From 64f23c918b9f43f6ab421dcbfdef4cd055c0f0cc Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Wed, 7 Jan 2015 21:45:44 +0000 Subject: [PATCH] Correct revoke-sudo to actually work * jenkins/jobs/macros.yaml(revoke-sudo): Simplify the sudoers include file deletion to not rely on a conditional check, and then test that it actually worked. Previously, systems where /etc/sudoers.d was non-world-readable caused it to be a silent no-op. Change-Id: Ie713482acbd454eeb58c3481e8b8820049daaab8 --- jenkins/jobs/macros.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jenkins/jobs/macros.yaml b/jenkins/jobs/macros.yaml index bd1dfcfa70..f00356c8ed 100644 --- a/jenkins/jobs/macros.yaml +++ b/jenkins/jobs/macros.yaml @@ -15,10 +15,10 @@ name: revoke-sudo builders: - shell: | - #!/bin/bash - if [ -f /etc/sudoers.d/jenkins-sudo ] ; then - sudo rm /etc/sudoers.d/jenkins-sudo - fi + #!/bin/bash -x + sudo rm -f /etc/sudoers.d/jenkins-sudo + # Prove that general sudo access is actually revoked + ! sudo -n true - builder: name: coverage