From: Peter Palfrader
Date: Wed, 8 Apr 2009 08:31:31 +0000 (+0200)
Subject: klecker: a few rules for security folks to interact with dak and archvsync. copied...
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=0dcd08c0bf53f58ae31b28eebe6d6de63612f4b0;p=dsa-puppet.git
klecker: a few rules for security folks to interact with dak and archvsync. copied over only one of 4 dak->archvsync rules - the rest looked long dead. debwww may trigger webmirrors run
---
diff --git a/manifests/site.pp b/manifests/site.pp
index d5c3ad7e..0519f25d 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -45,7 +45,7 @@ node default {
 # test here first
 case $hostname {
- handel,geo1,geo2,geo3,wieck,brahms,bartok,spohr,sperger,carver,rore,malo,peri,penalosa,praetorius,schein,villa,lobos,steffani,kassia,pergolesi,lafayette,rem,albeniz,goetz,smetana,allegri,puccini,ball,argento,arcadelt,dijkstra,schumann,caballero,voltaire,pescetti,mundy,agricola,goedel,lebrun,mayer,mayr,merulo,morales,murphy,paer,saens,schroeder,spontini,widor,zelenka,agnesi,piatti,powell,samosa,gluck,rietz,unger,tartini,mahler,raff,chopin,ravel,ries,master,merkel: { include sudo }
+ handel,geo1,geo2,geo3,wieck,brahms,bartok,spohr,sperger,carver,rore,malo,peri,penalosa,praetorius,schein,villa,lobos,steffani,kassia,pergolesi,lafayette,rem,albeniz,goetz,smetana,allegri,puccini,ball,argento,arcadelt,dijkstra,schumann,caballero,voltaire,pescetti,mundy,agricola,goedel,lebrun,mayer,mayr,merulo,morales,murphy,paer,saens,schroeder,spontini,widor,zelenka,agnesi,piatti,powell,samosa,gluck,rietz,unger,tartini,mahler,raff,chopin,ravel,ries,master,merkel,klecker: { include sudo }
 default: {}
 }
 }
diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/common/sudoers
index 11fce459..10e850bf 100644
--- a/modules/sudo/files/common/sudoers
+++ b/modules/sudo/files/common/sudoers
@@ -99,3 +99,10 @@ dak ries=(archvsync) NOPASSWD:/home/archvsync/runmirrors
 # dak stuff
 %debian-release ries=(dak) /usr/local/bin/dak transitions --import *
 %ftpteam ries=(dak) /usr/local/bin/dak transitions --import *
+# security
+%security klecker=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR] -- *
+%sec_public klecker=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR] -- *
+%sec_data klecker=(archvsync) NOPASSWD: /home/archvsync/security/signal ""
+dak klecker=(archvsync) NOPASSWD: /home/archvsync/signal_security
+# web stuff
+debwww klecker=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
diff --git a/modules/sudo/files/per-host/klecker.debian.org/sudoers b/modules/sudo/files/per-host/klecker.debian.org/sudoers
deleted file mode 100644
index a8bab5dd..00000000
--- a/modules/sudo/files/per-host/klecker.debian.org/sudoers
+++ /dev/null
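Review bot: The new `dak klecker=(archvsync) NOPASSWD: /home/archvsync/signal_security` and `debwww klecker=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors` lines name the command with no argument specification, which in sudoers allows the caller to pass any arguments, whereas the `%sec_data` line directly above pins its command to `""` (no arguments). If those two scripts take no arguments, the lines should be written `dak klecker=(archvsync) NOPASSWD: /home/archvsync/signal_security ""` and `debwww klecker=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors ""` so the permitted invocation is fixed and consistent with the sec_data rule. The two `new-security-install -[AR] -- *` rules intentionally end in a wildcard; since a sudoers `*` also matches whitespace, the trailing `*` admits any number of further arguments and the `--` only protects against option injection if `dak` itself honours `--` as end-of-options, which is worth stating in a comment such as `# -- ends option parsing; trailing * accepts any further args`. The per-host klecker sudoers deleted in the next file also carried nagios, %debadmin, %mirroradm, %debwww and %apachectrl rules that this hunk does not re-add; presumably the common file already provides them above line 99, but that is outside the hunk and worth confirming before the per-host file goes.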
@@ -1,52 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# /etc/sudoers
-#
-# This file MUST be edited with the 'visudo' command as root.
-#
-# See the man page for details on how to write a sudoers file.
-#
-
-# Host alias specification
-
-# User alias specification
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL) ALL
-jeroen ALL=(ALL) ALL
-
-%adm ALL=(ALL) ALL
-%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none
-
-# Security
-%security klecker=(dak) NOPASSWD:/usr/local/bin/dak new-security-install -[AR] -- *
-%sec_public klecker=(dak) NOPASSWD:/usr/local/bin/dak new-security-install -[AR] -- *
-%sec_data klecker=(archvsync) NOPASSWD: /home/archvsync/security/signal ""
-
-# ftpmaster
-%debadmin ALL=(root) NOPASSWD:/bin/su - dak, (dak) NOPASSWD: ALL
-dak ALL=(archvsync) NOPASSWD:/home/archvsync/runmirrors, NOPASSWD:/home/archvsync/rundebbugs, NOPASSWD:/home/archvsync/runpackageweb, NOPASSWD:/home/archvsync/signal_security
-
-# www-master
-debwww klecker=(archvsync) NOPASSWD:/home/archvsync/webmirrors/runmirrors
-# Updating the web pages
-%debwww ALL=(debwww) ALL
-
-%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
-
-# mirroradm
-%mirroradm ALL=(archvsync) ALL
-
-nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
-nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 pd all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 pd [0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 pd [0-9]I\:[0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 show status
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/samhain -t check --foreground -p err -s none -l none -m none