Fix undefined User_Alias HIPAA_ACTOR in sudoers

[zwets]

This adds the missing User_Alias HIPAA_ACTOR to /etc/sudoers.d/cchq. Visudo warns about this:

$ sudo visudo /etc/sudoers.d/cchq # and save the file without changes
Warning: /etc/sudoers.d/cchq:24:28: User_Alias "HIPAA_ACTOR" referenced but not defined

This refers to line 23:

HIPAA_ACTOR ALL = (ALL) ALL

Which implies that a User_alias HIPAA_ACTOR has been defined, however there is none such and so this line has no effect.¹

There is little practical impact because {{ cchq_user }}, the intended HIPAA_ACTOR, is a member of HIPAA_USERS, who have nearly the same privileges, and additionally there is this line:

{{ cchq_user }} ALL = (ALL) NOPASSWD: HQCOMMANDS

Which presumably was put there as a workaround when HIPAA_ACTOR failed to grant the desired privileges - precisely because it was not defined.

So, this patch does two things:

• Define the User_Alias HIPAA_ACTOR as the intended {{ cchq_user }}
• Replace the literal {{ cchq_user }} by the intended HIPAA_ACTOR alias

Footnotes

1. The Runas_Alias by the same name is in a separate "namespace", and can't be mistaken for a User_Alias: it only occurs between parentheses, whereas User_Alias is the leftmost token of a rule. Even so, sudoers(5) advises against using the same name (to avoid confusion) though in this case it makes sense, as the intention clearly is that the Runas and User aliases have the same member(s). ↩

[Copilot]

Pull request overview

This PR fixes a visudo warning and restores intended behavior in the bootstrap-users sudoers template by defining the missing User_Alias HIPAA_ACTOR and using it consistently for HQCOMMANDS privileges.

Changes:

• Add User_Alias HIPAA_ACTOR = {{ cchq_user }} to eliminate the undefined-alias warning.
• Replace the literal {{ cchq_user }} sudo rule with the HIPAA_ACTOR alias for consistency.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Defining User_Alias HIPAA_ACTOR makes the existing rule HIPAA_ACTOR ALL = (ALL) ALL (later in this file) become effective, which grants {{ cchq_user }} full sudo access (any command as any runas user). If the intent is only to allow the limited HQCOMMANDS set, consider narrowing/removing the broad (ALL) ALL rule, or add an explicit comment here explaining why full sudo is required for the HIPAA actor to avoid accidental over-privileging in the future.

[millerdev]

LGTM. Reconsidering after more careful reading of the Copilot review. Waiting on secondary review by @dannyroberts, @gherceg, and/or @AmitPhulera.