diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml
index 55bc01701..834b264f4 100644
--- a/roles/iiab-admin/tasks/admin-user.yml
+++ b/roles/iiab-admin/tasks/admin-user.yml
@@ -37,32 +37,32 @@
 failed_when: False # Hides red errors (stronger than 'ignore_errors: yes')
-- name: Edit the sudoers file -- first make it editable (0640)
+- name: Temporarily make file /etc/sudoers editable (0640)
 file:
 path: /etc/sudoers
 mode: 0640
-- name: Have sudo log all commands it handles
+- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log'
 lineinfile:
+ path: /etc/sudoers
 regexp: logfile
 line: "Defaults logfile = /var/log/sudo.log"
- dest: /etc/sudoers
- state: present
 #- name: Lets {{ iiab_admin_user }} sudo without password
 ##- name: Lets wheel sudo without password
 # lineinfile:
+# path: /etc/sudoers
 # line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
 ## line: "%wheel ALL= NOPASSWD: ALL"
-# dest: /etc/sudoers
-- name: Remove the line which requires tty
- lineinfile:
- regexp: requiretty
- dest: /etc/sudoers
- state: absent
+# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
+#- name: Remove all lines that contain 'requiretty'
+# lineinfile:
+# path: /etc/sudoers
+# regexp: requiretty
+# state: absent
-- name: End editing the sudoers file -- protect it again (0440)
+- name: End editing file /etc/sudoers -- protect it again (0440)
 file:
 path: /etc/sudoers
 mode: 0440
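Review bot: The `lineinfile` task that now carries `path: /etc/sudoers` still has no `validate:` argument, so a malformed `Defaults` line would be written without a syntax check and could disable sudo for every account on the host; add `validate: '/usr/sbin/visudo -cf %s'` to that task. Because the 0640 and 0440 `file` tasks are separate steps, any failure between them leaves /etc/sudoers at 0640, which sudo itself refuses as insecure, so wrapping the edit in a `block:` with an `always:` that restores 0440 (or dropping the chmod dance entirely, since a root-run lineinfile writes via a temp file and rename and appears not to need write permission on the target — worth confirming) would close that window. The unquoted context values `mode: 0640` / `mode: 0440` rely on YAML 1.1 octal parsing; `mode: '0640'` is the form Ansible documents as safe across parsers. `regexp: logfile` also matches any comment line containing that word, so `regexp: '^Defaults\s+logfile'` would be a tighter anchor for the replacement.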