Merge remote-tracking branch 'waldi/sudo-archvsync-runmirrors'

* waldi/sudo-archvsync-runmirrors:
  Add comment to sudoers
  Allow sudo to runmirrors in the current location
  Make sudo set a special path for calls as archvsync user

diff --git a/modules/sudo/files/sudoers b/modules/sudo/files/sudoers
index be43b13..4284ff0 100644 (file)
--- a/modules/sudo/files/sudoers
+++ b/modules/sudo/files/sudoers
@@ -21,6 +21,10 @@ Defaults     env_reset
 Defaults       passprompt="[sudo] password for %u on %h: "
 Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
+# Find binaries to be executed as archvsync user also in it's home, so the
+# caller does not need to know.
+Defaults>archvsync secure_path="/home/archvsync/bin:/usr/local/bin:/usr/bin:/bin"
+
 # Host alias specification
 Host_Alias     VOIPHOSTS       = vogler
 Host_Alias     WEBHOSTS        = wolkenstein
@@ -239,7 +243,7 @@ letsencrypt denis=(dnsadm)                  NOPASSWD: /srv/dns.debian.org/bin/update
 %wbadm         BUILDD_MASTER=(wb-buildd)       ALL
 %wbadm         BUILDD_MASTER=(root)            /usr/local/bin/update-buildd-sshkeys
 # mirror push
-dak            FTPHOSTS,SECHOSTS=(archvsync)   NOPASSWD:/home/archvsync/runmirrors
+dak            FTPHOSTS,SECHOSTS=(archvsync)   NOPASSWD:/home/archvsync/runmirrors, /home/archvsync/bin/runmirrors
 # archvsync triggers snapshot
 archvsync      sibelius=(snapshot)     NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
 archvsync      sibelius=(snapshot)     NOPASSWD: /srv/2ndsnapshot/bin/update-trigger