From e1d0de230db376822ab236f7c501679b0eb71fd3 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Thu, 2 Feb 2017 23:12:15 +0100
Subject: [PATCH 1/4] make AdminIdentity configureable per user
---
 pillar.example | 2 ++
 users/init.sls | 1 +
 users/map.jinja | 4 ++++
 users/polkit.sls | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 users/polkit.sls
diff --git a/pillar.example b/pillar.example
index 256303a..c45d5ac 100644
--- a/pillar.example
+++ b/pillar.example
@@ -38,6 +38,8 @@ users:
 - ALL=(otheruser) /usr/bin/script.sh
 sudo_defaults:
 - '!requiretty'
+ # enable polkitadmin to make user an AdminIdentity for polkit
+ polkitadmin: True
 shell: /bin/bash
 remove_groups: False
 prime_group:
diff --git a/users/init.sls b/users/init.sls
index a4f6cba..8bcfbab 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -32,6 +32,7 @@ include:
 - users.user_files
 {%- endif %}
 {%- endif %}
+ - users.polkit
 {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
diff --git a/users/map.jinja b/users/map.jinja
index f81acc4..1237066 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -10,6 +10,8 @@
 'bash_package': 'bash',
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
 },
 'Gentoo': {
 'sudoers_dir': '/etc/sudoers.d',
@@ -43,5 +45,7 @@
 'bash_package': 'bash',
 'sudo_package': 'sudo',
 'googleauth_package': 'libpam-google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
 },
 }, merge=salt['pillar.get']('users:lookup')) %}
diff --git a/users/polkit.sls b/users/polkit.sls
new file mode 100644
index 0000000..df959bc
--- /dev/null
+++ b/users/polkit.sls
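Review bot: `polkit_defaults` is hard-coded to `unix-group:sudo;` in both OS blocks of users/map.jinja (this hunk and the one at `@@ -43,5 +45,7 @@`), and because the file it feeds is named `99salt-users-formula.conf` it sorts after every distribution-shipped file in `localauthority.conf.d`; if polkit honours the last `AdminIdentities=` definition it reads, as I believe the local authority backend does, the formula's line replaces the distro's admin identities rather than extending them, so anything the distro granted there is silently dropped unless it is repeated in `polkit_defaults`. That is a reasonable design but it is not obvious from the map, so it deserves a comment next to the key, e.g. `{# Prepended to AdminIdentities; the generated file overrides, not merges with, distro-shipped localauthority.conf.d entries #}`. It is also worth noting in the same place that `polkit_dir` targets the legacy localauthority backend only, so hosts whose polkit uses `rules.d` get no grant from this setting.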
@@ -0,0 +1,32 @@
+{% from "users/map.jinja" import users with context %}
+{% set polkitusers = {} %}
+{% set polkitusers = {'value': ''} %}
+
+{% for name, user in pillar.get('users', {}).items() %}
+ {% if user.absent is not defined or not user.absent %}
+ {% if 'polkitadmin' in user and user['polkitadmin'] %}
+ {% if polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
+ {% endif %}
+ {% endif %}
+ {% endif %}
+{% endfor %}
+
+{% if polkitusers.value != '' %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf:
+ file.managed:
+ - replace: True
+ - onlyif: 'test -d {{ users.polkit_dir }}'
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+ - contents: |
+ ########################################################################
+ # File managed by Salt (users-formula).
+ # Your changes will be overwritten.
+ ########################################################################
+ #
+ [Configuration]
+ AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
+{% else %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
+ file.absent:
+ - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+{% endif %}
From 9eedbede7466be71de6fa39968bb15fef99eb19b Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 24 Aug 2018 14:20:43 +0200
Subject: [PATCH 2/4] fix polkit state include
---
 users/init.sls | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/users/init.sls b/users/init.sls
index 8bcfbab..5a9a8d6 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -3,6 +3,7 @@
 {% set used_sudo = [] %}
 {% set used_googleauth = [] %}
 {% set used_user_files = [] %}
+{% set used_polkit = False %}
 {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
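Review bot: The `file.managed` state for `99salt-users-formula.conf` sets no `user`, `group` or `mode`, so a file that decides who polkit treats as an administrator gets whatever ownership and permissions Salt's defaults and the minion's umask happen to produce; pin them explicitly with `- user: root`, `- group: root`, `- mode: 644`. The first `{% set polkitusers = {} %}` is overwritten by the very next line and can be dropped. The `onlyif: 'test -d ...'` guard means that on a host without `localauthority.conf.d` (polkit builds that only read `rules.d`) the state is skipped without any error, so a `polkitadmin: True` pillar entry silently grants nothing there; a comment such as `{# Only the legacy localauthority backend is handled; on rules.d-only polkit this state is a no-op #}` above the state would save the next operator a surprise. The user name is interpolated straight from the pillar key into the `unix-user:` list, which is fine while pillar is operator-controlled but worth a one-line note since a `;` in a name would split into extra identities.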
@@ -18,9 +19,12 @@
 {%- if salt['pillar.get']('users:' ~ name ~ ':user_files:enabled', False) %}
 {%- do used_user_files.append(1) %}
 {%- endif %}
+{%- if user.get('polkitadmin', False) == True %}
+{%- set used_polkit = True %}
+{%- endif %}
 {%- endfor %}
-{%- if used_sudo or used_googleauth or used_user_files %}
+{%- if used_sudo or used_googleauth or used_user_files or used_polkit %}
 include:
 {%- if used_sudo %}
 - users.sudo
@@ -31,8 +35,10 @@ include:
 {%- if used_user_files %}
 - users.user_files
 {%- endif %}
-{%- endif %}
+{%- if used_polkit %}
 - users.polkit
+{%- endif %}
+{%- endif %}
 {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
From 0e93ebccdb857c5860c89cfaa3d0f0c45fc77b11 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Fri, 24 Aug 2018 14:25:35 +0200
Subject: [PATCH 3/4] use do to update dict
---
 users/polkit.sls | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/users/polkit.sls b/users/polkit.sls
index df959bc..fd8a5ed 100644
--- a/users/polkit.sls
+++ b/users/polkit.sls
@@ -5,8 +5,7 @@
 {% for name, user in pillar.get('users', {}).items() %}
 {% if user.absent is not defined or not user.absent %}
 {% if 'polkitadmin' in user and user['polkitadmin'] %}
- {% if polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
- {% endif %}
+ {% do polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
 {% endif %}
 {% endif %}
 {% endfor %}
From b84e79bd3168fa51b9ec414000ee1200d6f7c905 Mon Sep 17 00:00:00 2001
From: Maximilian Zettler
Date: Sat, 29 Sep 2018 13:15:56 +0200
Subject: [PATCH 4/4] fix used_polkit
---
 users/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/users/init.sls b/users/init.sls
index 5a9a8d6..b873e04 100644
--- a/users/init.sls
+++ b/users/init.sls
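Review bot: Wrapping `- users.polkit` in `{%- if used_polkit %}` (hunk `@@ -31,8 +35,10 @@`) means users/polkit.sls is no longer rendered once no remaining user carries `polkitadmin`, so its `{% else %}` branch that runs `file.absent` on `99salt-users-formula.conf` can never execute through this include; removing the last `polkitadmin: True` from pillar leaves the previously written `AdminIdentities=` file in place and that account keeps polkit admin rights until the file is deleted by hand. Revocation should not depend on a manual step: either include `users.polkit` unconditionally, as it already handles the empty case itself, or move the `file.absent` cleanup into a state that is rendered on every run. Separately, this file tests `user.get('polkitadmin', False) == True` while polkit.sls tests `'polkitadmin' in user and user['polkitadmin']`; the two disagree for truthy non-boolean values, and since the stricter one gates the include, such an entry is silently ignored, so `{%- if user.get('polkitadmin', False) %}` would keep them consistent. The `{%- if used_sudo or ... %}` that encloses the `include:` block begins before the second hunk and is closed only by the trailing `{%- endif %}` shown here.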
@@ -3,7 +3,7 @@
 {% set used_sudo = [] %}
 {% set used_googleauth = [] %}
 {% set used_user_files = [] %}
-{% set used_polkit = False %}
+{% set used_polkit = [] %}
 {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
@@ -20,7 +20,7 @@
 {%- do used_user_files.append(1) %}
 {%- endif %}
 {%- if user.get('polkitadmin', False) == True %}
-{%- set used_polkit = True %}
+{%- do used_polkit.append(1) %}
 {%- endif %}
 {%- endfor %}