From dc4b872491bb88007a6a1808adef7ba0f2b938f3 Mon Sep 17 00:00:00 2001
From: Alexander van Amesfoort <amesfoort@astron.nl>
Date: Mon, 22 Aug 2016 12:56:36 +0000
Subject: [PATCH] Task #9127: add setcap_cobalt sudoers file

---
 .gitattributes                                     | 1 +
 RTCP/Cobalt/OutputProc/etc/sudoers.d/setcap_cobalt | 5 +++++
 2 files changed, 6 insertions(+)
 create mode 100644 RTCP/Cobalt/OutputProc/etc/sudoers.d/setcap_cobalt

diff --git a/.gitattributes b/.gitattributes
index 4376ab56ee0..826c72630ea 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -4629,6 +4629,7 @@ RTCP/Cobalt/OpenCL_FFT/src/libOpenCL_FFT.a.not -text
 RTCP/Cobalt/OpenCL_FFT/src/main.cpp -text
 RTCP/Cobalt/OpenCL_FFT/src/param.txt -text
 RTCP/Cobalt/OpenCL_FFT/src/procs.h -text
+RTCP/Cobalt/OutputProc/etc/sudoers.d/setcap_cobalt -text
 RTCP/Cobalt/OutputProc/scripts/bf-output-loss.sh eol=lf
 RTCP/Cobalt/OutputProc/test/tMSWriterCorrelated_.run.in eol=lf
 RTCP/Cobalt/OutputProc/test/tMeasurementSetFormat.parset-j2000 -text
diff --git a/RTCP/Cobalt/OutputProc/etc/sudoers.d/setcap_cobalt b/RTCP/Cobalt/OutputProc/etc/sudoers.d/setcap_cobalt
new file mode 100644
index 00000000000..97ab1655685
--- /dev/null
+++ b/RTCP/Cobalt/OutputProc/etc/sudoers.d/setcap_cobalt
@@ -0,0 +1,5 @@
+## Allows lofarbuild to add the listed capabilities to any single writable file for automated roll-out.
+## Attempts to disallow adding another set of capabilities.
+## Does not attempt to disallow adding the listed capabilities to other files, which would be trivial to bypass.
+Cmnd_Alias SETCAP_COBALT = /sbin/setcap cap_net_raw\,cap_sys_nice\,cap_ipc_lock+ep *, ! /sbin/setcap cap_net_raw\,cap_sys_nice\,cap_ipc_lock+ep * *
+lofarbuild ALL = (root) NOPASSWD: SETCAP_COBALT
-- 
GitLab