$OpenBSD: patch-google_compute_engine_accounts_accounts_utils_py,v 1.1.1.1 2017/06/29 14:35:10 ajacoutot Exp $

Index: google_compute_engine/accounts/accounts_utils.py
--- google_compute_engine/accounts/accounts_utils.py.orig
+++ google_compute_engine/accounts/accounts_utils.py
@@ -43,7 +43,7 @@ class AccountsUtils(object):
     """
     self.logger = logger
     self.google_sudoers_group = 'google-sudoers'
-    self.google_sudoers_file = '/etc/sudoers.d/google_sudoers'
+    self.google_sudoers_file = '/etc/doas.conf'
     self.google_users_dir = '/var/lib/google'
     self.google_users_file = os.path.join(self.google_users_dir, 'google_users')
 
@@ -75,17 +75,18 @@ class AccountsUtils(object):
       except subprocess.CalledProcessError as e:
         self.logger.warning('Could not create the sudoers group. %s.', str(e))
 
-    if not os.path.exists(self.google_sudoers_file):
-      try:
-        with open(self.google_sudoers_file, 'w') as group:
-          message = '%{0} ALL=(ALL:ALL) NOPASSWD:ALL'.format(
-              self.google_sudoers_group)
-          group.write(message)
-      except IOError as e:
-        self.logger.error(
-            'Could not write sudoers file. %s. %s',
-            self.google_sudoers_file, str(e))
-        return
+    try:
+      with open(self.google_sudoers_file, 'a+') as group:
+        group.seek(0)
+        message = 'permit nopass keepenv :{0}'.format(
+            self.google_sudoers_group)
+        if not any(message == x.rstrip('\r\n') for x in group):
+            group.write(message + '\n')
+    except IOError as e:
+      self.logger.error(
+          'Could not write sudoers file. %s. %s',
+          self.google_sudoers_file, str(e))
+      return
 
     file_utils.SetPermissions(
         self.google_sudoers_file, mode=0o440, uid=0, gid=0)
@@ -126,7 +127,7 @@ class AccountsUtils(object):
     #
     # To solve the issue, make the password '*' which is also recognized
     # as locked but does not prevent SSH login.
-    command = ['useradd', '-m', '-s', '/bin/bash', '-p', '*', user]
+    command = ['useradd', '-m', user]
     try:
       subprocess.check_call(command)
     except subprocess.CalledProcessError as e:
