stage(kickstart): implement sudo support for users setting

This commit adds support in the kickstart stage to have options like: ```json {"users": {"foo": {"sudo": {}}}} {"users": {"foo": {"sudo": {"nopasswd": true}}}} ``` Users with "sudo" will get added to the users that can run sudo via the `/etc/sudoers.d/{user}-ks` snippet. Kickstart does not have native support for sudo so this is implemented via a targeted `%post` script.
mvo5 · Nov 16, 2023 · 5883ca6 · 5883ca6
1 parent 7b201db
commit 5883ca6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/stages/org.osbuild.kickstart b/stages/org.osbuild.kickstart
@@ -11,6 +11,7 @@ commands are supported here.
 """
 
 import os
+import shlex
 import sys
 from typing import Dict, List
 
@@ -115,6 +116,17 @@ SCHEMA = r"""
           "key": {
             "description": "SSH Public Key to add to ~/.ssh/authorized_keys",
             "type": "string"
+          },
+          "sudo": {
+            "description": "Configure sudo for the given user",
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "nopasswd": {
+                "description": "Allow use of sudo without a password",
+                "type": "boolean"
+              }
+            }
           }
         }
       }
@@ -325,6 +337,13 @@ def make_users(users: Dict) -> List[str]:
         if key:
             res.append(f'sshkey --username {name} "{key}"')
 
+        sudo = opts.get("sudo")
+        if sudo is not None:
+            # the schema makes this unnecessary but paranoia++
+            name = shlex.quote(name)
+            nopasswd = "NOPASSWD" if sudo.get("nopasswd", False) else ""
+            res.append(f'%post\nprintf "{name}\tALL=(ALL)\t{nopasswd}: ALL\n" >> /etc/sudoers.d/{name}-ks')
+
     return res
 
 

diff --git a/stages/test/test_kickstart.py b/stages/test/test_kickstart.py
@@ -10,6 +10,9 @@
 from osbuild.testutil.imports import import_module_from_path
 
 TEST_INPUT = [
+    ({"users": {"foo": {}}}, "user --name foo"),
+    ({"users": {"foo": {"sudo": {}}}}, 'user --name foo\n%post\nprintf "foo\tALL=(ALL)\t: ALL\n" >> /etc/sudoers.d/foo-ks'),
+    ({"users": {"foo": {"sudo": {"nopasswd": True}}}}, 'user --name foo\n%post\nprintf "foo\tALL=(ALL)\tNOPASSWD: ALL\n" >> /etc/sudoers.d/foo-ks'),
     ({"lang": "en_US.UTF-8"}, "lang en_US.UTF-8"),
     ({"keyboard": "us"}, "keyboard us"),
     ({"timezone": "UTC"}, "timezone UTC"),