=stdout))
def run(self):
if self.state == 'absent' and self.exists():
self.delete()
return True
self.validate()
if self.exists() and self.matches():
return False