[PR #7983/49bd9cbd backport][stable-8] Add noexec support to sudoers (#8012)

Add noexec support to sudoers (#7983) * Add noexec support to sudoers * Add changelog fragment #7983 * Fix yml formatting in fragment 7983 * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit 49bd9cbd3c) Co-authored-by: adaniaud <adaniaud@users.noreply.github.com>
2025-04-24 19:31:26 -07:00 · 2024-02-23 07:08:04 +00:00 · 2024-02-23 07:08:04 +00:00 · a7a2631333
commit a7a2631333
parent c089260c88
3 changed files with 40 additions and 1 deletions
--- a/plugins/modules/sudoers.py
+++ b/plugins/modules/sudoers.py
@ -45,6 +45,12 @@ options:
      - The name of the sudoers rule.
      - This will be used for the filename for the sudoers file managed by this rule.
    type: str
+  noexec:
+    description:
+      - Whether a command is prevented to run further commands itself.
+    default: false
+    type: bool
+    version_added: 8.4.0
  nopassword:
    description:
      - Whether a password will be required to run the sudo'd command.
@ -143,6 +149,15 @@ EXAMPLES = '''
    user: alice
    commands: /usr/local/bin/upload
    setenv: true
+
+- name: >-
+    Allow alice to sudo /usr/bin/less but prevent less from
+    running further commands itself
+  community.general.sudoers:
+    name: allow-alice-restricted-less
+    user: alice
+    commands: /usr/bin/less
+    noexec: true
 '''

 import os
@ -162,6 +177,7 @@ class Sudoers(object):
        self.user = module.params['user']
        self.group = module.params['group']
        self.state = module.params['state']
+        self.noexec = module.params['noexec']
        self.nopassword = module.params['nopassword']
        self.setenv = module.params['setenv']
        self.host = module.params['host']
@ -205,13 +221,15 @@ class Sudoers(object):
            owner = '%{group}'.format(group=self.group)

        commands_str = ', '.join(self.commands)
+        noexec_str = 'NOEXEC:' if self.noexec else ''
        nopasswd_str = 'NOPASSWD:' if self.nopassword else ''
        setenv_str = 'SETENV:' if self.setenv else ''
        runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
-        return "{owner} {host}={runas}{nopasswd}{setenv} {commands}\n".format(
+        return "{owner} {host}={runas}{noexec}{nopasswd}{setenv} {commands}\n".format(
            owner=owner,
            host=self.host,
            runas=runas_str,
+            noexec=noexec_str,
            nopasswd=nopasswd_str,
            setenv=setenv_str,
            commands=commands_str
@ -258,6 +276,10 @@ def main():
        'name': {
            'required': True,
        },
+        'noexec': {
+            'type': 'bool',
+            'default': False,
+        },
        'nopassword': {
            'type': 'bool',
            'default': True,