diff options
| author | Jacob Bednarz <jacob.bednarz@gmail.com> | 2018-06-19 16:04:17 -0600 |
|---|---|---|
| committer | Chad Smith <chad.smith@canonical.com> | 2018-06-19 16:04:17 -0600 |
| commit | 4d69fb44a5607e16843537be26758893f2dd79be (patch) | |
| tree | b30aba78a37957245a4ac1d368efb1181096933d /doc/examples/cloud-config-user-groups.txt | |
| parent | 4ce6720104ec92d8d7c5aa993bf7ec405a2f53db (diff) | |
| download | vyos-cloud-init-4d69fb44a5607e16843537be26758893f2dd79be.tar.gz vyos-cloud-init-4d69fb44a5607e16843537be26758893f2dd79be.zip | |
Explicitly prevent `sudo` access for user module
To deny a user elevated access, you can omit the `sudo` key from the
`users` dictionary. This works fine however it's implicitly defined
based on defaults of `cloud-init`. If the project moves to have `sudo`
access allowed for all by default (quite unlikely but still possible)
this will catch a few people out.
This introduces the ability to define an explicit `sudo: False` in the
`users` dictionary and it will prevent `sudo` access. The behaviour is
identical to omitting the key.
LP: #1771468
Diffstat (limited to 'doc/examples/cloud-config-user-groups.txt')
| -rw-r--r-- | doc/examples/cloud-config-user-groups.txt | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/doc/examples/cloud-config-user-groups.txt b/doc/examples/cloud-config-user-groups.txt index 7bca24a3..01ecad7b 100644 --- a/doc/examples/cloud-config-user-groups.txt +++ b/doc/examples/cloud-config-user-groups.txt @@ -30,6 +30,11 @@ users: gecos: Magic Cloud App Daemon User inactive: true system: true + - name: fizzbuzz + sudo: False + ssh_authorized_keys: + - <ssh pub key 1> + - <ssh pub key 2> - snapuser: joe@joeuser.io # Valid Values: @@ -71,13 +76,21 @@ users: # no_log_init: When set to true, do not initialize lastlog and faillog database. # ssh_import_id: Optional. Import SSH ids # ssh_authorized_keys: Optional. [list] Add keys to user's authorized keys file -# sudo: Defaults to none. Set to the sudo string you want to use, i.e. -# ALL=(ALL) NOPASSWD:ALL. To add multiple rules, use the following -# format. -# sudo: -# - ALL=(ALL) NOPASSWD:/bin/mysql -# - ALL=(ALL) ALL -# Note: Please double check your syntax and make sure it is valid. +# sudo: Defaults to none. Accepts a sudo rule string, a list of sudo rule +# strings or False to explicitly deny sudo usage. Examples: +# +# Allow a user unrestricted sudo access. +# sudo: ALL=(ALL) NOPASSWD:ALL +# +# Adding multiple sudo rule strings. +# sudo: +# - ALL=(ALL) NOPASSWD:/bin/mysql +# - ALL=(ALL) ALL +# +# Prevent sudo access for a user. +# sudo: False +# +# Note: Please double check your syntax and make sure it is valid. # cloud-init does not parse/check the syntax of the sudo # directive. # system: Create the user as a system user. This means no home directory. |