Optimized security with administrator user

2025-11-04 04:08:15 +00:00 · 2020-12-31 17:01:47 +01:00
parent 8d4878d299
commit 11deb714b9
5 changed files with 8 additions and 5 deletions
--- a/roles/native-sudo/templates/sudoers
+++ b/roles/native-sudo/templates/sudoers
@@ -85,7 +85,7 @@ root ALL=(ALL) ALL
 # %wheel ALL=(ALL) NOPASSWD: ALL
 ## Uncomment to allow members of group sudo to execute any command
-%sudo	ALL=(ALL) ALL
+# %sudo	ALL=(ALL) ALL
 ## Uncomment to allow any user to run sudo if they know the password
 ## of the user they are running the command as (root by default).
--- a/roles/native-user-administrator/Readme.md
+++ b/roles/native-user-administrator/Readme.md
@@ -1,4 +1,4 @@
 # Role Administrator
 This role creates an standard administrator user.
 This user needs to type in his password before executing sudo. 
 For security reasons it's recommended to use this user instead of the standard root user.
 Please consider the concerns in this article https://unix.stackexchange.com/questions/92123/rsync-all-files-of-remote-machine-over-ssh-without-root-user.  
--- a/roles/native-user-administrator/files/administrator.conf
+++ b/roles/native-user-administrator/files/administrator.conf
@@ -0,0 +1,2 @@
 Defaults targetpw
 administrator ALL=(ALL) ALL
--- a/roles/native-user-administrator/tasks/main.yml
+++ b/roles/native-user-administrator/tasks/main.yml
@@ -14,7 +14,7 @@
    group: administrator
    mode: '0644'
- name: grant administrator sudo rights without password
+- name: grant administrator sudo rights with password
  copy:
-    content: '%administrator ALL=(ALL) NOPASSWD: ALL'
+    src: "administrator.conf"
-    dest: /etc/sudoers.d/administrator
+    dest: /etc/sudoers.d/administrator.conf
--- a/roles/system-security/meta/main.yml
+++ b/roles/system-security/meta/main.yml
@@ -1,3 +1,4 @@
 dependencies:
 - native-ssh
 - native-user-alarm
 - native-user-administrator
		`@@ -0,0 +1,2 @@`
							`Defaults targetpw`
							`administrator ALL=(ALL) ALL`