From f3bdae3a82668fba2da15419f37357d56a72b1e5 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Fri, 6 Nov 2015 08:04:00 -0800
Subject: [PATCH] address sudo when debuild is installed

---
 manifests/sudo.pp                 | 4 ++++
 templates/sudo/etc/pam.d/sudo.erb | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/manifests/sudo.pp b/manifests/sudo.pp
index 0a2725f..41ad965 100644
--- a/manifests/sudo.pp
+++ b/manifests/sudo.pp
@@ -8,6 +8,9 @@
 # $timeout: how long (in minutes) between requiring a new Duo re-auth.
 # Default: 30
 #
+# $debuild: set this true if you need to set up a debuild environment.
+# Default: false
+#
 # Example.
 # To install sudo with no Duo support:
 #
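Review bot: The new `$debuild` description does not say what the flag changes on the host. Judging from the template hunk in this same patch, its visible effect is to add two PAM session lines to sudo's PAM configuration, one of which runs pam_afs_session for uid 0. I would document that here, for example `# $debuild: set this true only on build hosts; adds pam_krb5 and pam_afs_session (minimum_uid=0) session lines to sudo's PAM config.`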
@@ -35,6 +38,7 @@ class base::sudo(
   $duo         = false,
   $duo_sudoers = [],
   $timeout     = 30,
+  $debuild     = false,
 ){
   package { 'sudo':
     ensure => installed
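Review bot: `$debuild` is never checked to be a boolean, and the template tests it with `if (@debuild)`, where Ruby treats every value except nil and false as true, including the string 'false'. A value that arrives as a string from a node classifier or a data lookup would then switch the extra PAM session lines on unintentionally. If puppetlabs-stdlib is available to this module, add `validate_bool($debuild)` at the top of the class body. The class body continues outside this hunk, so an existing check further down would not be visible from here.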
diff --git a/templates/sudo/etc/pam.d/sudo.erb b/templates/sudo/etc/pam.d/sudo.erb
index 45b367d..c0d4bcb 100644
--- a/templates/sudo/etc/pam.d/sudo.erb
+++ b/templates/sudo/etc/pam.d/sudo.erb
@@ -14,3 +14,10 @@ account    include      common-auth
 password   include      common-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
+<%- if (@debuild) then -%>
+# Instead of including the stock common-session-noninteractive we
+# use parts of it, overriding minimum_uid for pam_afs_session
+# so that sudo will be able to get AFS tokens (helps with cowbuilder)
+session    optional     pam_krb5.so minimum_uid=1000
+session    optional     pam_afs_session.so minimum_uid=0
+<%- end -%>
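Review bot: The `pam_afs_session.so minimum_uid=0` line takes effect for every sudo session on a host with `debuild` enabled, not only for cowbuilder runs, and the comment above it does not say so. With the minimum lowered to 0 the module no longer skips root, so root-owned processes started through sudo can hold AFS tokens. That is a wider privilege than the stock configuration, and an operator reading the rendered file should be able to see it. I would add a line to the comment such as `# NOTE: minimum_uid=0 makes this apply to root sessions for all sudo use on this host; enable only on build hosts.` Whether common-session-noninteractive is still included earlier in the file is not visible in this hunk, so it is worth confirming that these two modules are not run twice.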
-- 
GitLab