From 870e1898eb28039fafaaeb8e50a7039f626f912c Mon Sep 17 00:00:00 2001
From: Rafael da Fonseca
Date: Fri, 29 May 2015 22:10:39 +0200
Subject: [PATCH] Use same sudoers config for all distros

Cleanup buggy code for sudoers file editing
Signed-off-by: Daan Hoogland
This closes #332
---
 debian/rules | 4 ++--
 packaging/centos63/cloud.spec | 3 +++
 packaging/centos7/cloud-management.sudoers | 22 ----------------------
 packaging/centos7/cloud.spec | 3 ++-
 python/lib/cloudutils/configFileOps.py | 8 --------
 python/lib/cloudutils/serviceConfig.py | 18 ------------------
 python/lib/cloudutils/syscfg.py | 6 ++----
 server/conf/cloudstack-sudoers.in | 5 ++++-
 8 files changed, 13 insertions(+), 56 deletions(-)
 delete mode 100644 packaging/centos7/cloud-management.sudoers

diff --git a/debian/rules b/debian/rules
index 888cf5bc76e..b06f929a5a8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -71,8 +71,8 @@ override_dh_auto_install:
 # nast hack for a couple of configuration files
 mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-limits.conf $(DESTDIR)/$(SYSCONFDIR)/security/limits.d/
-mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-sudoers $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/cloudstack
-chmod 0440 $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/cloudstack
+mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-sudoers $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/$(PACKAGE)
+chmod 0440 $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/$(PACKAGE)
 ln -s tomcat6-nonssl.conf $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/tomcat6.conf
 ln -s server-nonssl.xml $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/server.xml
diff --git a/packaging/centos63/cloud.spec b/packaging/centos63/cloud.spec
index a1940963f3e..3e8c6e2ca2b 100644
--- a/packaging/centos63/cloud.spec
+++ b/packaging/centos63/cloud.spec
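Review bot: Renaming the installed fragment from `sudoers.d/cloudstack` to `sudoers.d/$(PACKAGE)` in the two `mv`/`chmod` lines leaves a stale `/etc/sudoers.d/cloudstack` behind on hosts upgraded from an earlier package: dpkg does not delete a conffile that simply stops being shipped, and the diffstat shows no maintscript change in this commit. Such hosts would then carry both grants, with the stale file keeping the previous command list. If earlier packages shipped that path as a conffile (the default for files under /etc with dh), a `debian/maintscript` entry along the lines of `rm_conffile /etc/sudoers.d/cloudstack <PRIOR-VERSION>` (version placeholder) would retire it. The `override_dh_auto_install` recipe continues outside the hunk.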
@@ -225,6 +225,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/management
 mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d
 
 # Common
 mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
@@ -297,6 +298,7 @@ install -D client/target/pythonlibs/jasypt-1.9.2.jar ${RPM_BUILD_ROOT}%{_datadir
 install -D packaging/centos63/cloud-ipallocator.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-ipallocator
 install -D packaging/centos63/cloud-management.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-management
 install -D packaging/centos63/cloud-management.sysconfig ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/%{name}-management
+install -D server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 install -D packaging/centos63/tomcat.sh ${RPM_BUILD_ROOT}%{_initrddir}/tomcat.sh
 
 chmod 770 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/Catalina
@@ -532,6 +534,7 @@ fi
 %dir %attr(0770,root,cloud) %{_localstatedir}/cache/%{name}/management/temp
 %dir %attr(0770,root,cloud) %{_localstatedir}/log/%{name}/management
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-management
+%config(noreplace) %{_sysconfdir}/sudoers.d/%{name}-management
 %config(noreplace) %attr(0640,root,cloud) %{_sysconfdir}/%{name}/management/db.properties
 %config(noreplace) %{_sysconfdir}/%{name}/management/log4j-cloud.xml
 %config(noreplace) %{_sysconfdir}/%{name}/management/tomcat6-nonssl.conf
diff --git a/packaging/centos7/cloud-management.sudoers b/packaging/centos7/cloud-management.sudoers
deleted file mode 100644
index ad79cae2707..00000000000
--- a/packaging/centos7/cloud-management.sudoers
+++ /dev/null
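Review bot: The new `install -D server/target/conf/cloudstack-sudoers ...` line uses install's default 0755 mode and the matching `%config(noreplace) %{_sysconfdir}/sudoers.d/%{name}-management` entry carries no `%attr`, so the RPM ships the fragment 0755 root:root, whereas debian/rules in the same commit explicitly chmods its copy to 0440. sudo expects 0440 on sudoers.d fragments and, depending on the sudo version, either logs a "should be 0440" warning or declines to use the file, so the grant the package is meant to provide may silently not apply. Suggest `install -D -m 0440 server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management` together with `%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers.d/%{name}-management`. The same unmoded `install -D` line is added in the packaging/centos7/cloud.spec hunk; that spec's `%files` entry for the fragment is outside this patch and should be checked for an `%attr` as well.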
@@ -1,22 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-Cmnd_Alias CLOUDSTACK = /bin/mkdir, /bin/mount, /bin/umount, /bin/cp, /bin/chmod, /usr/bin/keytool, /bin/keytool
-
-Defaults:cloud !requiretty
-
-cloud ALL=(root) NOPASSWD:CLOUDSTACK
diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec
index d9ed26e0a90..cf9c9b3fe5c 100644
--- a/packaging/centos7/cloud.spec
+++ b/packaging/centos7/cloud.spec
@@ -199,6 +199,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/management
 mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d
 
 # Common
 mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
@@ -272,8 +273,8 @@ install -D client/target/pythonlibs/jasypt-1.9.2.jar ${RPM_BUILD_ROOT}%{_datadir
 install -D packaging/centos7/cloud-ipallocator.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-ipallocator
 install -D packaging/centos7/cloud-management.sysconfig ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/%{name}-management
+install -D server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 install -D packaging/centos7/cloud-management.service ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-management.service
-install -D packaging/centos7/cloud-management.sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 install -D packaging/centos7/cloud.limits ${RPM_BUILD_ROOT}%{_sysconfdir}/security/limits.d/cloud
 
 touch ${RPM_BUILD_ROOT}%{_localstatedir}/run/%{name}-management.pid
diff --git a/python/lib/cloudutils/configFileOps.py b/python/lib/cloudutils/configFileOps.py
index 363b78d6d36..e93182464d5 100644
--- a/python/lib/cloudutils/configFileOps.py
+++ b/python/lib/cloudutils/configFileOps.py
@@ -175,11 +175,3 @@ class configFileOps:
 self.add_lines(oldLine, False)
 else:
 self.replace_lines(newLine, oldLine, False)
-
-if __name__ == '__main__':
- cfo = configFileOps("./sudoers")
- #cloud ALL = NOPASSWD : ALL
- cfo.addEntry("cloud ALL ", "NOPASSWD : ALL")
- cfo.rmEntry("Defaults", "requiretty", " ")
- #cfo.addEntry("zone", "test", " ")
- cfo.save()
diff --git a/python/lib/cloudutils/serviceConfig.py b/python/lib/cloudutils/serviceConfig.py
index 03891ea6019..b2adc315ad4 100755
--- a/python/lib/cloudutils/serviceConfig.py
+++ b/python/lib/cloudutils/serviceConfig.py
@@ -721,24 +721,6 @@ class cloudAgentConfig(serviceCfgBase):
 def restore(self):
 return True
 
-
-class sudoersConfig(serviceCfgBase):
- def __init__(self, syscfg):
- super(sudoersConfig, self).__init__(syscfg)
- self.serviceName = "sudoers"
- def config(self):
- try:
- cfo = configFileOps("/etc/sudoers", self)
- cfo.addEntry("cloud ALL ", "NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount, /usr/bin/keytool")
- cfo.rmEntry("Defaults", "requiretty", " ")
- cfo.save()
- return True
- except:
- raise
-
- def restore(self):
- return True
-
 class firewallConfigServer(firewallConfigBase):
 def __init__(self, syscfg):
 super(firewallConfigServer, self).__init__(syscfg)
diff --git a/python/lib/cloudutils/syscfg.py b/python/lib/cloudutils/syscfg.py
index 290f56ccdd6..467fcf190e3 100755
--- a/python/lib/cloudutils/syscfg.py
+++ b/python/lib/cloudutils/syscfg.py
@@ -206,12 +206,10 @@ class sysConfigServerRedhat(sysConfigServer):
 def __init__(self, glbEnv):
 super(sysConfigServerRedhat, self).__init__(glbEnv)
 self.svo = serviceOpsRedhat()
- self.services = [sudoersConfig(self),
- firewallConfigServer(self)]
+ self.services = [firewallConfigServer(self)]
 
 class sysConfigServerUbuntu(sysConfigServer):
 def __init__(self, glbEnv):
 super(sysConfigServerUbuntu, self).__init__(glbEnv)
 self.svo = serviceOpsUbuntu()
- self.services = [sudoersConfig(self),
- ubuntuFirewallConfigServer(self)]
+ self.services = [ubuntuFirewallConfigServer(self)]
diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in
index 069016434c7..908d2f4733f 100644
--- a/server/conf/cloudstack-sudoers.in
+++ b/server/conf/cloudstack-sudoers.in
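Review bot: Dropping `sudoersConfig(self)` from both `self.services` lists stops the setup tool from editing /etc/sudoers on new installs, but hosts configured by earlier releases already have the `cloud ALL NOPASSWD : ...` line written there and had `Defaults requiretty` removed globally by the now-deleted class in serviceConfig.py, and nothing in this commit reverts either. After an upgrade such hosts hold the legacy /etc/sudoers entry alongside the packaged sudoers.d fragment, so the effective grant is the union of the two and the global requiretty relaxation persists. At minimum this deserves an upgrade-notes entry; a one-time cleanup step in the setup tool is the alternative. Both `__init__` bodies are complete within the hunk; whether syscfg.py still imports `sudoersConfig` by name elsewhere in the file cannot be seen here and would break at import time if it does.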
@@ -18,5 +18,8 @@
 # The CloudStack management server needs sudo permissions
 # without a password.
-@MSUSER@ ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount
+Cmnd_Alias CLOUDSTACK = /bin/mkdir, /bin/mount, /bin/umount, /bin/cp, /bin/chmod, /usr/bin/keytool, /bin/keytool
+Defaults:@MSUSER@ !requiretty
+
+@MSUSER@ ALL=(root) NOPASSWD:CLOUDSTACK
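Review bot: The header comment still only says the management server needs passwordless sudo; the newly added `Defaults:@MSUSER@ !requiretty` line and the `Cmnd_Alias` are left unexplained, and the alias grants `/bin/cp`, `/bin/chmod`, `/bin/mount` and `/bin/mkdir` as root with no argument restriction, so it should not be read as a narrowly scoped allow-list. Suggest adding `# !requiretty: the server invokes sudo from a daemon with no controlling tty.` and `# NOTE: these commands accept arbitrary arguments, so this grant is effectively unrestricted for @MSUSER@; keep the alias minimal.` above the alias. Listing both `/usr/bin/keytool` and `/bin/keytool` is presumably to cover distros that place keytool differently; a one-line comment saying so would keep a later maintainer from dropping one of them. The license header and any other lines of the file are outside the hunk.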