Diffstat (limited to 'etc')
| -rw-r--r-- | etc/doas.conf | 3 | ||||
| -rw-r--r-- | etc/pam.d/sudo | 4 | ||||
| -rw-r--r-- | etc/sudoers-rs | 13 |
3 files changed, 17 insertions, 3 deletions
diff --git a/etc/doas.conf b/etc/doas.conf
deleted file mode 100644
index fad7c3c..0000000
--- a/etc/doas.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-permit persist setenv { PATH TERM LANG LC_ALL EDITOR DIFFPROG PAGER } :wheel
-permit nopass :wheel as root cmd /usr/bin/poweroff
-permit nopass :wheel as root cmd /usr/bin/reboot
diff --git a/etc/pam.d/sudo b/etc/pam.d/sudo
new file mode 100644
index 0000000..ab053c5
--- /dev/null
+++ b/etc/pam.d/sudo
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+session include system-auth
diff --git a/etc/sudoers-rs b/etc/sudoers-rs
new file mode 100644
index 0000000..8326b8e
--- /dev/null
+++ b/etc/sudoers-rs
@@ -0,0 +1,13 @@
+# Keep $EDITOR / $VISUAL when running visudo.
+Defaults!/usr/bin/visudo-rs env_keep += "SUDO_EDITOR EDITOR VISUAL"
+Defaults!/usr/local/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
+
+# Sanitize PATH for elevated commands.
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
+
+# Root and the wheel group can run anything (after a password prompt).
+root ALL=(ALL:ALL) ALL
+%wheel ALL=(ALL:ALL) ALL
+
+# Passwordless poweroff/reboot (parity with the previous doas.conf).
+%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot
|
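Review bot: The passwordless rule on the last line of etc/sudoers-rs uses the runas spec `(ALL)`, so wheel members can run poweroff/reboot as any user without a password, whereas the removed doas.conf rules were limited with `as root`; the "parity" in the comment is therefore not exact. I would narrow it to `%wheel ALL=(root) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot`. A sudoers command given without an argument list also matches any arguments; if only the bare commands are intended, appending `""` after each path pins that, though it is worth confirming that sudo-rs accepts that form. The diffstat shows the file committed as -rw-r--r-- and the install step is not visible here, so check that it is installed root-owned with the mode sudo-rs expects.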
