Allow a way to explicitly disable sudo for a user

Bug #1771468 reported by Jacob Bednarz
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released

Bug Description

Whilst building out a new set of AWS AMIs I have a need to explicitly
deny `sudo` access to a subset of users. We are using `cloud-init` for
the management of these user resources via the users and groups

By default, `cloud-init` doesn't assign `sudo` permissions to a user if
you leave it out of the `users` dictionary[2]. This is a great start
however it does mean that w're relying on an external tool (and their
maintainers) for what they think is a suitable default. While we are
aligned now, there is a possibility in the future that this may change
and leave us in a position where we are inadvertently assigning `sudo`
to users that we may not wish to. Fingers crossed our test suite would
cover this happening however I'd prefer a belt and braces approach for
more confidence.

Based on the above, I'd like to propose that providing `sudo: False` in
the user dictionary would prevent the user from ever gaining elevated

If I've dug into this correctly, I think this would be a relatively easy
feature to implement. It would involve updating
`cloudinit/distros/` to be the following:

# Configure sudo access
if 'sudo' in kwargs and kwargs['sudo'] is not False:
  self.write_sudo_rules(name, kwargs['sudo'])

From my testing this _should_ be enough but open to hear other options.


Related branches

Revision history for this message
Jacob Bednarz (jacobbednarz) wrote :
Revision history for this message
Chad Smith (chad.smith) wrote :

An upstream commit landed for this bug.

To view that commit see the following URL:

Changed in cloud-init:
status: New → Fix Committed
Revision history for this message
Scott Moser (smoser) wrote : Fixed in cloud-init version 18.3.

This bug is believed to be fixed in cloud-init in version 18.3. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released
Revision history for this message
James Falcon (falcojr) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.