authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-18 05:52:35 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-18 05:52:35 +0000
commit7fec0b69a082aaeec72fee0612766aa42f6b1b4d (patch)
treeefb569b86ca4da888717f5433e757145fa322e08 /ansible_collections/community/general/plugins/modules/sudoers.py
parentReleasing progress-linux version 7.7.0+dfsg-3~progress7.99u1. (diff)
Merging upstream version 9.4.0+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/community/general/plugins/modules/sudoers.py')
-rw-r--r--ansible_collections/community/general/plugins/modules/sudoers.py36
1 files changed, 29 insertions, 7 deletions
diff --git a/ansible_collections/community/general/plugins/modules/sudoers.py b/ansible_collections/community/general/plugins/modules/sudoers.py
index fd8289b1c..a392b4adf 100644
--- a/ansible_collections/community/general/plugins/modules/sudoers.py
+++ b/ansible_collections/community/general/plugins/modules/sudoers.py
@@ -31,13 +31,13 @@ options:
description:
- The commands allowed by the sudoers rule.
- Multiple can be added by passing a list of commands.
- - Use C(ALL) for all commands.
+ - Use V(ALL) for all commands.
type: list
elements: str
group:
description:
- The name of the group for the sudoers rule.
- - This option cannot be used in conjunction with I(user).
+ - This option cannot be used in conjunction with O(user).
type: str
name:
required: true
@@ -45,6 +45,12 @@ options:
- The name of the sudoers rule.
- This will be used for the filename for the sudoers file managed by this rule.
type: str
+ noexec:
+ description:
+ - Whether a command is prevented to run further commands itself.
+ default: false
+ type: bool
+ version_added: 8.4.0
nopassword:
description:
- Whether a password will be required to run the sudo'd command.
@@ -83,13 +89,13 @@ options:
user:
description:
- The name of the user for the sudoers rule.
- - This option cannot be used in conjunction with I(group).
+ - This option cannot be used in conjunction with O(group).
type: str
validation:
description:
- - If C(absent), the sudoers rule will be added without validation.
- - If C(detect) and visudo is available, then the sudoers rule will be validated by visudo.
- - If C(required), visudo must be available to validate the sudoers rule.
+ - If V(absent), the sudoers rule will be added without validation.
+ - If V(detect) and visudo is available, then the sudoers rule will be validated by visudo.
+ - If V(required), visudo must be available to validate the sudoers rule.
type: str
default: detect
choices: [ absent, detect, required ]
@@ -143,6 +149,15 @@ EXAMPLES = '''
user: alice
commands: /usr/local/bin/upload
setenv: true
+
+- name: >-
+ Allow alice to sudo /usr/bin/less but prevent less from
+ running further commands itself
+ community.general.sudoers:
+ name: allow-alice-restricted-less
+ user: alice
+ commands: /usr/bin/less
+ noexec: true
'''
import os
@@ -162,6 +177,7 @@ class Sudoers(object):
self.user = module.params['user']
self.group = module.params['group']
self.state = module.params['state']
+ self.noexec = module.params['noexec']
self.nopassword = module.params['nopassword']
self.setenv = module.params['setenv']
self.host = module.params['host']
@@ -205,13 +221,15 @@ class Sudoers(object):
owner = '%{group}'.format(group=self.group)
commands_str = ', '.join(self.commands)
+ noexec_str = 'NOEXEC:' if self.noexec else ''
nopasswd_str = 'NOPASSWD:' if self.nopassword else ''
setenv_str = 'SETENV:' if self.setenv else ''
runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
- return "{owner} {host}={runas}{nopasswd}{setenv} {commands}\n".format(
+ return "{owner} {host}={runas}{noexec}{nopasswd}{setenv} {commands}\n".format(
owner=owner,
host=self.host,
runas=runas_str,
+ noexec=noexec_str,
nopasswd=nopasswd_str,
setenv=setenv_str,
commands=commands_str
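Review bot: The `noexec_str` line introduces a third sudoers tag into the generated rule without any comment on what the NOEXEC: tag means or where it stops applying, and the enclosing method (its signature and the closing parenthesis of the format call are outside this hunk) carries no docstring. A comment above the three tag lines would help the next maintainer, e.g. `# sudoers Tag_Spec prefixes: NOEXEC: asks sudo to stop the command from executing further programs; per sudoers(5) this relies on the platform's noexec mechanism and, where that is library preloading, does not cover statically linked binaries.` The order NOEXEC:NOPASSWD:SETENV: is valid, and the same comment could note that tag order is not significant to sudoers so a future tag is not assumed to need a particular slot.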
@@ -258,6 +276,10 @@ def main():
'name': {
'required': True,
},
+ 'noexec': {
+ 'type': 'bool',
+ 'default': False,
+ },
'nopassword': {
'type': 'bool',
'default': True,