Merge remote-tracking branch 'waldi-salsa/godard-apache' into HEAD
diff --git
a/modules/sudo/files/sudoers
b/modules/sudo/files/sudoers
index
cfcf4a7
..
bdf87ae
100644
(file)
--- a/
modules/sudo/files/sudoers
+++ b/
modules/sudo/files/sudoers
@@
-21,6
+21,10
@@
Defaults env_reset
Defaults passprompt="[sudo] password for %u on %h: "
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults passprompt="[sudo] password for %u on %h: "
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+# Find binaries to be executed as archvsync user also in its home, so the
+# caller does not need to know.
+Defaults>archvsync secure_path="/home/archvsync/bin:/usr/local/bin:/usr/bin:/bin"
+
# Host alias specification
Host_Alias VOIPHOSTS = vogler
Host_Alias WEBHOSTS = wolkenstein
# Host alias specification
Host_Alias VOIPHOSTS = vogler
Host_Alias WEBHOSTS = wolkenstein
@@
-31,11
+35,10
@@
Host_Alias AACRAIDHOSTS = pettersson
Host_Alias MEGARAIDHOSTS = sibelius
Host_Alias LISTHOSTS = bendel
Host_Alias BUILDD_MASTER = wuiet
Host_Alias MEGARAIDHOSTS = sibelius
Host_Alias LISTHOSTS = bendel
Host_Alias BUILDD_MASTER = wuiet
-Host_Alias PORTERBOXES = abel, amdahl,
asachi, barriere, eller, falla, fischer, harris, minkus, partch, plummer, pizzetti
, zelenka
+Host_Alias PORTERBOXES = abel, amdahl,
barriere, eller, harris, minkus, partch, plummer
, zelenka
Host_Alias PIUPARTS_SLAVE_HOSTS = piu-slave-bm-a, piu-slave-ubc-01
Host_Alias MQ_HOSTS = rainier, rapoport
Host_Alias JENKINSHOSTS = jerea
Host_Alias PIUPARTS_SLAVE_HOSTS = piu-slave-bm-a, piu-slave-ubc-01
Host_Alias MQ_HOSTS = rainier, rapoport
Host_Alias JENKINSHOSTS = jerea
-Host_Alias SIGNINGHOSTS = fasolo
# Cmnd alias specification
# Cmnd alias specification
@@
-51,14
+54,14
@@
root ALL=(ALL) ALL
%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
# nagios
%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
# nagios
-nagios ALL=(ALL) NOPASSWD: /bin/systemctl is-system-running
nagios MQ_HOSTS=(rabbitmq) NOPASSWD: /usr/sbin/rabbitmqctl list_queues -p dsa name messages consumers
nagios ALL=(ALL) NOPASSWD: /usr/sbin/service ekeyd-egd-linux restart
nagios ALL=(ALL) NOPASSWD: /usr/sbin/service samhain restart
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-filesystems ""
nagios MQ_HOSTS=(rabbitmq) NOPASSWD: /usr/sbin/rabbitmqctl list_queues -p dsa name messages consumers
nagios ALL=(ALL) NOPASSWD: /usr/sbin/service ekeyd-egd-linux restart
nagios ALL=(ALL) NOPASSWD: /usr/sbin/service samhain restart
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-filesystems ""
-nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-libs
""
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-libs
--ignore-younger=1h
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ""
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ""
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-systemd-services ""
nagios handel=(puppet) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-cert-expire /var/lib/puppet/ssl/certs/ca.pem
# with smartarray controllers
nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
nagios handel=(puppet) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-cert-expire /var/lib/puppet/ssl/certs/ca.pem
# with smartarray controllers
nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
@@
-127,7
+130,8
@@
nagios storace=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg
%forums ALL=(forums) ALL
%gitdoadm ALL=(gitdoadm) ALL
# the git user also exists on adayevskaya where it's a different service..
%forums ALL=(forums) ALL
%gitdoadm ALL=(gitdoadm) ALL
# the git user also exists on adayevskaya where it's a different service..
-%gitdoadm godard=(git) ALL
+%gitdoadm godard=(git) ALL
+%gitdoadm godard=(salsa-webhook) ALL
%keyring ALL=(keyring) ALL
%jenkins-adm ALL=(jenkins-adm) ALL
%lintian ALL=(lintian) ALL
%keyring ALL=(keyring) ALL
%jenkins-adm ALL=(jenkins-adm) ALL
%lintian ALL=(lintian) ALL
@@
-172,8
+176,6
@@
nagios storace=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg
dak ALL=(dak-unpriv) NOPASSWD: ALL
# and ftpmaster can access the role user for their web services
%debadmin FTPHOSTS=(dak-web) ALL
dak ALL=(dak-unpriv) NOPASSWD: ALL
# and ftpmaster can access the role user for their web services
%debadmin FTPHOSTS=(dak-web) ALL
-# the dak user gets to sign stuff
-dak SIGNINGHOSTS=(codesign) /usr/local/bin/secure-boot-code-sign
# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
@@
-187,6
+189,7
@@
buildd ALL=(ALL) NOPASSWD: ALL
%backports FTPHOSTS,coccia=(staticsync) NOPASSWD: /usr/local/bin/static-update-component backports.debian.org
%bootstrap boott=(staticsync) NOPASSWD: /usr/local/bin/static-update-component bootstrap.debian.net
d-i dillon=(staticsync) NOPASSWD: /usr/local/bin/static-update-component d-i.debian.org
%backports FTPHOSTS,coccia=(staticsync) NOPASSWD: /usr/local/bin/static-update-component backports.debian.org
%bootstrap boott=(staticsync) NOPASSWD: /usr/local/bin/static-update-component bootstrap.debian.net
d-i dillon=(staticsync) NOPASSWD: /usr/local/bin/static-update-component d-i.debian.org
+debian-cd casulana=(staticsync) NOPASSWD: /usr/local/bin/static-update-component cdbuilder-logs.debian.org
lucas dillon=(staticsync) NOPASSWD: /usr/local/bin/static-update-component debaday.debian.net
dsa dillon=(staticsync) NOPASSWD: /usr/local/bin/static-update-component dsa.debian.org
dak FTPHOSTS=(staticsync) NOPASSWD: /usr/local/bin/static-update-component incoming.debian.org
lucas dillon=(staticsync) NOPASSWD: /usr/local/bin/static-update-component debaday.debian.net
dsa dillon=(staticsync) NOPASSWD: /usr/local/bin/static-update-component dsa.debian.org
dak FTPHOSTS=(staticsync) NOPASSWD: /usr/local/bin/static-update-component incoming.debian.org
@@
-234,12
+237,11
@@
piupartss PIUPARTS_SLAVE_HOSTS=(ALL) NOPASSWD: ALL
# trigger of mirror run for packages
dnsadm denis=(root) NOPASSWD: /usr/sbin/service bind9 reload
letsencrypt denis=(dnsadm) NOPASSWD: /srv/dns.debian.org/bin/update
# trigger of mirror run for packages
dnsadm denis=(root) NOPASSWD: /usr/sbin/service bind9 reload
letsencrypt denis=(dnsadm) NOPASSWD: /srv/dns.debian.org/bin/update
-%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
# wbadm can update all buildd* users' keys on buildd.d.o
%wbadm BUILDD_MASTER=(wb-buildd) ALL
%wbadm BUILDD_MASTER=(root) /usr/local/bin/update-buildd-sshkeys
# mirror push
# wbadm can update all buildd* users' keys on buildd.d.o
%wbadm BUILDD_MASTER=(wb-buildd) ALL
%wbadm BUILDD_MASTER=(root) /usr/local/bin/update-buildd-sshkeys
# mirror push
-dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
+dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
, /home/archvsync/bin/runmirrors
# archvsync triggers snapshot
archvsync sibelius=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
archvsync sibelius=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
# archvsync triggers snapshot
archvsync sibelius=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
archvsync sibelius=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
@@
-262,7
+264,8
@@
debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
%list LISTHOSTS=(postfix) /usr/sbin/postcat
%list LISTHOSTS=(root) /usr/sbin/postfix reload
%list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper
%list LISTHOSTS=(postfix) /usr/sbin/postcat
%list LISTHOSTS=(root) /usr/sbin/postfix reload
%list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper
-%list LISTHOSTS=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
+%list LISTHOSTS=(root) /usr/sbin/service spamassassin restart, /usr/sbin/service spamassassin reload, /usr/sbin/service spamassassin stop, /usr/sbin/service spamassassin start
+%list LISTHOSTS=(root) /usr/sbin/service amavis restart, /usr/sbin/service amavis reload, /usr/sbin/service amavis stop, /usr/sbin/service amavis start
%list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn
%list LISTHOSTS=(amavis) ALL
# geodns may reload bind
%list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn
%list LISTHOSTS=(amavis) ALL
# geodns may reload bind
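Review bot: The `Defaults>archvsync secure_path=...` line added in the first hunk puts `/home/archvsync/bin` ahead of the system directories and omits the `sbin` entries that the global `secure_path` carries, and the comment above it explains neither choice. sudo uses this value both to resolve the command the caller names and as the PATH of the command it runs, so helpers that a script run as archvsync calls by bare name are looked up in that home directory first. The directory's ownership and mode therefore become part of the policy; presumably only archvsync and root can write there, but the page does not show it. I would extend the comment with something like `# /home/archvsync/bin must stay writable only by archvsync and root.` and state whether leaving out the sbin directories is intended. Related, in the -234,12 hunk the `dak FTPHOSTS,SECHOSTS=(archvsync)` rule lists both `runmirrors` paths with no argument specification, which permits any arguments, whereas the nagios rules use `""` to permit none; a short comment there on which arguments are expected, and whether the old `/home/archvsync/runmirrors` path is kept only for the transition, would help the next reader.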