From daa9bda685e398397e86e71bfe4e745f2c516a30 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Thu, 21 Nov 2019 09:36:24 +0100
Subject: [PATCH] permissions and groups fixes
---
 files/cloud-init/base.sh | 10 ++++------
 files/cloud-init/base.yml | 2 +-
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/files/cloud-init/base.sh b/files/cloud-init/base.sh
index 3f1fb44..1898384 100644
--- a/files/cloud-init/base.sh
+++ b/files/cloud-init/base.sh
@@ -4,18 +4,16 @@ set -eux
 apt-get update -y
 apt-get install sudo -y
-getent passwd algo || useradd -m -d /home/algo -s /bin/bash -G sudo -p '!' algo
+getent passwd algo || useradd -m -d /home/algo -s /bin/bash -G adm,netdev -p '!' algo
-cat </etc/sudoers.d/10-algo-user
-algo ALL=(ALL) NOPASSWD:ALL
-EOF
+(umask 337 && echo "algo ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/10-algo-user)
 cat </etc/ssh/sshd_config
 {{ lookup('template', 'files/cloud-init/sshd_config') }}
 EOF
-test -d /home/algo/.ssh || sudo -u algo mkdir -p /home/algo/.ssh/
-echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | sudo -u algo tee /home/algo/.ssh/authorized_keys
+test -d /home/algo/.ssh || (umask 077 && sudo -u algo mkdir -p /home/algo/.ssh/)
+echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | (umask 177 && sudo -u algo tee /home/algo/.ssh/authorized_keys)
 sudo apt-get remove -y --purge sshguard || true
 systemctl restart sshd.service
diff --git a/files/cloud-init/base.yml b/files/cloud-init/base.yml
index 0ab2482..5cc03fd 100644
--- a/files/cloud-init/base.yml
+++ b/files/cloud-init/base.yml
@@ -12,7 +12,7 @@ users:
   - name: algo
     homedir: /home/algo
     sudo: ALL=(ALL) NOPASSWD:ALL
-    groups: sudo
+    groups: adm,netdev
     shell: /bin/bash
     lock_passwd: true
     ssh_authorized_keys:
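Review bot: The umask-based modes in the base.sh hunk only apply to files the commands create, so on a re-run the `>/etc/sudoers.d/10-algo-user` redirection and the `tee` into authorized_keys truncate and rewrite existing files while leaving their previous mode untouched, and the `test -d` guard skips the mkdir entirely when /home/algo/.ssh already exists with whatever mode it had. Setting the mode explicitly after each write makes the outcome independent of prior state: `chmod 0440 /etc/sudoers.d/10-algo-user`, `chmod 0700 /home/algo/.ssh`, `chmod 0600 /home/algo/.ssh/authorized_keys`. Running `visudo -cf` on the drop-in after writing it would also catch a malformed entry before it takes effect, which matters more now that the account's sudo access comes only from this file and no longer from `sudo` group membership. The `-G adm,netdev` on the useradd line (and the matching `groups:` change in base.yml) presumably relies on `netdev` already existing in the image; if it does not, useradd fails and `set -e` aborts the rest of the script, so it may be worth creating or checking that group first. The script's remaining lines are outside the hunk.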