diff --git a/files/etc/filter-syslog/pbuilder b/files/etc/filter-syslog/pbuilder
new file mode 100644
index 0000000000000000000000000000000000000000..5a71775d91f12621c9dee2fbb0512e135496a643
--- /dev/null
+++ b/files/etc/filter-syslog/pbuilder
@@ -0,0 +1,9 @@
+# Syslog filter rules for a system building packages with pbuilder.
+
+# Running pbuilder via sudo.
+sudo: /.* USER=root ; COMMAND=/usr/sbin/pbuilder .*/
+sudo: /.* USER=root ; COMMAND=/usr/sbin/cowbuilder .*/
+sudo: /^pam_unix\(sudo:session\): session (opened|closed) for user root/
+
+# People doing builds out of AFS home directories.
+kernel: /^\[\d+\.\d+\] afs: byte-range locks only enforced for processes on /
diff --git a/files/etc/pam.d/sudo b/files/etc/pam.d/sudo
new file mode 100644
index 0000000000000000000000000000000000000000..67b857b9bcf082a8972831e9a19adf59059f7bbf
--- /dev/null
+++ b/files/etc/pam.d/sudo
@@ -0,0 +1,13 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+
+# @include common-session-noninteractive
+#
+# Instead of including the stock common-session-noninteractive we
+# use parts of it, overriding minimum_uid for pam_afs_session
+# so that sudo will be able to get AFS tokens (helps with cowbuilder)
+session optional pam_krb5.so minimum_uid=1000
+session required pam_unix.so
+session optional pam_afs_session.so minimum_uid=0
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
new file mode 100644
index 0000000000000000000000000000000000000000..56ea74e4d7bb16ef7790f78e45faf91ccac5e6bf
--- /dev/null
+++ b/manifests/sudo.pp
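Review bot: In files/etc/filter-syslog/pbuilder the third sudo rule, `/^pam_unix\(sudo:session\): session (opened|closed) for user root/`, is not tied to pbuilder or cowbuilder, so it drops the session open/close record of every sudo-to-root invocation from the filtered log, whatever command was run. The two `COMMAND=` rules also discard the arguments passed to the builders, which is the only record of how a passwordless root command was used. If that loss is accepted, say so in the file, for example `# NOTE: the pam_unix rule hides session records for all sudo-to-root use, not only builds.`; otherwise drop that rule and keep the two command-specific ones. The leading `/.* ` on the `COMMAND=` rules is unanchored, so a tighter pattern that pins the start of the message would reduce the chance of filtering unrelated lines.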
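Review bot: In files/etc/pam.d/sudo the `minimum_uid=0` override on the `pam_afs_session.so` line applies to every sudo session on the host, not only to cowbuilder runs, and the comment above it does not say so. I would extend the comment with something like `# NOTE: this affects all sudo sessions; any command run as root via sudo will attempt to obtain AFS tokens.` The session stack is also a hand-copied subset of common-session-noninteractive, so later changes to the distribution's file will presumably not reach sudo; a comment naming the release the lines were copied from would make that drift reviewable.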
@@ -0,0 +1,25 @@
+class su_debuld::sudo {
+
+ ### SUDO ###
+ ensure_packages(['sudo'], {'ensure' => 'present'})
+
+ # Install a sudo configuration letting mortals run pdebuild.
+ file_line { 'sudo_rule_for_pdebuild':
+ path => '/etc/sudoers',
+ line => '%root ALL = NOPASSWD: /usr/sbin/cowbuilder',
+ }
+
+ # Ignore the pbuilder sudos.
+ file { '/etc/filter-syslog/pbuilder':
+ source => 'puppet:///modules/su_debuild/etc/filter-syslog/pbuilder';
+ }
+
+ # To be able to run cowbuilder in AFS, we need to use a special version of
+ # /etc/pam.d/sudo.
+ file {
+ '/etc/pam.d/sudo':
+ source => 'puppet:///modules/su_debuild/etc/pam.d/sudo',
+ require => Package['sudo'];
+ }
+
+}
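Review bot: The `file_line` resource writes `%root ALL = NOPASSWD: /usr/sbin/cowbuilder` straight into `/etc/sudoers` with no syntax check and no `require => Package['sudo']`, and the rule puts no limit on cowbuilder's arguments, so every account it matches should be treated as having passwordless root. The comment says "mortals" while the rule names the `root` group, so one of the two is probably not what was intended. A drop-in file validated by `visudo` is safer than editing the main file in place; the sketch below assumes the stock sudoers includes `/etc/sudoers.d`, and the two `file` resources would benefit from explicit `owner`, `group` and `mode` as well. Separately, the class is declared as `su_debuld::sudo` while the `source` URLs use module `su_debuild`, which looks like a typo that would keep the class from autoloading.

```puppet
  # Install a sudo configuration letting mortals run pdebuild.
  # (file name below is a placeholder; pick one that fits site conventions)
  file { '/etc/sudoers.d/pdebuild':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "%root ALL = NOPASSWD: /usr/sbin/cowbuilder\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
    require      => Package['sudo'],
  }
  # … unchanged: filter-syslog and pam.d file resources …
```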