mirror of
https://github.com/fosrl/newt.git
synced 2026-03-01 08:16:52 +00:00
support sudo configuration and daemon mode
This commit is contained in:
miloschwartz
@@ -7,8 +7,8 @@ import (
|
|||||||
// ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals.
|
// ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals.
|
||||||
// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
|
// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
|
||||||
func (s *Server) ProcessConnection(req ConnectionRequest) {
|
func (s *Server) ProcessConnection(req ConnectionRequest) {
|
||||||
logger.Info("connection: niceId=%q username=%q metadata.sudo=%v metadata.homedir=%v",
|
logger.Info("connection: niceId=%q username=%q metadata.sudoMode=%q metadata.sudoCommands=%v metadata.homedir=%v metadata.groups=%v",
|
||||||
req.NiceId, req.Username, req.Metadata.Sudo, req.Metadata.Homedir)
|
req.NiceId, req.Username, req.Metadata.SudoMode, req.Metadata.SudoCommands, req.Metadata.Homedir, req.Metadata.Groups)
|
||||||
|
|
||||||
cfg := &s.cfg
|
cfg := &s.cfg
|
||||||
if cfg.CACertPath != "" {
|
if cfg.CACertPath != "" {
|
||||||
|
|||||||
@@ -122,6 +122,55 @@ func sudoGroup() string {
|
|||||||
return "sudo"
|
return "sudo"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const skelDir = "/etc/skel"
|
||||||
|
|
||||||
|
// copySkelInto copies files from srcDir (e.g. /etc/skel) into dstDir (e.g. user's home).
|
||||||
|
// Only creates files that don't already exist. All created paths are chowned to uid:gid.
|
||||||
|
func copySkelInto(srcDir, dstDir string, uid, gid int) {
|
||||||
|
entries, err := os.ReadDir(srcDir)
|
||||||
|
if err != nil {
|
||||||
|
if !os.IsNotExist(err) {
|
||||||
|
logger.Warn("auth-daemon: read %s: %v", srcDir, err)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, e := range entries {
|
||||||
|
name := e.Name()
|
||||||
|
src := filepath.Join(srcDir, name)
|
||||||
|
dst := filepath.Join(dstDir, name)
|
||||||
|
if e.IsDir() {
|
||||||
|
if st, err := os.Stat(dst); err == nil && st.IsDir() {
|
||||||
|
copySkelInto(src, dst, uid, gid)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err := os.MkdirAll(dst, 0755); err != nil {
|
||||||
|
logger.Warn("auth-daemon: mkdir %s: %v", dst, err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err := os.Chown(dst, uid, gid); err != nil {
|
||||||
|
logger.Warn("auth-daemon: chown %s: %v", dst, err)
|
||||||
|
}
|
||||||
|
copySkelInto(src, dst, uid, gid)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if _, err := os.Stat(dst); err == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
data, err := os.ReadFile(src)
|
||||||
|
if err != nil {
|
||||||
|
logger.Warn("auth-daemon: read %s: %v", src, err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err := os.WriteFile(dst, data, 0644); err != nil {
|
||||||
|
logger.Warn("auth-daemon: write %s: %v", dst, err)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if err := os.Chown(dst, uid, gid); err != nil {
|
||||||
|
logger.Warn("auth-daemon: chown %s: %v", dst, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
|
// ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
|
||||||
func ensureUser(username string, meta ConnectionMetadata) error {
|
func ensureUser(username string, meta ConnectionMetadata) error {
|
||||||
if username == "" {
|
if username == "" {
|
||||||
@@ -137,6 +186,43 @@ func ensureUser(username string, meta ConnectionMetadata) error {
|
|||||||
return reconcileUser(u, meta)
|
return reconcileUser(u, meta)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// desiredGroups returns the exact list of supplementary groups the user should have:
|
||||||
|
// meta.Groups plus the sudo group when meta.SudoMode is "full" (deduped).
|
||||||
|
func desiredGroups(meta ConnectionMetadata) []string {
|
||||||
|
seen := make(map[string]struct{})
|
||||||
|
var out []string
|
||||||
|
for _, g := range meta.Groups {
|
||||||
|
g = strings.TrimSpace(g)
|
||||||
|
if g == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if _, ok := seen[g]; ok {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
seen[g] = struct{}{}
|
||||||
|
out = append(out, g)
|
||||||
|
}
|
||||||
|
if meta.SudoMode == "full" {
|
||||||
|
sg := sudoGroup()
|
||||||
|
if _, ok := seen[sg]; !ok {
|
||||||
|
out = append(out, sg)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
// setUserGroups sets the user's supplementary groups to exactly groups (local mirrors metadata).
|
||||||
|
// When groups is empty, clears all supplementary groups (usermod -G "").
|
||||||
|
func setUserGroups(username string, groups []string) {
|
||||||
|
list := strings.Join(groups, ",")
|
||||||
|
cmd := exec.Command("usermod", "-G", list, username)
|
||||||
|
if out, err := cmd.CombinedOutput(); err != nil {
|
||||||
|
logger.Warn("auth-daemon: usermod -G %s: %v (output: %s)", list, err, string(out))
|
||||||
|
} else {
|
||||||
|
logger.Info("auth-daemon: set %s supplementary groups to %s", username, list)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func createUser(username string, meta ConnectionMetadata) error {
|
func createUser(username string, meta ConnectionMetadata) error {
|
||||||
args := []string{"-s", "/bin/bash"}
|
args := []string{"-s", "/bin/bash"}
|
||||||
if meta.Homedir {
|
if meta.Homedir {
|
||||||
@@ -150,56 +236,96 @@ func createUser(username string, meta ConnectionMetadata) error {
|
|||||||
return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
|
return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
|
||||||
}
|
}
|
||||||
logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
|
logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
|
||||||
if meta.Sudo {
|
if meta.Homedir {
|
||||||
group := sudoGroup()
|
if u, err := user.Lookup(username); err == nil && u.HomeDir != "" {
|
||||||
cmd := exec.Command("usermod", "-aG", group, username)
|
uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
|
||||||
if out, err := cmd.CombinedOutput(); err != nil {
|
copySkelInto(skelDir, u.HomeDir, uid, gid)
|
||||||
logger.Warn("auth-daemon: usermod -aG %s %s: %v (output: %s)", group, username, err, string(out))
|
|
||||||
} else {
|
|
||||||
logger.Info("auth-daemon: added %s to %s", username, group)
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
setUserGroups(username, desiredGroups(meta))
|
||||||
|
switch meta.SudoMode {
|
||||||
|
case "full":
|
||||||
if err := configurePasswordlessSudo(username); err != nil {
|
if err := configurePasswordlessSudo(username); err != nil {
|
||||||
logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", username, err)
|
logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", username, err)
|
||||||
}
|
}
|
||||||
|
case "commands":
|
||||||
|
if len(meta.SudoCommands) > 0 {
|
||||||
|
if err := configureSudoCommands(username, meta.SudoCommands); err != nil {
|
||||||
|
logger.Warn("auth-daemon: configure sudo commands for %s: %v", username, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
removeSudoers(username)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// configurePasswordlessSudo creates a sudoers.d file to allow passwordless sudo for the user
|
const sudoersFilePrefix = "90-pangolin-"
|
||||||
func configurePasswordlessSudo(username string) error {
|
|
||||||
sudoersFile := filepath.Join("/etc/sudoers.d", fmt.Sprintf("90-pangolin-%s", username))
|
|
||||||
content := fmt.Sprintf("# Created by newt auth-daemon\n%s ALL=(ALL) NOPASSWD:ALL\n", username)
|
|
||||||
|
|
||||||
// Write to temp file first
|
func sudoersPath(username string) string {
|
||||||
|
return filepath.Join("/etc/sudoers.d", sudoersFilePrefix+username)
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeSudoersFile writes content to the user's sudoers.d file and validates with visudo.
|
||||||
|
func writeSudoersFile(username, content string) error {
|
||||||
|
sudoersFile := sudoersPath(username)
|
||||||
tmpFile := sudoersFile + ".tmp"
|
tmpFile := sudoersFile + ".tmp"
|
||||||
if err := os.WriteFile(tmpFile, []byte(content), 0440); err != nil {
|
if err := os.WriteFile(tmpFile, []byte(content), 0440); err != nil {
|
||||||
return fmt.Errorf("write temp sudoers file: %w", err)
|
return fmt.Errorf("write temp sudoers file: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate with visudo
|
|
||||||
cmd := exec.Command("visudo", "-c", "-f", tmpFile)
|
cmd := exec.Command("visudo", "-c", "-f", tmpFile)
|
||||||
if out, err := cmd.CombinedOutput(); err != nil {
|
if out, err := cmd.CombinedOutput(); err != nil {
|
||||||
os.Remove(tmpFile)
|
os.Remove(tmpFile)
|
||||||
return fmt.Errorf("visudo validation failed: %w (output: %s)", err, string(out))
|
return fmt.Errorf("visudo validation failed: %w (output: %s)", err, string(out))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Move to final location
|
|
||||||
if err := os.Rename(tmpFile, sudoersFile); err != nil {
|
if err := os.Rename(tmpFile, sudoersFile); err != nil {
|
||||||
os.Remove(tmpFile)
|
os.Remove(tmpFile)
|
||||||
return fmt.Errorf("move sudoers file: %w", err)
|
return fmt.Errorf("move sudoers file: %w", err)
|
||||||
}
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// configurePasswordlessSudo creates a sudoers.d file to allow passwordless sudo for the user.
|
||||||
|
func configurePasswordlessSudo(username string) error {
|
||||||
|
content := fmt.Sprintf("# Created by Pangolin auth-daemon\n%s ALL=(ALL) NOPASSWD:ALL\n", username)
|
||||||
|
if err := writeSudoersFile(username, content); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
logger.Info("auth-daemon: configured passwordless sudo for %s", username)
|
logger.Info("auth-daemon: configured passwordless sudo for %s", username)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// removePasswordlessSudo removes the sudoers.d file for the user
|
// configureSudoCommands creates a sudoers.d file allowing only the listed commands (NOPASSWD).
|
||||||
func removePasswordlessSudo(username string) {
|
// Each command should be a full path (e.g. /usr/bin/systemctl).
|
||||||
sudoersFile := filepath.Join("/etc/sudoers.d", fmt.Sprintf("90-newt-%s", username))
|
func configureSudoCommands(username string, commands []string) error {
|
||||||
|
var b strings.Builder
|
||||||
|
b.WriteString("# Created by Pangolin auth-daemon (restricted commands)\n")
|
||||||
|
n := 0
|
||||||
|
for _, c := range commands {
|
||||||
|
c = strings.TrimSpace(c)
|
||||||
|
if c == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
fmt.Fprintf(&b, "%s ALL=(ALL) NOPASSWD: %s\n", username, c)
|
||||||
|
n++
|
||||||
|
}
|
||||||
|
if n == 0 {
|
||||||
|
return fmt.Errorf("no valid sudo commands")
|
||||||
|
}
|
||||||
|
if err := writeSudoersFile(username, b.String()); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
logger.Info("auth-daemon: configured restricted sudo for %s (%d commands)", username, len(commands))
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// removeSudoers removes the sudoers.d file for the user.
|
||||||
|
func removeSudoers(username string) {
|
||||||
|
sudoersFile := sudoersPath(username)
|
||||||
if err := os.Remove(sudoersFile); err != nil && !os.IsNotExist(err) {
|
if err := os.Remove(sudoersFile); err != nil && !os.IsNotExist(err) {
|
||||||
logger.Warn("auth-daemon: remove passwordless sudo for %s: %v", username, err)
|
logger.Warn("auth-daemon: remove sudoers for %s: %v", username, err)
|
||||||
} else if err == nil {
|
} else if err == nil {
|
||||||
logger.Info("auth-daemon: removed passwordless sudo for %s", username)
|
logger.Info("auth-daemon: removed sudoers for %s", username)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -209,66 +335,37 @@ func mustAtoi(s string) int {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func reconcileUser(u *user.User, meta ConnectionMetadata) error {
|
func reconcileUser(u *user.User, meta ConnectionMetadata) error {
|
||||||
group := sudoGroup()
|
setUserGroups(u.Username, desiredGroups(meta))
|
||||||
inGroup, err := userInGroup(u.Username, group)
|
switch meta.SudoMode {
|
||||||
if err != nil {
|
case "full":
|
||||||
logger.Warn("auth-daemon: check group %s: %v", group, err)
|
|
||||||
inGroup = false
|
|
||||||
}
|
|
||||||
if meta.Sudo && !inGroup {
|
|
||||||
cmd := exec.Command("usermod", "-aG", group, u.Username)
|
|
||||||
if out, err := cmd.CombinedOutput(); err != nil {
|
|
||||||
logger.Warn("auth-daemon: usermod -aG %s %s: %v (output: %s)", group, u.Username, err, string(out))
|
|
||||||
} else {
|
|
||||||
logger.Info("auth-daemon: added %s to %s", u.Username, group)
|
|
||||||
}
|
|
||||||
} else if !meta.Sudo && inGroup {
|
|
||||||
cmd := exec.Command("gpasswd", "-d", u.Username, group)
|
|
||||||
if out, err := cmd.CombinedOutput(); err != nil {
|
|
||||||
logger.Warn("auth-daemon: gpasswd -d %s %s: %v (output: %s)", u.Username, group, err, string(out))
|
|
||||||
} else {
|
|
||||||
logger.Info("auth-daemon: removed %s from %s", u.Username, group)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Configure passwordless sudo
|
|
||||||
if meta.Sudo {
|
|
||||||
if err := configurePasswordlessSudo(u.Username); err != nil {
|
if err := configurePasswordlessSudo(u.Username); err != nil {
|
||||||
logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", u.Username, err)
|
logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", u.Username, err)
|
||||||
}
|
}
|
||||||
} else {
|
case "commands":
|
||||||
removePasswordlessSudo(u.Username)
|
if len(meta.SudoCommands) > 0 {
|
||||||
|
if err := configureSudoCommands(u.Username, meta.SudoCommands); err != nil {
|
||||||
|
logger.Warn("auth-daemon: configure sudo commands for %s: %v", u.Username, err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
removeSudoers(u.Username)
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
removeSudoers(u.Username)
|
||||||
}
|
}
|
||||||
if meta.Homedir && u.HomeDir != "" {
|
if meta.Homedir && u.HomeDir != "" {
|
||||||
|
uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
|
||||||
if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() {
|
if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() {
|
||||||
if err := os.MkdirAll(u.HomeDir, 0755); err != nil {
|
if err := os.MkdirAll(u.HomeDir, 0755); err != nil {
|
||||||
logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err)
|
logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err)
|
||||||
} else {
|
} else {
|
||||||
uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
|
|
||||||
_ = os.Chown(u.HomeDir, uid, gid)
|
_ = os.Chown(u.HomeDir, uid, gid)
|
||||||
|
copySkelInto(skelDir, u.HomeDir, uid, gid)
|
||||||
logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username)
|
logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username)
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
// Ensure .bashrc etc. exist (e.g. home existed but was empty or skel was minimal)
|
||||||
|
copySkelInto(skelDir, u.HomeDir, uid, gid)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func userInGroup(username, groupName string) (bool, error) {
|
|
||||||
// getent group wheel returns "wheel:x:10:user1,user2"
|
|
||||||
cmd := exec.Command("getent", "group", groupName)
|
|
||||||
out, err := cmd.Output()
|
|
||||||
if err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
parts := strings.SplitN(strings.TrimSpace(string(out)), ":", 4)
|
|
||||||
if len(parts) < 4 {
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
members := strings.Split(parts[3], ",")
|
|
||||||
for _, m := range members {
|
|
||||||
if strings.TrimSpace(m) == username {
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|||||||
@@ -13,8 +13,10 @@ func (s *Server) registerRoutes() {
|
|||||||
|
|
||||||
// ConnectionMetadata is the metadata object in POST /connection.
|
// ConnectionMetadata is the metadata object in POST /connection.
|
||||||
type ConnectionMetadata struct {
|
type ConnectionMetadata struct {
|
||||||
Sudo bool `json:"sudo"`
|
SudoMode string `json:"sudoMode"` // "none" | "full" | "commands"
|
||||||
Homedir bool `json:"homedir"`
|
SudoCommands []string `json:"sudoCommands"` // used when sudoMode is "commands"
|
||||||
|
Homedir bool `json:"homedir"`
|
||||||
|
Groups []string `json:"groups"` // system groups to add the user to
|
||||||
}
|
}
|
||||||
|
|
||||||
// ConnectionRequest is the JSON body for POST /connection.
|
// ConnectionRequest is the JSON body for POST /connection.
|
||||||
|
|||||||
35
main.go
35
main.go
@@ -1378,15 +1378,18 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
|
|||||||
|
|
||||||
// Define the structure of the incoming message
|
// Define the structure of the incoming message
|
||||||
type SSHCertData struct {
|
type SSHCertData struct {
|
||||||
MessageId int `json:"messageId"`
|
MessageId int `json:"messageId"`
|
||||||
AgentPort int `json:"agentPort"`
|
AgentPort int `json:"agentPort"`
|
||||||
AgentHost string `json:"agentHost"`
|
AgentHost string `json:"agentHost"`
|
||||||
CACert string `json:"caCert"`
|
ExternalAuthDaemon bool `json:"externalAuthDaemon"`
|
||||||
Username string `json:"username"`
|
CACert string `json:"caCert"`
|
||||||
NiceID string `json:"niceId"`
|
Username string `json:"username"`
|
||||||
Metadata struct {
|
NiceID string `json:"niceId"`
|
||||||
Sudo bool `json:"sudo"`
|
Metadata struct {
|
||||||
Homedir bool `json:"homedir"`
|
SudoMode string `json:"sudoMode"`
|
||||||
|
SudoCommands []string `json:"sudoCommands"`
|
||||||
|
Homedir bool `json:"homedir"`
|
||||||
|
Groups []string `json:"groups"`
|
||||||
} `json:"metadata"`
|
} `json:"metadata"`
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1406,7 +1409,7 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check if we're running the auth daemon internally
|
// Check if we're running the auth daemon internally
|
||||||
if authDaemonServer != nil {
|
if authDaemonServer != nil && !certData.ExternalAuthDaemon { // if the auth daemon is running internally and the external auth daemon is not enabled
|
||||||
// Call ProcessConnection directly when running internally
|
// Call ProcessConnection directly when running internally
|
||||||
logger.Debug("Calling internal auth daemon ProcessConnection for user %s", certData.Username)
|
logger.Debug("Calling internal auth daemon ProcessConnection for user %s", certData.Username)
|
||||||
|
|
||||||
@@ -1415,8 +1418,10 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
|
|||||||
NiceId: certData.NiceID,
|
NiceId: certData.NiceID,
|
||||||
Username: certData.Username,
|
Username: certData.Username,
|
||||||
Metadata: authdaemon.ConnectionMetadata{
|
Metadata: authdaemon.ConnectionMetadata{
|
||||||
Sudo: certData.Metadata.Sudo,
|
SudoMode: certData.Metadata.SudoMode,
|
||||||
Homedir: certData.Metadata.Homedir,
|
SudoCommands: certData.Metadata.SudoCommands,
|
||||||
|
Homedir: certData.Metadata.Homedir,
|
||||||
|
Groups: certData.Metadata.Groups,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -1450,8 +1455,10 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
|
|||||||
"niceId": certData.NiceID,
|
"niceId": certData.NiceID,
|
||||||
"username": certData.Username,
|
"username": certData.Username,
|
||||||
"metadata": map[string]interface{}{
|
"metadata": map[string]interface{}{
|
||||||
"sudo": certData.Metadata.Sudo,
|
"sudoMode": certData.Metadata.SudoMode,
|
||||||
"homedir": certData.Metadata.Homedir,
|
"sudoCommands": certData.Metadata.SudoCommands,
|
||||||
|
"homedir": certData.Metadata.Homedir,
|
||||||
|
"groups": certData.Metadata.Groups,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user