From 8a754e0858d922e955e71b253c139e071ecec432 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 18:04:21 +0200 Subject: Adding upstream version 2.14.3. Signed-off-by: Daniel Baumann --- .../become_unprivileged/setup_unpriv_users.yml | 109 +++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 test/integration/targets/become_unprivileged/setup_unpriv_users.yml (limited to 'test/integration/targets/become_unprivileged/setup_unpriv_users.yml') diff --git a/test/integration/targets/become_unprivileged/setup_unpriv_users.yml b/test/integration/targets/become_unprivileged/setup_unpriv_users.yml new file mode 100644 index 0000000..4f67741 --- /dev/null +++ b/test/integration/targets/become_unprivileged/setup_unpriv_users.yml @@ -0,0 +1,109 @@ +#################################################################### +# NOTE! Any destructive changes you make here... Undo them in +# cleanup_become_unprivileged so that they don't affect other tests. +#################################################################### +- name: Set up host and create unprivileged users + hosts: ssh + gather_facts: yes + remote_user: root + tasks: + - name: Create groups for unprivileged users + group: + name: "{{ item }}" + with_items: + - unpriv1 + - unpriv2 + + # MacOS requires unencrypted password + - name: Set password for unpriv1 (MacOSX) + set_fact: + password: 'iWishIWereCoolEnoughForRoot!' + when: ansible_distribution == 'MacOSX' + + - name: Set password for unpriv1 (everything else) + set_fact: + password: $6$CRuKRUfAoVwibjUI$1IEOISMFAE/a0VG73K9QsD0uruXNPLNkZ6xWg4Sk3kZIXwv6.YJLECzfNjn6pu8ay6XlVcj2dUvycLetL5Lgx1 + when: ansible_distribution != 'MacOSX' + + # This user is special. It gets a password so we can sudo as it + # (we set the sudo password in runme.sh) and it gets wheel so it can + # `become` unpriv2 without an overly complex sudoers file. + - name: Create first unprivileged user + user: + name: unpriv1 + group: unpriv1 + password: "{{ password }}" + + - name: Create second unprivileged user + user: + name: unpriv2 + group: unpriv2 + + - name: Special case group add for macOS + user: + name: unpriv1 + groups: com.apple.access_ssh + append: yes + when: ansible_distribution == 'MacOSX' + + - name: Create .ssh for unpriv1 + file: + path: ~unpriv1/.ssh + state: directory + owner: unpriv1 + group: unpriv1 + mode: 0700 + + - name: Set authorized key for unpriv1 + copy: + src: ~root/.ssh/authorized_keys + dest: ~unpriv1/.ssh/authorized_keys + remote_src: yes + owner: unpriv1 + group: unpriv1 + mode: 0600 + + # Without this we get: + # "Failed to connect to the host via ssh: "System is booting up. Unprivileged + # users are not permitted to log in yet. Please come back later." + - name: Nuke /run/nologin + file: + path: /run/nologin + state: absent + + - name: Fix sudoers.d path for FreeBSD + set_fact: + sudoers_etc: /usr/local/etc + when: ansible_distribution == 'FreeBSD' + + - name: Fix sudoers.d path for everything else + set_fact: + sudoers_etc: /etc + when: sudoers_etc is not defined + + - name: Set chown group for bsd and osx + set_fact: + chowngroup: wheel + when: ansible_distribution in ('FreeBSD', 'MacOSX') + + - name: Chown group for everything else + set_fact: + chowngroup: root + when: chowngroup is not defined + + - name: Make it so unpriv1 can sudo (Chapter 1) + copy: + dest: "{{ sudoers_etc }}/sudoers.d/unpriv1" + content: unpriv1 ALL=(ALL) ALL + owner: root + group: "{{ chowngroup }}" + mode: 0644 + + # OpenSUSE has a weird sudo default here and requires the root pw + # instead of the user pw. Undo that setting, we can clean it up later. + - name: Make it so unpriv1 can sudo (Chapter 2 - The Return Of the OpenSUSE) + lineinfile: + dest: "{{ sudoers_etc }}/sudoers" + regexp: '^Defaults targetpw' + line: '### Defaults targetpw' + backrefs: yes -- cgit v1.2.3