Merge pull request #142 from IMBArator/policykit-settings

make AdminIdentity configureable per user
This commit is contained in:
N 2019-06-18 15:59:54 +01:00 committed by GitHub
commit d80338d4a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 47 additions and 3 deletions

View File

@ -55,6 +55,8 @@ users:
- ALL=(otheruser) /usr/bin/script.sh - ALL=(otheruser) /usr/bin/script.sh
sudo_defaults: sudo_defaults:
- '!requiretty' - '!requiretty'
# enable polkitadmin to make user an AdminIdentity for polkit
polkitadmin: True
shell: /bin/bash shell: /bin/bash
remove_groups: False remove_groups: False
prime_group: prime_group:

View File

@ -3,6 +3,7 @@
{% set used_sudo = [] %} {% set used_sudo = [] %}
{% set used_googleauth = [] %} {% set used_googleauth = [] %}
{% set used_user_files = [] %} {% set used_user_files = [] %}
{% set used_polkit = [] %}
{% for group, setting in salt['pillar.get']('groups', {}).items() %} {% for group, setting in salt['pillar.get']('groups', {}).items() %}
{% if setting.absent is defined and setting.absent or setting.get('state', "present") == 'absent' %} {% if setting.absent is defined and setting.absent or setting.get('state', "present") == 'absent' %}
@ -38,9 +39,12 @@ users_group_present_{{ group }}:
{%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %} {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
{%- do used_user_files.append(1) %} {%- do used_user_files.append(1) %}
{%- endif %} {%- endif %}
{%- if user.get('polkitadmin', False) == True %}
{%- do used_polkit.append(1) %}
{%- endif %}
{%- endfor %} {%- endfor %}
{%- if used_sudo or used_googleauth or used_user_files %} {%- if used_sudo or used_googleauth or used_user_files or used_polkit %}
include: include:
{%- if used_sudo %} {%- if used_sudo %}
- users.sudo - users.sudo
@ -51,6 +55,9 @@ include:
{%- if used_user_files %} {%- if used_user_files %}
- users.user_files - users.user_files
{%- endif %} {%- endif %}
{%- if used_polkit %}
- users.polkit
{%- endif %}
{%- endif %} {%- endif %}
{% for name, user in pillar.get('users', {}).items() {% for name, user in pillar.get('users', {}).items()

View File

@ -27,7 +27,9 @@
'bash_package': 'bash', 'bash_package': 'bash',
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator', 'googleauth_package': 'libpam-google-authenticator',
}, 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
'polkit_defaults': 'unix-group:sudo;'
},
'Gentoo': { 'Gentoo': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
@ -82,6 +84,8 @@
'bash_package': 'bash', 'bash_package': 'bash',
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator', 'googleauth_package': 'libpam-google-authenticator',
'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
'polkit_defaults': 'unix-group:sudo;'
}, },
}, merge=salt['pillar.get']('users-formula:lookup')), }, merge=salt['pillar.get']('users-formula:lookup')),
base='users', base='users',

31
users/polkit.sls Normal file
View File

@ -0,0 +1,31 @@
{% from "users/map.jinja" import users with context %}
{% set polkitusers = {} %}
{% set polkitusers = {'value': ''} %}
{% for name, user in pillar.get('users', {}).items() %}
{% if user.absent is not defined or not user.absent %}
{% if 'polkitadmin' in user and user['polkitadmin'] %}
{% do polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
{% endif %}
{% endif %}
{% endfor %}
{% if polkitusers.value != '' %}
users_{{ users.polkit_dir }}/99salt-users-formula.conf:
file.managed:
- replace: True
- onlyif: 'test -d {{ users.polkit_dir }}'
- name: {{ users.polkit_dir }}/99salt-users-formula.conf
- contents: |
########################################################################
# File managed by Salt (users-formula).
# Your changes will be overwritten.
########################################################################
#
[Configuration]
AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
{% else %}
users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
file.absent:
- name: {{ users.polkit_dir }}/99salt-users-formula.conf
{% endif %}