Allow a way to explicitly disable sudo for a user

Bug #1771468 reported by Jacob Bednarz on 2018-05-16

Bug Description

Whilst building out a new set of AWS AMIs I have a need to explicitly
deny `sudo` access to a subset of users. We are using `cloud-init` for
the management of these user resources via the users and groups

By default, `cloud-init` doesn't assign `sudo` permissions to a user if
you leave it out of the `users` dictionary[2]. This is a great start
however it does mean that we're relying on an external tool (and their
maintainers) for what they think is a suitable default. While we are
aligned now, there is a possibility in the future that this may change
and leave us in a position where we are inadvertently assigning `sudo`
to users that we may not wish to. Fingers crossed our test suite would
cover this happening however I'd prefer a belt and braces approach for
more confidence.

Based on the above, I'd like to propose that providing `sudo: False` in
the user dictionary would prevent the user from ever gaining elevated

If I've dug into this correctly, I think this would be a relatively easy
feature to implement. It would involve updating
`cloudinit/distros/` to be the following:

# Configure sudo access
if 'sudo' in kwargs and kwargs['sudo'] is not False:
    self.write_sudo_rules(name, kwargs['sudo'])

From my testing this _should_ be enough but open to hear other options.
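Added illustration of the decision the proposed check makes, not code from the bug report or from cloud-init itself: given a constructed cloud-config `users` list, it reports exactly which accounts would receive sudoers rules (the `# User rules for <name>` line layout is an assumption about format, not a claim about the bytes cloud-init writes).

```python
# Added illustration (not cloud-init's own code): models the proposed check
# `'sudo' in kwargs and kwargs['sudo'] is not False` for each entry of a
# cloud-config `users` list, so an image build can be audited for which
# accounts would actually be granted sudo.
from typing import Dict, List, Optional

# Constructed sample of what a cloud-config `users:` section might contain.
SAMPLE_USERS = [
    {"name": "deploy", "sudo": "ALL=(ALL) NOPASSWD:ALL"},          # explicit grant
    {"name": "ops", "sudo": ["ALL=(ALL) ALL", "ALL=(ALL) NOPASSWD:/bin/systemctl"]},
    {"name": "auditor", "sudo": False},                            # explicitly denied
    {"name": "app"},                                               # key absent: no sudo
]


def sudo_rules_for(user: Dict) -> Optional[List[str]]:
    """Return the sudoers lines that would be written for `user`, or None.

    Absent key and `sudo: False` both yield None, matching the proposal.
    The "# User rules for <name>" layout is an assumed format for illustration.
    """
    name = user["name"]
    if "sudo" not in user or user["sudo"] is False:
        return None
    rules = user["sudo"]
    if isinstance(rules, str):
        rules = [rules]
    if not isinstance(rules, list) or not all(isinstance(r, str) for r in rules):
        raise ValueError(f"{name}: sudo must be a string, a list of strings, or False")
    return [f"# User rules for {name}"] + [f"{name} {r}" for r in rules]


def plan_sudo(users: List[Dict]) -> Dict[str, Optional[List[str]]]:
    """Map every user name to its planned sudoers lines (None = no sudo)."""
    return {u["name"]: sudo_rules_for(u) for u in users}


def users_granted_sudo(users: List[Dict]) -> List[str]:
    """Belt-and-braces check: names that would end up with any sudo rule."""
    return [n for n, lines in plan_sudo(users).items() if lines]


if __name__ == "__main__":
    for name, lines in plan_sudo(SAMPLE_USERS).items():
        print(name, "->", "no sudo" if lines is None else lines)
    print("granted:", users_granted_sudo(SAMPLE_USERS))
```

Running `users_granted_sudo` against the rendered user list in a test suite gives the explicit deny a regression check independent of the tool's default.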



Chad Smith (chad.smith) wrote :

An upstream commit landed for this bug.

To view that commit see the following URL:

Changed in cloud-init:
status: New → Fix Committed

This bug is believed to be fixed in cloud-init in version 18.3. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released