security stuff

[automated-distro-installer] / fai / config / distro-install-common / end

diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end
index 0204ce50025bd3312267c7bed58c2382c17413a2..57b71159f62352228b8f53f28fb0b3ae89e138f8 100755 (executable)
--- a/fai/config/distro-install-common/end
+++ b/fai/config/distro-install-common/end
@@ -80,10 +80,31 @@ echo "fs.inotify.max_user_watches = 50000" >> $f
 # applies it. it would be also be applied after a reboot
 $ROOTCMD sysctl --system
 
+cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
+Defaults timestamp_timeout=1440
+# used in bashrc
+Defaults  env_keep += SUDOD
+# always_set_home
+# makes ubuntu be like debian
+# https://unix.stackexchange.com/a/91572
+Defaults always_set_home
+# umask: default setting is to have  minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
+# i use sudo in cronjobs, it spams the logs rather uselessly
+# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
+Defaults:root,iank !log_allowed, !pam_session
+# for just the root user, set some env vars
+Defaults>root env_file=/etc/rootsudoenv
+EOF
+
+# remove old config line. can be removed eventually.
 f=$target/etc/sudoers
 line='iank  ALL=(ALL)  NOPASSWD: ALL'
-if [[ ! -e $f ]] || ! grep -xF "$line" $f; then
-  echo "$line" >> $f
+if grep -qxF "$line" $f; then
+  sed -i "/^$line/d" $f
 fi