Optimized security with administrator user

2024-09-20 00:13:09 +02:00 · 2020-12-31 17:01:47 +01:00 · 2020-12-31 17:01:47 +01:00 · 11deb714b9
commit 11deb714b9
parent 8d4878d299
5 changed files with 8 additions and 5 deletions
--- a/roles/native-sudo/templates/sudoers
+++ b/roles/native-sudo/templates/sudoers
@ -85,7 +85,7 @@ root ALL=(ALL) ALL
 # %wheel ALL=(ALL) NOPASSWD: ALL

 ## Uncomment to allow members of group sudo to execute any command
-%sudo	ALL=(ALL) ALL
+# %sudo	ALL=(ALL) ALL

 ## Uncomment to allow any user to run sudo if they know the password
 ## of the user they are running the command as (root by default).
--- a/roles/native-user-administrator/Readme.md
+++ b/roles/native-user-administrator/Readme.md
@ -1,4 +1,4 @@
 # Role Administrator
 This role creates an standard administrator user.
+This user needs to type in his password before executing sudo. 
 For security reasons it's recommended to use this user instead of the standard root user.
-Please consider the concerns in this article https://unix.stackexchange.com/questions/92123/rsync-all-files-of-remote-machine-over-ssh-without-root-user.  
--- a/roles/native-user-administrator/files/administrator.conf
+++ b/roles/native-user-administrator/files/administrator.conf
@ -0,0 +1,2 @@
+Defaults targetpw
+administrator ALL=(ALL) ALL
--- a/roles/native-user-administrator/tasks/main.yml
+++ b/roles/native-user-administrator/tasks/main.yml
@ -14,7 +14,7 @@
    group: administrator
    mode: '0644'

- name: grant administrator sudo rights without password
+- name: grant administrator sudo rights with password
  copy:
-    content: '%administrator ALL=(ALL) NOPASSWD: ALL'
-    dest: /etc/sudoers.d/administrator
+    src: "administrator.conf"
+    dest: /etc/sudoers.d/administrator.conf
--- a/roles/system-security/meta/main.yml
+++ b/roles/system-security/meta/main.yml
@ -1,3 +1,4 @@
 dependencies:
 - native-ssh
 - native-user-alarm
+- native-user-administrator