author | Dmitry Ilvokhin <d@ilvokhin.com> | 2023-12-20 11:51:20 +0000 |
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2023-12-20 11:51:20 +0000 |
commit | 616753b16cd7a3d00716047d3e58581c6e37805a (patch) | |
tree | 61c2bcada80ec0427b8c0200af382a1013cc48df | |
parent | 2a59032badaefc7b7dc86ef18cf5a26b04cac4c1 (diff) | |
Prevent PATH hijacking attack with sudo
-rw-r--r-- | roles/essential/tasks/sudo.yml | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/roles/essential/tasks/sudo.yml b/roles/essential/tasks/sudo.yml
index 273b99a..e2d4861 100644
--- a/roles/essential/tasks/sudo.yml
+++ b/roles/essential/tasks/sudo.yml
@@ -14,3 +14,18 @@
 owner: root
 group: root
 mode: u+r,g+r,o-rwx
+
+- name: Use hard-coded PATH instead of the user's to find commands
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ # Double quotes are important here if we want to break the line on multiple
+ # lines, as escaping doesn't work with single quotes.
+ regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
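Review bot: The `regexp` in the new lineinfile task only matches a `Defaults secure_path` line whose value is byte-identical to the one being written, so a host whose sudoers already carries a different `secure_path` value (a distribution default with extra directories, or a previously hand-edited entry) keeps that line and gets a second `Defaults secure_path=` appended after it. That leaves two competing definitions in /etc/sudoers — visudo accepts it, so `validate` will not catch it — and which value wins depends on sudoers ordering rather than on this role. Anchoring the pattern on the option name instead of the full value makes the task replace whatever is there: `regexp: '^(# )?Defaults\s+secure_path='`. The rest of the task (single hard-coded value, `validate: "visudo -cf %s"`, root-owned 0440-style mode) is sound, and the `\`-continued double-quoted scalars fold correctly in YAML since leading whitespace on the continuation line is stripped.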