From 5d0f315ddd7c85f6b2d3a1c6bb4b012d63ced4a2 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Mon, 23 Aug 2021 15:19:42 +0900
Subject: [PATCH] docs: update sudoers example to specify sha224 digests

Specifying digests is necessary when non-root users are allowed to write files in `/usr/local/bin`.
Fix issue 18
Thanks to jandubois for pointing out.

Signed-off-by: Akihiro Suda
---
 etc_sudoers.d/README.md | 7 +++++++
 etc_sudoers.d/vde_vmnet | 12 ++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 etc_sudoers.d/README.md

diff --git a/etc_sudoers.d/README.md b/etc_sudoers.d/README.md
new file mode 100644
index 0000000..975842e
--- /dev/null
+++ b/etc_sudoers.d/README.md
@@ -0,0 +1,7 @@
+# Example sudoers file for running `vde_vmnet`
+
+To allow non-root users to run `vde_vmnet`, use [launchd](../launchd) *or*
+install [the `vde_vmnet` file in this directory](./vde_vmnet) as `/etc/sudoers.d/vde_vmnet`.
+
+At least you have to modify the `sha224` digests in [`/etc/sudoers.d/vde_vmnet`](./vde_vmnet).
+See the comment lines in the file for the further information.
diff --git a/etc_sudoers.d/vde_vmnet b/etc_sudoers.d/vde_vmnet
index 33e8cf5..d77a25f 100644
--- a/etc_sudoers.d/vde_vmnet
+++ b/etc_sudoers.d/vde_vmnet
@@ -2,14 +2,18 @@
 # To allow non-root users to run `vde_vmnet`, use launchd OR install this file as `/etc/sudoers.d/vde_vmnet`.
+# Prerequisite: Replace dummy sha224 digest values in this file with the actual sha224 digest values.
+# - `openssl dgst -binary -sha224 /usr/local/bin/vde_switch | openssl base64`
+# - `openssl dgst -binary -sha224 /usr/local/bin/vde_vmnet | openssl base64`
+
 # Usage:
 # - sudo -u daemon -g staff /usr/local/bin/vde_switch ...
 # - sudo /usr/local/bin/vde_vmnet ...
 # Entries for shared mode (192.168.105.0/24)
-%staff ALL=(daemon:staff) NOPASSWD:NOSETENV: /usr/local/bin/vde_switch --sock=/var/run/vde.ctl --pidfile=/var/run/vde.pid --group=staff --dirmode=0770
-%staff ALL=(root:root) NOPASSWD:NOSETENV: /usr/local/bin/vde_vmnet --vmnet-gateway=192.168.105.1 /var/run/vde.ctl
+%staff ALL=(daemon:staff) NOPASSWD:NOSETENV: sha224:N9Msbbq+1xHLHUYgtkCQ/vDvY6sWpKUdZoJZ5g== /usr/local/bin/vde_switch --sock=/var/run/vde.ctl --pidfile=/var/run/vde.pid --group=staff --dirmode=0770
+%staff ALL=(root:root) NOPASSWD:NOSETENV: sha224:XQMHsLqtLONKq3yskqPXLFfKli/60d02UALUXg== /usr/local/bin/vde_vmnet --vmnet-gateway=192.168.105.1 /var/run/vde.ctl
 # Entries for bridged mode (en0)
-%staff ALL=(daemon:staff) NOPASSWD:NOSETENV: /usr/local/bin/vde_switch --sock=/var/run/vde.bridged.en0.ctl --pidfile=/var/run/vde.bridged.en0.pid --group=staff --dirmode=0770
-%staff ALL=(root:root) NOPASSWD:NOSETENV: /usr/local/bin/vde_vmnet --vmnet-mode=bridged --vmnet-interface=en0 /var/run/vde.bridged.en0.ctl
+%staff ALL=(daemon:staff) NOPASSWD:NOSETENV: sha224:N9Msbbq+1xHLHUYgtkCQ/vDvY6sWpKUdZoJZ5g== /usr/local/bin/vde_switch --sock=/var/run/vde.bridged.en0.ctl --pidfile=/var/run/vde.bridged.en0.pid --group=staff --dirmode=0770
+%staff ALL=(root:root) NOPASSWD:NOSETENV: sha224:XQMHsLqtLONKq3yskqPXLFfKli/60d02UALUXg== /usr/local/bin/vde_vmnet --vmnet-mode=bridged --vmnet-interface=en0 /var/run/vde.bridged.en0.ctl
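Review bot: The new `# Prerequisite:` comment tells the operator to replace the dummy digests but not that a digest pins the exact file contents, so every reinstall or upgrade of `vde_switch`/`vde_vmnet` invalidates these rules and sudo then rejects the command until the values are regenerated. I would add `# NOTE: the digests match the exact binary contents; re-run the commands above and update this file whenever vde_switch or vde_vmnet is rebuilt or upgraded.` after the two `openssl` lines. A validation step is also missing: `visudo -cf /etc/sudoers.d/vde_vmnet` catches a mistyped digest or a stray line break before the file is installed, and the file must be root-owned with mode 0440 for sudo to accept it. The digest covers only the executable named in the rule; if these binaries load shared libraries from the same non-root-writable prefix, those are not covered, which is worth a one-line caveat if it applies here.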