From 616753b16cd7a3d00716047d3e58581c6e37805a Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin <d@ilvokhin.com>
Date: Wed, 20 Dec 2023 11:51:20 +0000
Subject: Prevent PATH hijacking attack with sudo

---
 roles/essential/tasks/sudo.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/roles/essential/tasks/sudo.yml b/roles/essential/tasks/sudo.yml
index 273b99a..e2d4861 100644
--- a/roles/essential/tasks/sudo.yml
+++ b/roles/essential/tasks/sudo.yml
@@ -14,3 +14,18 @@
     owner: root
     group: root
     mode: u+r,g+r,o-rwx
+
+- name: Use hard-coded PATH instead of the user's to find commands
+  ansible.builtin.lineinfile:
+    dest: /etc/sudoers
+    state: present
+    # Double quotes are important here if we want to break the line on multiple
+    # lines, as escaping doesn't work with single quotes.
+    regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+            /usr/sbin:/usr/bin:/sbin:/bin\""
+    line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+           /usr/sbin:/usr/bin:/sbin:/bin\""
+    validate: "visudo -cf %s"
+    owner: root
+    group: root
+    mode: u+r,g+r,o-rwx
-- 
cgit v1.2.3-70-g09d2