summaryrefslogtreecommitdiffstats
path: root/debian/etc
diff options
context:
space:
mode:
Diffstat (limited to 'debian/etc')
-rw-r--r--debian/etc/pam.d/sudo8
-rw-r--r--debian/etc/pam.d/sudo-i8
-rw-r--r--debian/etc/sudoers54
-rw-r--r--debian/etc/sudoers.d/README24
4 files changed, 94 insertions, 0 deletions
diff --git a/debian/etc/pam.d/sudo b/debian/etc/pam.d/sudo
new file mode 100644
index 0000000..96e8906
--- /dev/null
+++ b/debian/etc/pam.d/sudo
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+@include common-auth
+@include common-account
+@include common-session-noninteractive
diff --git a/debian/etc/pam.d/sudo-i b/debian/etc/pam.d/sudo-i
new file mode 100644
index 0000000..d638522
--- /dev/null
+++ b/debian/etc/pam.d/sudo-i
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+@include common-auth
+@include common-account
+@include common-session
diff --git a/debian/etc/sudoers b/debian/etc/sudoers
new file mode 100644
index 0000000..b5da8e9
--- /dev/null
+++ b/debian/etc/sudoers
@@ -0,0 +1,54 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
+# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
+Defaults use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d
diff --git a/debian/etc/sudoers.d/README b/debian/etc/sudoers.d/README
new file mode 100644
index 0000000..356d882
--- /dev/null
+++ b/debian/etc/sudoers.d/README
@@ -0,0 +1,24 @@
+#
+# The default /etc/sudoers file created on installation of the
+# sudo package now includes the directive:
+#
+# @includedir /etc/sudoers.d
+#
+# This will cause sudo to read and parse any files in the /etc/sudoers.d
+# directory that do not end in '~' or contain a '.' character.
+#
+# Note that there must be at least one file in the sudoers.d directory (this
+# one will do).
+#
+# Note also, that because sudoers contents can vary widely, no attempt is
+# made to add this directive to existing sudoers files on upgrade. Feel free
+# to add the above directive to the end of your /etc/sudoers file to enable
+# this functionality for existing installations if you wish! Sudo
+# versions older than the one in Debian 11 (bullseye) require the
+# directive will only support the old syntax #includedir, and the current
+# sudo will happily accept both @includedir and #includedir
+#
+# Finally, please note that using the visudo command is the recommended way
+# to update sudoers content, since it protects against many failure modes.
+# See the man page for visudo and sudoers for more information.
+#