X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fsudo%2Ffiles%2Fsudoers;h=5b816ea720258f8773f78c7c0b38531ebf4be3a0;hb=e3d69adb01f1b4cb87e9d6479b46f760153d11be;hp=37d63c42ceecd7adf13c53121d66adf1b8dd1d18;hpb=62738f7ec0e6961210bee7a2c437f8e7cca8abcc;p=mirror%2Fdsa-puppet.git diff --git a/modules/sudo/files/sudoers b/modules/sudo/files/sudoers index 37d63c42c..5b816ea72 100644 --- a/modules/sudo/files/sudoers +++ b/modules/sudo/files/sudoers @@ -21,6 +21,10 @@ Defaults env_reset Defaults passprompt="[sudo] password for %u on %h: " Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +# Find binaries to be executed as archvsync user also in its home, so the +# caller does not need to know. +Defaults>archvsync secure_path="/home/archvsync/bin:/usr/local/bin:/usr/bin:/bin" + # Host alias specification Host_Alias VOIPHOSTS = vogler Host_Alias WEBHOSTS = wolkenstein @@ -35,7 +39,6 @@ Host_Alias PORTERBOXES = abel, amdahl, asachi, barriere, eller, falla, fischer, Host_Alias PIUPARTS_SLAVE_HOSTS = piu-slave-bm-a, piu-slave-ubc-01 Host_Alias MQ_HOSTS = rainier, rapoport Host_Alias JENKINSHOSTS = jerea -Host_Alias SIGNINGHOSTS = fasolo # Cmnd alias specification @@ -172,8 +175,6 @@ nagios storace=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg dak ALL=(dak-unpriv) NOPASSWD: ALL # and ftpmaster can access the role user for their web services %debadmin FTPHOSTS=(dak-web) ALL -# the dak user gets to sign stuff -dak SIGNINGHOSTS=(codesign) /usr/local/bin/secure-boot-code-sign # some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost %apachectrl ALL=(root) /usr/sbin/apache2-vhost-update 
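Review bot: The new `Defaults>archvsync secure_path=...` line lists `/home/archvsync/bin` ahead of the system directories, so an unqualified command name run as archvsync through sudo resolves to a file in that home directory first if one exists there. This stays within archvsync's own privileges only while the directory is writable by archvsync alone, which this file cannot show. The comment should state that assumption, e.g. `# /home/archvsync/bin must be owned by and writable only for archvsync.` Unless overriding system tools is intended, listing the home directory last, `secure_path="/usr/local/bin:/usr/bin:/bin:/home/archvsync/bin"`, would still let callers find runmirrors without letting it shadow them.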
@@ -239,7 +240,7 @@ letsencrypt denis=(dnsadm) NOPASSWD: /srv/dns.debian.org/bin/update %wbadm BUILDD_MASTER=(wb-buildd) ALL %wbadm BUILDD_MASTER=(root) /usr/local/bin/update-buildd-sshkeys # mirror push -dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors +dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors, /home/archvsync/bin/runmirrors # archvsync triggers snapshot archvsync sibelius=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger archvsync sibelius=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger @@ -259,9 +260,11 @@ debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors %d-i WEBHOSTS=(debwww) /srv/www.debian.org/update-part devel/debian-installer %d-i WEBHOSTS=(debwww) /srv/www.debian.org/cron/lessoften-parts/1installation-guide # more list stuff +%list LISTHOSTS=(postfix) /usr/sbin/postcat %list LISTHOSTS=(root) /usr/sbin/postfix reload %list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper -%list LISTHOSTS=(root) /etc/init.d/spamassassin, /etc/init.d/amavis +%list LISTHOSTS=(root) /usr/sbin/service spamassassin restart, /usr/sbin/service spamassassin reload, /usr/sbin/service spamassassin stop, /usr/sbin/service spamassassin start +%list LISTHOSTS=(root) /usr/sbin/service amavis restart, /usr/sbin/service amavis reload, /usr/sbin/service amavis stop, /usr/sbin/service amavis start %list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn %list LISTHOSTS=(amavis) ALL # geodns may reload bind
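Review bot: The dak mirror-push rule now accepts both `/home/archvsync/runmirrors` and `/home/archvsync/bin/runmirrors`, with no comment saying whether the first is kept only for a transition. If it is, the old path is likely to stay allowed after the script has moved. A line such as `# old path, drop once all callers use bin/runmirrors` above the rule would make the cleanup explicit. Neither entry restricts arguments, so dak can pass any options to the script as archvsync without a password. If the callers use a fixed set of arguments, listing them would narrow the rule.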
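Review bot: The added `%list LISTHOSTS=(postfix) /usr/sbin/postcat` line has no argument list, so members of the list group can run postcat as postfix with any options and file names. The service entries added in the same hunk, by contrast, pin the exact verb. If the purpose is inspecting queued messages, a comment above the rule should say so, e.g. `# let the list group read queued mail for debugging`, and the rule could be narrowed to the invocation actually used. Because sudoers matches listed arguments exactly, `service spamassassin status` and `service amavis status` will be refused unless they are added.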