nilrt-snac: configure sudo

require users to always enter their password when using sudo Signed-off-by: Alex Hearn <[email protected]>
ni · Sep 18, 2024 · a583b28 · a583b28
1 parent a444a10
commit a583b28
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/nilrt_snac/_configs/__init__.py b/nilrt_snac/_configs/__init__.py
@@ -8,6 +8,7 @@
 from nilrt_snac._configs._ntp_config import _NTPConfig
 from nilrt_snac._configs._opkg_config import _OPKGConfig
 from nilrt_snac._configs._pwquality_config import _PWQualityConfig
+from nilrt_snac._configs._sudo_config import _SudoConfig
 from nilrt_snac._configs._tmux_config import _TmuxConfig
 from nilrt_snac._configs._wifi_config import _WIFIConfig
 from nilrt_snac._configs._wireguard_config import _WireguardConfig
@@ -28,4 +29,5 @@
     _ConsoleConfig(),
     _TmuxConfig(),
     _PWQualityConfig(),
+    _SudoConfig(),
 ]
diff --git a/nilrt_snac/_configs/_sudo_config.py b/nilrt_snac/_configs/_sudo_config.py
@@ -0,0 +1,39 @@
+import argparse
+import textwrap
+
+from nilrt_snac._configs._base_config import _BaseConfig
+from nilrt_snac._configs._config_file import _ConfigFile
+
+from nilrt_snac import logger
+
+
+class _SudoConfig(_BaseConfig):
+    def __init__(self):
+        pass  # Nothing to do for now
+
+    def configure(self, args: argparse.Namespace) -> None:
+        print("Configuring sudo...")
+        config_file = _ConfigFile("/etc/sudoers.d/snac")
+        dry_run: bool = args.dry_run
+        if not config_file.exists():
+            config_file.add(
+                textwrap.dedent(
+                    """
+                    # NILRT SNAC configuration sudoers. Do not hand-edit.
+                    Defaults timestamp_timeout=0
+                    """
+                )
+            )
+        config_file.save(dry_run)
+
+    def verify(self, args: argparse.Namespace) -> bool:
+        print("Verifying sudo configuration...")
+        config_file = _ConfigFile("/etc/sudoers.d/snac")
+        valid = True
+        if not config_file.exists():
+            valid = False
+            logger.error(f"MISSING: {config_file.path} not found")
+        if not config_file.contains("Defaults timestamp_timeout=0"):
+            valid = False
+            logger.error("MISSING: immediate timestamp_timeout")
+        return valid