From 90cc6c203928332a15b1bf55790490b63c6798bc Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 13 Jan 2017 21:50:36 +0100
Subject: [PATCH 01/12] add policy kit admin identity configuration for non root users under Debian and Ubuntu
---
users/init.sls | 27 +++++++++++++++++++++++++++
users/map.jinja | 2 ++
2 files changed, 29 insertions(+)
diff --git a/users/init.sls b/users/init.sls
index 969c3d0..03d2fe1 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -415,6 +415,27 @@ users_{{ users.sudoers_dir }}/{{ name }}:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}
+# Policykit AdminIdentities Logik
+{%- if 'polkitadmin' in user and user['polkitadmin'] %}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities=unix-user:{{ name }}
+{%- else %}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
+{%- endif %}
+
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
@@ -484,6 +505,9 @@ users_absent_user_{{ name }}:
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
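Review bot: `{{ users.polkit_dir }}` is rendered for every user in both the `file.managed` and the `file.absent` branch of the new block, but the map.jinja hunks in this same patch add `polkit_dir` to only two of the platform dicts, so on any other platform the key is missing at render time; if I recall correctly Salt renders Jinja with StrictUndefined, in which case the whole of init.sls fails to render rather than falling back to an empty path, and the `onlyif: 'test -d ...'` guard does not help because the `file.absent` branch has none. I would wrap the block in `{%- if 'polkit_dir' in users %}` (or give `polkit_dir` a value in the map's default dict) so platforms without a polkit directory are skipped cleanly. The enclosing `{% for name, user ... %}` loop starts outside the hunk. The same applies to users/polkit.sls added in PATCH 03 (`@@ -0,0 +1,32 @@`), which PATCH 04 makes an unconditional include, and to the repeats in PATCH 08 and PATCH 10.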
@@ -493,6 +517,9 @@ users_absent_user_2_{{ user }}:
users_2_{{ users.sudoers_dir }}/{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ user }}
+users_2_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
diff --git a/users/map.jinja b/users/map.jinja
index f81acc4..acadf33 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -10,6 +10,7 @@
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
},
'Gentoo': {
'sudoers_dir': '/etc/sudoers.d',
@@ -43,5 +44,6 @@
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
},
}, merge=salt['pillar.get']('users:lookup')) %}
From 1f509a9a7fbe74a6187921886385ac60cbc7d97f Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 13 Jan 2017 21:55:15 +0100
Subject: [PATCH 02/12] update pillar.example
---
pillar.example | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pillar.example b/pillar.example
index 256303a..c45d5ac 100644
--- a/pillar.example
+++ b/pillar.example
@@ -38,6 +38,8 @@ users:
- ALL=(otheruser) /usr/bin/script.sh
sudo_defaults:
- '!requiretty'
+ # enable polkitadmin to make user an AdminIdentity for polkit
+ polkitadmin: True
shell: /bin/bash
remove_groups: False
prime_group:
From e2360c89f41576bde1f71aff6ff2d4e980ba7a6f Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sun, 22 Jan 2017 12:43:38 +0100
Subject: [PATCH 03/12] fix polkit settings to write all users in one file
---
users/init.sls | 28 +--------------------------
users/polkit.sls | 32 ++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 27 deletions(-)
create mode 100644 users/polkit.sls
diff --git a/users/init.sls b/users/init.sls
index 03d2fe1..a61ada8 100644
--- a/users/init.sls
+++ b/users/init.sls
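Review bot: The added `users_2_{{ users.polkit_dir }}/{{ name }}` state sits inside the `{% for user in pillar.get('absent_users', []) %}` loop, whose loop variable is `user`; `name` is not bound here (Jinja for-loop variables are scoped to their own loop, so the earlier `{% for name, user ... %}` does not provide it), which means the state ID and the `.conf` path are built from an undefined name — a render error under StrictUndefined, or the wrong file otherwise. The sibling sudoers state two lines above uses `{{ user }}`, and the polkit state should match it: `users_2_{{ users.polkit_dir }}/{{ user }}:` and `- name: {{ users.polkit_dir }}/{{ user }}.conf`. The identical hunk in PATCH 08 (`@@ -495,6 +519,9 @@`) has the same problem; PATCH 03 and PATCH 10 later remove these per-user states altogether.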
@@ -22,6 +22,7 @@
{%- if used_sudo or used_googleauth or used_user_files %}
include:
+ - users.polkit
{%- if used_sudo %}
- users.sudo
{%- endif %}
@@ -415,27 +416,6 @@ users_{{ users.sudoers_dir }}/{{ name }}:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}
-# Policykit AdminIdentities Logik
-{%- if 'polkitadmin' in user and user['polkitadmin'] %}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.managed:
- - replace: True
- - onlyif: 'test -d {{ users.polkit_dir }}'
- - name: {{ users.polkit_dir }}/{{ name }}.conf
- - contents: |
- ########################################################################
- # File managed by Salt (users-formula).
- # Your changes will be overwritten.
- ########################################################################
- #
- [Configuration]
- AdminIdentities=unix-user:{{ name }}
-{%- else %}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
-{%- endif %}
-
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
@@ -505,9 +485,6 @@ users_absent_user_{{ name }}:
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
@@ -517,9 +494,6 @@ users_absent_user_2_{{ user }}:
users_2_{{ users.sudoers_dir }}/{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ user }}
-users_2_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
diff --git a/users/polkit.sls b/users/polkit.sls
new file mode 100644
index 0000000..7024c33
--- /dev/null
+++ b/users/polkit.sls
@@ -0,0 +1,32 @@
+{% from "users/map.jinja" import users with context %}
+{% set polkitusers = {} %}
+{% set polkitusers = {'value': ''} %}
+
+{% for name, user in pillar.get('users', {}).items() %}
+ {% if user.absent is not defined or not user.absent %}
+ {% if 'polkitadmin' in user and user['polkitadmin'] %}
+ {% if polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
+ {% endif %}
+ {% endif %}
+ {% endif %}
+{% endfor %}
+
+{% if polkitusers.value != '' %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities={{ polkitusers.value }}
+{% else %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
+ file.absent:
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+{% endif %}
From 18690da4a3fe2fe7dc5f1a5556fe19633427c17b Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sun, 22 Jan 2017 13:43:49 +0100
Subject: [PATCH 04/12] fix placement of polkit include
---
users/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/init.sls b/users/init.sls
index a61ada8..547a460 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -22,7 +22,6 @@
{%- if used_sudo or used_googleauth or used_user_files %}
include:
- - users.polkit
{%- if used_sudo %}
- users.sudo
{%- endif %}
@@ -33,6 +32,7 @@ include:
- users.user_files
{%- endif %}
{%- endif %}
+ - users.polkit
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
From 1463f65e6bce6dddd611cb9b74b641bcdc6acb59 Mon Sep 17 00:00:00 2001
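Review bot: The `file.managed` for `99salt-users-formula.conf` sets neither `user`, `group` nor `mode`, yet this file decides which identities polkit accepts as administrators, so its ownership and permissions should be pinned rather than inherited from the minion's umask or from a pre-existing file: add `- user: root`, `- group: root` and `- mode: 644` next to `- replace: True`. Separately, `{% set polkitusers = {} %}` on the second line is overwritten immediately by `{% set polkitusers = {'value': ''} %}` and can be dropped, and the block comment this patch removes from init.sls (`# Policykit AdminIdentities Logik`) deserves an English replacement at the top of the new file, e.g. `{# Collect every non-absent user with polkitadmin: True into a single AdminIdentities line #}`. PATCH 10 adds the identical file and needs the same changes.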
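Review bot: `- users.polkit` is appended after the outer `{%- endif %}` that closes `{%- if used_sudo or used_googleauth or used_user_files %}` (the guard opens in the previous hunk of this commit), so when none of those flags is set there is no `include:` key and the rendered state file begins with a dangling `- users.polkit` list item, which YAML rejects. Since the polkit include is now meant to be unconditional, the guard no longer serves a purpose: emit `include:` unconditionally and drop that `{%- if ... %}` line together with its matching `{%- endif %}`, keeping the inner `{%- if used_sudo %}`-style guards on the other includes. PATCH 11 repeats this hunk (`@@ -33,6 +32,7 @@`) and needs the same correction.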
From: Maximilian Zettler
Date: Mon, 23 Jan 2017 10:36:49 +0100
Subject: [PATCH 05/12] add polkir AdminIdentities default system configs
---
users/map.jinja | 2 ++
users/polkit.sls | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/users/map.jinja b/users/map.jinja
index acadf33..1237066 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -11,6 +11,7 @@
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
},
'Gentoo': {
'sudoers_dir': '/etc/sudoers.d',
@@ -45,5 +46,6 @@
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
},
}, merge=salt['pillar.get']('users:lookup')) %}
diff --git a/users/polkit.sls b/users/polkit.sls
index 7024c33..df959bc 100644
--- a/users/polkit.sls
+++ b/users/polkit.sls
@@ -24,7 +24,7 @@ users_{{ users.polkit_dir }}/99salt-users-formula.conf:
########################################################################
#
[Configuration]
- AdminIdentities={{ polkitusers.value }}
+ AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
{% else %}
users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
file.absent:
From fdc8ac66cb6c8f1e689df5bfe7e8d76acc1f2740 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Thu, 2 Feb 2017 13:40:31 +0100
Subject: [PATCH 06/12] add ability to configure prime_group without gid
---
users/init.sls | 2 ++
1 file changed, 2 insertions(+)
diff --git a/users/init.sls b/users/init.sls
index 969c3d0..0bbe8c8 100644
--- a/users/init.sls
+++ b/users/init.sls
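Review bot: `AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}` turns `99salt-users-formula.conf` into a complete admin list, and as far as I know the localauthority backend reads the `.conf` files in lexical order with the last `AdminIdentities` definition winning, so this file supersedes the distribution's own files and any other site-local entry in `polkit_dir`: the effective admin set becomes exactly `unix-group:sudo` plus the listed users, and only while at least one user has `polkitadmin: True` (the `file.absent` branch hands control back to the distribution default otherwise). That is a defensible policy, but it should be documented in pillar.example together with the `users:lookup:polkit_defaults` override that the existing `merge=` already permits. The concatenation also relies on `polkit_defaults` ending in `;`; a lookup override without it would fuse the first user into the group entry, so I would strip a trailing `;` from the default and insert the separator explicitly, or collect all identities into a list and emit `{{ identities | join(';') }}`. PATCH 12 is the same change and needs the same treatment.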
@@ -101,6 +101,8 @@ users_{{ name }}_user:
{% endif -%}
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- gid: {{ user['prime_group']['gid'] }}
+ {% elif 'prime_group' in user and 'name' in user['prime_group']%}
+ - gid: {{ user['prime_group']['name'] }}
{% else -%}
- gid_from_name: True
{% endif -%}
From 32b9c21bd5580ea25f81ac6b94343f23af8a5ab2 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Thu, 2 Feb 2017 17:15:24 +0100
Subject: [PATCH 07/12] fix typo
---
users/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/init.sls b/users/init.sls
index 0bbe8c8..a4f6cba 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -101,7 +101,7 @@ users_{{ name }}_user:
{% endif -%}
{% if 'prime_group' in user and 'gid' in user['prime_group'] -%}
- gid: {{ user['prime_group']['gid'] }}
- {% elif 'prime_group' in user and 'name' in user['prime_group']%}
+ {% elif 'prime_group' in user and 'name' in user['prime_group'] %}
- gid: {{ user['prime_group']['name'] }}
{% else -%}
- gid_from_name: True
From b905c8c5ef00cc05740f5e3e8fc13dfa3be0c9e3 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 13 Jan 2017 21:50:36 +0100
Subject: [PATCH 08/12] add policy kit admin identity configuration for non root users under Debian and Ubuntu
---
users/init.sls | 27 +++++++++++++++++++++++++++
users/map.jinja | 2 ++
2 files changed, 29 insertions(+)
diff --git a/users/init.sls b/users/init.sls
index a4f6cba..30ed5fc 100644
--- a/users/init.sls
+++ b/users/init.sls
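Review bot: The new `elif` branch passes the group name to `user.present`'s `gid` argument (`- gid: {{ user['prime_group']['name'] }}`), whereas the sibling branch passes a numeric id; whether `gid` accepts a name depends on the Salt release, so please check this against the oldest version the formula supports, or resolve it explicitly with `salt['file.group_to_gid'](user['prime_group']['name'])`. The `{% elif ... %}` tag also lacks the `-%}` whitespace control that the surrounding `{% if ... -%}`, `{% else -%}` and `{% endif -%}` tags use, leaving a stray blank line in the rendered state; PATCH 07 only adds the missing space before `%}`. A one-line comment such as `{# prime_group given by name only: resolve the gid from the group name #}` would make the intent clear. The `users_{{ name }}_user` state body starts and ends outside the hunk.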
@@ -417,6 +417,27 @@ users_{{ users.sudoers_dir }}/{{ name }}:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}
+# Policykit AdminIdentities Logik
+{%- if 'polkitadmin' in user and user['polkitadmin'] %}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities=unix-user:{{ name }}
+{%- else %}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
+{%- endif %}
+
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
@@ -486,6 +507,9 @@ users_absent_user_{{ name }}:
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
+users_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
@@ -495,6 +519,9 @@ users_absent_user_2_{{ user }}:
users_2_{{ users.sudoers_dir }}/{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ user }}
+users_2_{{ users.polkit_dir }}/{{ name }}:
+ file.absent:
+ - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
diff --git a/users/map.jinja b/users/map.jinja
index f81acc4..acadf33 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -10,6 +10,7 @@
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
},
'Gentoo': {
'sudoers_dir': '/etc/sudoers.d',
@@ -43,5 +44,6 @@
'bash_package': 'bash',
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
},
}, merge=salt['pillar.get']('users:lookup')) %}
From 110e83b9c3aed1bb520c70865721cd117b65e382 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 13 Jan 2017 21:55:15 +0100
Subject: [PATCH 09/12] update pillar.example
---
pillar.example | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pillar.example b/pillar.example
index 256303a..c45d5ac 100644
--- a/pillar.example
+++ b/pillar.example
@@ -38,6 +38,8 @@ users:
- ALL=(otheruser) /usr/bin/script.sh
sudo_defaults:
- '!requiretty'
+ # enable polkitadmin to make user an AdminIdentity for polkit
+ polkitadmin: True
shell: /bin/bash
remove_groups: False
prime_group:
From 6e3a507ac3b776b2d125efd14332b12c8cfe0e4b Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sun, 22 Jan 2017 12:43:38 +0100
Subject: [PATCH 10/12] fix polkit settings to write all users in one file
---
users/init.sls | 28 +--------------------------
users/polkit.sls | 32 ++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 27 deletions(-)
create mode 100644 users/polkit.sls
diff --git a/users/init.sls b/users/init.sls
index 30ed5fc..ffbc251 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -22,6 +22,7 @@
{%- if used_sudo or used_googleauth or used_user_files %}
include:
+ - users.polkit
{%- if used_sudo %}
- users.sudo
{%- endif %}
@@ -417,27 +418,6 @@ users_{{ users.sudoers_dir }}/{{ name }}:
- name: {{ users.sudoers_dir }}/{{ name }}
{% endif %}
-# Policykit AdminIdentities Logik
-{%- if 'polkitadmin' in user and user['polkitadmin'] %}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.managed:
- - replace: True
- - onlyif: 'test -d {{ users.polkit_dir }}'
- - name: {{ users.polkit_dir }}/{{ name }}.conf
- - contents: |
- ########################################################################
- # File managed by Salt (users-formula).
- # Your changes will be overwritten.
- ########################################################################
- #
- [Configuration]
- AdminIdentities=unix-user:{{ name }}
-{%- else %}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
-{%- endif %}
-
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
@@ -507,9 +487,6 @@ users_absent_user_{{ name }}:
users_{{ users.sudoers_dir }}/{{ name }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ name }}
-users_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for user in pillar.get('absent_users', []) %}
@@ -519,9 +496,6 @@ users_absent_user_2_{{ user }}:
users_2_{{ users.sudoers_dir }}/{{ user }}:
file.absent:
- name: {{ users.sudoers_dir }}/{{ user }}
-users_2_{{ users.polkit_dir }}/{{ name }}:
- file.absent:
- - name: {{ users.polkit_dir }}/{{ name }}.conf
{% endfor %}
{% for group in pillar.get('absent_groups', []) %}
diff --git a/users/polkit.sls b/users/polkit.sls
new file mode 100644
index 0000000..7024c33
--- /dev/null
+++ b/users/polkit.sls
@@ -0,0 +1,32 @@
+{% from "users/map.jinja" import users with context %}
+{% set polkitusers = {} %}
+{% set polkitusers = {'value': ''} %}
+
+{% for name, user in pillar.get('users', {}).items() %}
+ {% if user.absent is not defined or not user.absent %}
+ {% if 'polkitadmin' in user and user['polkitadmin'] %}
+ {% if polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
+ {% endif %}
+ {% endif %}
+ {% endif %}
+{% endfor %}
+
+{% if polkitusers.value != '' %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities={{ polkitusers.value }}
+{% else %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
+ file.absent:
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+{% endif %}
From 6714c3620f8813d7e52e716328d27c3bd494b406 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sun, 22 Jan 2017 13:43:49 +0100
Subject: [PATCH 11/12] fix placement of polkit include
---
users/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/init.sls b/users/init.sls
index ffbc251..8bcfbab 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -22,7 +22,6 @@
{%- if used_sudo or used_googleauth or used_user_files %}
include:
- - users.polkit
{%- if used_sudo %}
- users.sudo
{%- endif %}
@@ -33,6 +32,7 @@ include:
- users.user_files
{%- endif %}
{%- endif %}
+ - users.polkit
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
From db658f061273a9605d9a4a578084301fc756beee Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Mon, 23 Jan 2017 10:36:49 +0100
Subject: [PATCH 12/12] add polkir AdminIdentities default system configs
---
users/map.jinja | 2 ++
users/polkit.sls | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/users/map.jinja b/users/map.jinja
index acadf33..1237066 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -11,6 +11,7 @@
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
},
'Gentoo': {
'sudoers_dir': '/etc/sudoers.d',
@@ -45,5 +46,6 @@
'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
},
}, merge=salt['pillar.get']('users:lookup')) %}
diff --git a/users/polkit.sls b/users/polkit.sls
index 7024c33..df959bc 100644
--- a/users/polkit.sls
+++ b/users/polkit.sls
@@ -24,7 +24,7 @@ users_{{ users.polkit_dir }}/99salt-users-formula.conf:
########################################################################
#
[Configuration]
- AdminIdentities={{ polkitusers.value }}
+ AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
{% else %}
users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
file.absent: