Dzahn has submitted this change and it was merged. Change subject: sudo journalctl: make missing restrictions obvious
sudo journalctl: make missing restrictions obvious sudoers command argument wildcard '*' does not restrict anything. journalctl allows multiple -u arguments, thus this does not restrict invoking journalctl on one unit. Bug: T115067 Change-Id: I941fd1f797c3b57fb97fdfbf1c9cd27ece0e9daa --- M modules/admin/data/data.yaml 1 file changed, 2 insertions(+), 3 deletions(-) Approvals: jenkins-bot: Verified Dzahn: Looks good to me, approved diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index 80c28cd..428d59a 100644 --- a/modules/admin/data/data.yaml +++ b/modules/admin/data/data.yaml @@ -359,7 +359,7 @@ 'ALL = NOPASSWD: /bin/systemctl mask kartotherian.service', 'ALL = NOPASSWD: /bin/systemctl unmask kartotherian.service', 'ALL = (kartotherian) NOPASSWD: ALL', - 'ALL = NOPASSWD: /bin/journalctl -u kartotherian *'] + 'ALL = NOPASSWD: /bin/journalctl *'] wdqs-admins: gid: 755 description: Admins for the WikiData Query Service project 
@@ -383,12 +383,11 @@ 'ALL = NOPASSWD: /bin/systemctl mask tilerator.service', 'ALL = NOPASSWD: /bin/systemctl unmask tilerator.service', 'ALL = (tilerator) NOPASSWD: ALL', - 'ALL = NOPASSWD: /bin/journalctl -u tilerator *', 'ALL = NOPASSWD: /usr/sbin/service tileratorui *', 'ALL = NOPASSWD: /bin/systemctl mask tileratorui.service', 'ALL = NOPASSWD: /bin/systemctl unmask tileratorui.service', 'ALL = (tileratorui) NOPASSWD: ALL', - 'ALL = NOPASSWD: /bin/journalctl -u tileratorui *'] + 'ALL = NOPASSWD: /bin/journalctl *'] mobileapps-admin: description: Group of mobileapps admins gid: 759 -- To view, visit https://gerrit.wikimedia.org/r/251714 Gerrit-MessageType: merged Gerrit-Change-Id: I941fd1f797c3b57fb97fdfbf1c9cd27ece0e9daa Gerrit-PatchSet: 7 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: JanZerebecki <jan.wikime...@zerebecki.de> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <>
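Review bot: The new last entry of the kartotherian list in the first hunk (@@ -359,7), 'ALL = NOPASSWD: /bin/journalctl *', carries no comment saying that the breadth is deliberate, so a later reader of data.yaml can mistake it for an oversight and "tighten" it back to the '-u kartotherian *' form that the commit message explains never restricted anything. Add a YAML comment next to the entry that references T115067 and states that this group may run journalctl as root, without a password, with any arguments. If reading only kartotherian's unit was the original intent, that needs a rule with a fixed argument list and no trailing '*', and it should be tracked as follow-up on the same task.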
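Review bot: The single 'ALL = NOPASSWD: /bin/journalctl *' that closes the list in the second hunk (@@ -383,12) now stands in for both the tilerator and the tileratorui entries, but it sits after the tileratorui block with nothing indicating that it also covers tilerator, whose own journalctl line is deleted further up. Either move it so it is not read as belonging to tileratorui alone, or add a short comment that it applies to the whole group. The same string is now duplicated in the kartotherian list from the first hunk; a shared comment referencing T115067 on both would keep the two entries from drifting apart if one is restricted later.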