#59: fedora-cloud-base-vagrant image has incorrect sudo privs
-----------------------------+---------------------
Reporter: semyers | Owner: kanarip
Type: defect | Status: new
Priority: major | Milestone:
Component: kickstart pool | Keywords: vagrant
Blocked By: | Blocking:
-----------------------------+---------------------
= bug description =
The fedora-cloud-base-vagrant image does not have the vagrant-recommended
sudo privileges.
The vagrant user is granted "ALL=NOPASSWD: ALL", but should be granted
"vagrant ALL=(ALL) NOPASSWD: ALL".
= bug analysis =
In [https://git.fedorahosted.org/cgit/spin-kickstarts.git/tree/fedora-cloud-base-vagrant.ks?id=6b42371f723437214404c37366e7784004e12dc3#n45 the current state],
the vagrant user cannot act as other users with sudo.
Given passwordless sudo, the vagrant user easily has the ability to gain
this functionality (this is my current workaround), so it should probably
be the default anyway.
Without the "(ALL)" in the sudoers line:
{{{
[vagrant@dev ~]$ sudo -u nobody ls /
[sudo] password for vagrant:
Sorry, user vagrant is not allowed to execute '/bin/ls /' as nobody on dev.
}}}
With the "(ALL)" in the sudoers line:
{{{
[vagrant@dev ~]$ sudo -u nobody ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc
root run sbin srv sys tmp usr vagrant var
}}}
= fix recommendation =
In the fedora-cloud-base-vagrant kickstart, replace
{{{
echo 'vagrant ALL=NOPASSWD: ALL' > /etc/sudoers.d/vagrant-nopasswd
}}}
with
{{{
echo 'vagrant ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/vagrant-nopasswd
}}}
As described in the vagrant docs, under "Password-less sudo":
https://docs.vagrantup.com/v2/boxes/base.html
--
Ticket URL: <https://fedorahosted.org/spin-kickstarts/ticket/59>
spin-kickstarts <https://fedorahosted.org/spin-kickstarts/>
Kickstarts that the Spin SIG reviews, tests, maintains and releases (as a package).
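
Added example, not part of the original ticket or of the spin-kickstarts code: a POSIX shell check that reports which target users a sudoers entry allows, run against the two lines quoted in the ticket. The function names `runas_of` and `allows_any_user` are hypothetical, and the parser assumes simple single-line entries (no aliases, line continuations or multiple host groups).

```shell
#!/bin/sh
# Added example: inspect the Runas_Spec of simple sudoers entries of the form
#   user host = [(runas)] [TAG:] commands

# runas_of ENTRY -> prints the contents of the Runas_Spec, or "root" when the
# spec is omitted (without a Runas_Spec, sudo only allows running as root).
runas_of() {
    spec=${1#*=}                                   # text after the first '='
    spec=$(printf '%s' "$spec" | sed 's/^[[:space:]]*//')
    case $spec in
        "("*")"*)
            inner=${spec#"("}                      # drop the opening paren
            printf '%s\n' "${inner%%")"*}" ;;      # keep up to the first ')'
        *)
            printf 'root\n' ;;
    esac
}

# allows_any_user FILE USER -> exit 0 if FILE has an entry for USER whose
# Runas_Spec user list is ALL, exit 1 otherwise.
allows_any_user() {
    while read -r user rest || [ -n "$user" ]; do
        [ "$user" = "$2" ] || continue             # skips comments and other users
        runas=$(runas_of "$rest")
        users=$(printf '%s' "${runas%%:*}" | tr -d '[:space:]')  # part before ':group'
        if [ "$users" = "ALL" ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# Demo on the two sudoers lines quoted in the ticket.
for entry in 'vagrant ALL=NOPASSWD: ALL' 'vagrant ALL=(ALL) NOPASSWD: ALL'; do
    printf '%-36s -> may run as: %s\n' "$entry" "$(runas_of "$entry")"
done
```

A build-time check could call `allows_any_user /etc/sudoers.d/vagrant-nopasswd vagrant` after the kickstart `%post` step; `visudo -cf` on the same file additionally validates its syntax.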