diff options
Diffstat (limited to 'debian/etc')
-rw-r--r-- | debian/etc/pam.d/sudo | 8 | ||||
-rw-r--r-- | debian/etc/pam.d/sudo-i | 8 | ||||
-rw-r--r-- | debian/etc/sudoers | 54 | ||||
-rw-r--r-- | debian/etc/sudoers.d/README | 24 |
4 files changed, 94 insertions, 0 deletions
diff --git a/debian/etc/pam.d/sudo b/debian/etc/pam.d/sudo new file mode 100644 index 0000000..96e8906 --- /dev/null +++ b/debian/etc/pam.d/sudo @@ -0,0 +1,8 @@ +#%PAM-1.0 + +# Set up user limits from /etc/security/limits.conf. +session required pam_limits.so + +@include common-auth +@include common-account +@include common-session-noninteractive diff --git a/debian/etc/pam.d/sudo-i b/debian/etc/pam.d/sudo-i new file mode 100644 index 0000000..d638522 --- /dev/null +++ b/debian/etc/pam.d/sudo-i @@ -0,0 +1,8 @@ +#%PAM-1.0 + +# Set up user limits from /etc/security/limits.conf. +session required pam_limits.so + +@include common-auth +@include common-account +@include common-session diff --git a/debian/etc/sudoers b/debian/etc/sudoers new file mode 100644 index 0000000..b5da8e9 --- /dev/null +++ b/debian/etc/sudoers @@ -0,0 +1,54 @@ +# +# This file MUST be edited with the 'visudo' command as root. +# +# Please consider adding local content in /etc/sudoers.d/ instead of +# directly modifying this file. +# +# See the man page for details on how to write a sudoers file. +# +Defaults env_reset +Defaults mail_badpass +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu +# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532) +Defaults use_pty + +# This preserves proxy settings from user environments of root +# equivalent users (group sudo) +#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy" + +# This allows running arbitrary commands, but so does ALL, and it means +# different sudoers have their choice of editor respected. +#Defaults:%sudo env_keep += "EDITOR" + +# Completely harmless preservation of a user preference. +#Defaults:%sudo env_keep += "GREP_COLOR" + +# While you shouldn't normally run git as root, you need to with etckeeper +#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*" + +# Per-user preferences; root won't have sensible values for them. +#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME" + +# "sudo scp" or "sudo rsync" should be able to use your SSH agent. +#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK" + +# Ditto for GPG agent +#Defaults:%sudo env_keep += "GPG_AGENT_INFO" + +# Host alias specification + +# User alias specification + +# Cmnd alias specification + +# User privilege specification +root ALL=(ALL:ALL) ALL + +# Allow members of group sudo to execute any command +%sudo ALL=(ALL:ALL) ALL + +# See sudoers(5) for more information on "@include" directives: + +@includedir /etc/sudoers.d diff --git a/debian/etc/sudoers.d/README b/debian/etc/sudoers.d/README new file mode 100644 index 0000000..356d882 --- /dev/null +++ b/debian/etc/sudoers.d/README @@ -0,0 +1,24 @@ +# +# The default /etc/sudoers file created on installation of the +# sudo package now includes the directive: +# +# @includedir /etc/sudoers.d +# +# This will cause sudo to read and parse any files in the /etc/sudoers.d +# directory that do not end in '~' or contain a '.' character. +# +# Note that there must be at least one file in the sudoers.d directory (this +# one will do). +# +# Note also, that because sudoers contents can vary widely, no attempt is +# made to add this directive to existing sudoers files on upgrade. Feel free +# to add the above directive to the end of your /etc/sudoers file to enable +# this functionality for existing installations if you wish! Sudo +# versions older than the one in Debian 11 (bullseye) require the +# directive will only support the old syntax #includedir, and the current +# sudo will happily accept both @includedir and #includedir +# +# Finally, please note that using the visudo command is the recommended way +# to update sudoers content, since it protects against many failure modes. +# See the man page for visudo and sudoers for more information. +# |