diff --git a/manifests/init.pp b/manifests/init.pp
index b230384..9fb9df6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,219 +1,224 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_provider*] # Allows you to set a package provider. # Default: AIX: rpm # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # +# [*secure_path*] +# The secure_path variable in sudoers. The new default is secure, where the old is not. +# The old default is: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin +# Default: /sbin:/usr/sbin:/bin:/usr/bin +# # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*suffix*] # Adds a custom suffix to all files created in sudoers.d directory. # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. 
# Default: auto-set, platform specific # # [*config_dir*] # Main directory containing sudo snippets, imported via # includedir stanza in sudoers file # Default: auto-set, platform specific # # [*extra_include_dirs*] # Array of additional directories containing sudo snippets # Default: undef # # [*content*] # Alternate content file location # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*ldap_enable*] # Enable ldap support on the package # Default: false # # [*delete_on_error*] # True if you want that the configuration is deleted on an error # during a complete visudo -c run. If false it will just return # an error and will add a comment to the sudoers configuration so # that the resource will be checked at the following run. # Default: true # # [*validate_single*] # Do a validate on the "single" file in the sudoers.d directory. # If the validate fail the file will not be saved or changed # if a file already exist. # Default: false # # [*wheel_config*] # How to configure the wheel group in /etc/sudoers # Options are either not to configure it it, configure it prompting for password, # or configuring it without password prompt. # Default: 'absent' (don't configure it at all) # # [*use_sudoreplay*] # Boolean to enable the usage of sudoreplay. # Default: false # # [*sudoreplay_discard*] # Array of additional command to discard in sudo log. # Default: undef # # [*configs*] # A hash of sudo::conf's # Default: {} # # Actions: # Installs sudo package and checks the state of sudoers file and # sudoers.d directory. 
# # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] class sudo ( Boolean $enable = true, Optional[String] $package = $sudo::params::package, Optional[String] $package_ldap = $sudo::params::package_ldap, String $package_ensure = $sudo::params::package_ensure, Optional[String] $package_source = $sudo::params::package_source, Optional[String] $package_provider = $sudo::params::package_provider, Optional[String] $package_admin_file = $sudo::params::package_admin_file, Boolean $purge = true, Optional[Variant[String, Array[String]]] $purge_ignore = undef, Optional[String] $suffix = undef, String $config_file = $sudo::params::config_file, Boolean $config_file_replace = true, String $config_file_mode = $sudo::params::config_file_mode, String $config_dir = $sudo::params::config_dir, String $config_dir_mode = $sudo::params::config_dir_mode, Optional[Array[String]] $extra_include_dirs = undef, String $content = $sudo::params::content, Boolean $ldap_enable = false, Boolean $delete_on_error = true, Boolean $validate_single = false, Boolean $config_dir_keepme = $sudo::params::config_dir_keepme, Boolean $use_sudoreplay = false, Enum['absent','password','nopassword'] $wheel_config = 'absent', Optional[Array[String]] $sudoreplay_discard = undef, Hash $configs = {}, ) inherits sudo::params { case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } case $ldap_enable { true: { if $package_ldap == undef { fail('on your os ldap support for sudo is not yet supported') } $package_real = $package_ldap } false: { $package_real = $package } default: { fail('no $ldap_enable is set') } } if $package_real { class { 'sudo::package': package => $package_real, package_ensure => $package_ensure, package_source => $package_source, package_provider => $package_provider, package_admin_file => 
$package_admin_file, ldap_enable => $ldap_enable, before => [ File[$config_file], File[$config_dir], ], } } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => $config_file_mode, replace => $config_file_replace, content => template($content), } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => $config_dir_mode, recurse => $purge, purge => $purge, ignore => $purge_ignore, } if $config_dir_keepme { file { "${config_dir}/.keep-me": ensure => file, owner => 'root', group => $sudo::params::config_file_group, } } $configs.each |$config_name, $config| { sudo::conf { $config_name: * => $config, } } } diff --git a/manifests/params.pp b/manifests/params.pp index 9ed8e42..4b0f55a 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
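Review bot: The new `[*secure_path*]` doc block documents a class parameter that this hunk never adds — the `class sudo (...)` parameter list is unchanged and contains no `$secure_path`, so the templates' `@secure_path` can only resolve through `inherits sudo::params`, and a user cannot override it the way the docs imply. The documented default `/sbin:/usr/sbin:/bin:/usr/bin` also appears nowhere in params.pp; every platform value there is the same string the corresponding template previously hard-coded (Ubuntu additionally gets `/snap/bin`), so "the new default is secure, where the old is not" is not something this change delivers. Either add `Optional[String] $secure_path = $sudo::params::secure_path,` to the parameter list and change the documented default to `auto-set, platform specific`, or drop the doc block until the parameter exists. If the parameter is added it becomes operator-controlled input to a root-owned sudoers file, so the templates should not emit the directive at all when it is undef.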
@@ -1,245 +1,282 @@ class sudo::params { $content_base = "${module_name}/" $config_file_mode = '0440' $config_dir_mode = '0550' case $facts['os']['family'] { 'Debian': { case $facts['os']['name'] { 'Ubuntu': { - $content = "${content_base}sudoers.ubuntu.erb" + $content = "${content_base}sudoers.ubuntu.erb" + $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/snap/bin' } default: { if (versioncmp($facts['os']['release']['major'], '7') >= 0) or ($facts['os']['release']['major'] =~ /\/sid/) or ($facts['os']['release']['major'] =~ /Kali/) { $content = "${content_base}sudoers.debian.erb" + $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin' } else { - $content = "${content_base}sudoers.olddebian.erb" + $content = "${content_base}sudoers.olddebian.erb" + $secure_path = undef } } } $package = 'sudo' $package_ldap = 'sudo-ldap' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } 'RedHat': { $package = 'sudo' # in redhat sudo package is already compiled for ldap support $package_ldap = $package # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $facts['os']['release']['full'] ? { /^5.[01234]$/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content = $facts['os']['release']['full'] ? 
{ - /^5/ => "${content_base}sudoers.rhel5.erb", - /^6/ => "${content_base}sudoers.rhel6.erb", - /^7/ => "${content_base}sudoers.rhel7.erb", - /^8/ => "${content_base}sudoers.rhel8.erb", - default => "${content_base}sudoers.rhel8.erb", + case $facts['os']['release']['full'] { + /^5/: { + $content = "${content_base}sudoers.rhel5.erb" + $secure_path = undef + } + /^6/: { + $content = "${content_base}sudoers.rhel6.erb" + $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin' + } + /^7/: { + $content = "${content_base}sudoers.rhel7.erb" + $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin' + } + /^8/: { + $content = "${content_base}sudoers.rhel8.erb" + $secure_path = '/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin' + } + default: { + $content = "${content_base}sudoers.rhel8.erb" + $secure_path = '/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin' + } } $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } 'Suse': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.suse.erb" + $secure_path = '/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin' $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } 'Solaris': { case $facts['os']['name'] { 'OmniOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.omnios.erb" + $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } 'SmartOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/opt/local/etc/sudoers' $config_dir = '/opt/local/etc/sudoers.d' $content = "${content_base}sudoers.smartos.erb" + 
$secure_path = undef $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.solaris.erb" + $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } '5.10': { $package = 'TCMsudo' $package_ldap = undef $package_ensure = 'present' $package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${facts['os']['hardware']}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.solaris.erb" + $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } default: { fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}/${::kernelrelease}") } } } } } 'FreeBSD': { $package = 'security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' $config_dir = '/usr/local/etc/sudoers.d' $content = "${content_base}sudoers.freebsd.erb" + $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin' $config_file_group = 'wheel' $config_dir_keepme = true $package_provider = '' } 'OpenBSD': { if (versioncmp($::kernelversion, '5.8') < 0) { $package = undef } else { $package = 'sudo' } $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.openbsd.erb" $config_file_group = 'wheel' $config_dir_keepme = false $package_provider = '' } 'AIX': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' 
$package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.aix.erb" + $secure_path = undef $config_file_group = 'system' $config_dir_keepme = false $package_provider = 'rpm' } 'Darwin': { $package = undef $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.darwin.erb" + $secure_path = undef $config_file_group = 'wheel' $config_dir_keepme = false $package_provider = '' } default: { case $facts['os']['name'] { 'Gentoo': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.gentoo.erb" + $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } /^(Arch|Manjaro)(.{0}|linux)$/: { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.archlinux.erb" + $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } 'Amazon': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content = $facts['os']['release']['full'] ? 
{ - /^5/ => "${content_base}sudoers.rhel5.erb", - /^6/ => "${content_base}sudoers.rhel6.erb", - default => "${content_base}sudoers.rhel6.erb", + case $facts['os']['release']['full'] { + /^5/: { + $content = "${content_base}sudoers.rhel5.erb" + $secure_path = undef + } + /^6/: { + $content = "${content_base}sudoers.rhel6.erb" + $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin' + } + default: { + $content = "${content_base}sudoers.rhel6.erb" + $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin' + } } $config_file_group = 'root' $config_dir_keepme = false $package_provider = '' } default: { fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}") } } $package_source = '' $package_admin_file = '' } } } diff --git a/spec/classes/sudo_spec.rb b/spec/classes/sudo_spec.rb index e7d67a4..1e7364c 100644 --- a/spec/classes/sudo_spec.rb +++ b/spec/classes/sudo_spec.rb 
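Review bot: The `'OpenBSD'` branch is the only platform block in this hunk that gets no `$secure_path` assignment; every other branch, including the ones that cannot supply a path, sets it explicitly with `$secure_path = undef`. If `sudoers.openbsd.erb` interpolates `@secure_path` the way the templates in this commit do (not visible here), catalog compilation fails under `strict_variables` and otherwise the rendered directive carries an empty value, so add `$secure_path = undef` to that branch for symmetry. A one-line comment on the Ubuntu value explaining why it alone includes `/snap/bin` would also help, since the Debian value in the same `case` omits it.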
@@ -1,257 +1,275 @@ require 'spec_helper' describe 'sudo' do let :default_params do { enable: true, package_ensure: 'present', purge: true, config_file_replace: true } end [{}, { package_ensure: 'present', purge: false, config_file_replace: false }, { package_ensure: 'latest', purge: true, config_file_replace: false }].each do |param_set| describe "when #{param_set == {} ? 'using default' : 'specifying'} class parameters" do let :param_hash do default_params.merge(param_set) end let :params do param_set end %w[Debian Redhat].each do |osfamily| let :facts do { os: { 'family' => osfamily, 'name' => osfamily, 'release' => { 'full' => '7.0', 'major' => '7', }, }, puppetversion: '3.7.0' } end describe "on supported osfamily: #{osfamily}" do it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end describe 'on RedHat 5.4' do let :facts do { os: { 'family' => 'RedHat', 'name' => 'RedHat', 'release' => { 'full' => '5.4', 'major' => '5', }, }, puppetversion: '3.7.0' } end it do if params == {} is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => 'latest' ) else is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end describe 'on supported osfamily: AIX' do let :facts do { os: { 'family' => 'AIX', }, puppetversion: '3.7.0' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 
'ensure' => 'present', 'owner' => 'root', 'group' => 'system', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'system', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure], 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm', 'package_provider' => 'rpm' ) end end describe 'on supported osfamily: Solaris 10' do let :facts do { os: { 'family' => 'Solaris', 'name' => 'Solaris', 'hardware' => 'i386', }, kernelrelease: '5.10', puppetversion: '3.7.0', } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'TCMsudo', 'package_ensure' => param_hash[:package_ensure], 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-i386.pkg.gz', 'package_admin_file' => '/var/sadm/install/admin/puppet' ) end context 'when package is set' do let :params do { package: 'mysudo' } end it do is_expected.to contain_class('sudo::package').with( 'package' => 'mysudo' ) end end end describe 'on supported osfamily: Solaris 11' do let :facts do { os: { 'family' => 'Solaris', 'name' => 'Solaris', }, kernelrelease: '5.11', puppetversion: '3.7.0' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 
'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'pkg://solaris/security/sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end end + + describe 'on osfamily Debian' do + let :facts do + { + os: { + 'family' => 'Debian', + 'name' => 'Debian', + 'release' => { + 'full' => '7.0', + 'major' => '7', + }, + }, + puppetversion: '3.7.0' + } + end + + it { is_expected.to contain_file('/etc/sudoers').with_content(%r{^Defaults\ssecure_path="\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/opt\/puppetlabs\/bin"$}) } + end end diff --git a/templates/sudoers.debian.erb b/templates/sudoers.debian.erb index 9b11ecf..b66e8a8 100644 --- a/templates/sudoers.debian.erb +++ b/templates/sudoers.debian.erb @@ -1,31 +1,31 @@ # file managed by puppet (unless config_file_replace=false) # Defaults env_reset Defaults mail_badpass -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" +Defaults secure_path="<%= @secure_path %>" <% if @use_sudoreplay %> Defaults log_output Defaults!/usr/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%> 
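Review bot: The new example pins only the Debian rendering, while the rhel6/rhel7/rhel8 templates changed in the same commit emit an unquoted `Defaults secure_path = ...` line from a per-release `case` in params.pp and get no assertion at all, so a typo in either would go unnoticed. Add a RedHat example with facts `'family' => 'RedHat'`, `'release' => { 'full' => '7.0', 'major' => '7' }` and `is_expected.to contain_file('/etc/sudoers').with_content(%r{^Defaults\ssecure_path\s=\s/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin$})`. The `%r{}` delimiter already makes the `\/` escapes in the new Debian regex unnecessary.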
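Review bot: `Defaults secure_path="<%= @secure_path %>"` is now rendered unconditionally, so whenever `@secure_path` is undef the file contains `Defaults secure_path=""`, which is not the same as leaving the option unset. This template is only selected by params.pp branches that set a value, so it does not fire today, but several other branches in the same commit assign `undef`, which makes a guard the contract the rest of the module expects: `<% if @secure_path -%>` / `Defaults secure_path="<%= @secure_path %>"` / `<% end -%>`.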
diff --git a/templates/sudoers.freebsd.erb b/templates/sudoers.freebsd.erb
index 02847e1..2be9e5b 100644
--- a/templates/sudoers.freebsd.erb
+++ b/templates/sudoers.freebsd.erb
@@ -1,122 +1,122 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ## ## Defaults specification ## ## Uncomment if needed to preserve environmental variables related to the ## FreeBSD pkg utility and fetch. # Defaults env_keep += "PKG_CACHEDIR PKG_DBDIR FTP_PASSIVE_MODE" ## ## Additionally uncomment if needed to preserve environmental variables ## related to portupgrade # Defaults env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF" ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! 
# Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to use a hard-coded PATH instead of the user's to find commands -# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" +# Defaults secure_path="<%= @secure_path %>" ## ## Uncomment to send mail if the user does not enter the correct password. # Defaults mail_badpass ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output <% if @use_sudoreplay %> Defaults log_output Defaults!/usr/local/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL <% if @wheel_config == 'password' %> ## Uncomment to allow members of group wheel to execute any command %wheel ALL=(ALL) ALL <% elsif @wheel_config == 'nopassword' %> ## Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL <% end %> ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). 
# Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' ## Read drop-in files ## (the '#' here does not indicate a comment) #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%>
diff --git a/templates/sudoers.rhel6.erb b/templates/sudoers.rhel6.erb
index e6a0c8e..c6ed245 100644
--- a/templates/sudoers.rhel6.erb
+++ b/templates/sudoers.rhel6.erb
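Review bot: The only changed line in this template is a comment (`# Defaults secure_path="<%= @secure_path %>"`), so the FreeBSD value that params.pp now defines is interpolated into a comment and never enforced by sudo. If the params.pp assignment is meant to take effect on FreeBSD, make the line active — `Defaults secure_path="<%= @secure_path %>"`, ideally inside `<% if @secure_path -%>` … `<% end -%>` — and if it is not, the params.pp value is dead and the template should keep the original literal rather than suggest a setting that is applied. Either way a short rendered comment above the line stating whether secure_path is intentionally left unenforced on FreeBSD would stop the next reader from assuming it is.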
@@ -1,125 +1,125 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. 
# Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" <% if @use_sudoreplay %> Defaults log_output Defaults!/usr/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +Defaults secure_path = <%= @secure_path %> ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. 
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS <% if @wheel_config == 'password' %> ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL <% elsif @wheel_config == 'nopassword' %> ## Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL <% end %> ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%>
diff --git a/templates/sudoers.rhel7.erb b/templates/sudoers.rhel7.erb
index c70f300..ae41f62 100644
--- a/templates/sudoers.rhel7.erb
+++ b/templates/sudoers.rhel7.erb
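Review bot: `Defaults secure_path = <%= @secure_path %>` interpolates the value unquoted, unlike the Debian template's `secure_path="..."` form in this same commit, so a value containing whitespace or a sudoers metacharacter would change the parse, and an undef value renders a dangling `Defaults secure_path = `. The params.pp values are plain colon-separated paths today, but the variable reaches the template through inherited scope rather than a declared parameter, so nothing validates it. Quote it and guard it: `<% if @secure_path -%>` / `Defaults secure_path = "<%= @secure_path %>"` / `<% end -%>`.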
@@ -1,128 +1,128 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. 
This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" <% if @use_sudoreplay %> Defaults log_output Defaults!/usr/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin +Defaults secure_path = <%= @secure_path %> ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. 
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS <% if @wheel_config == 'password' %> ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL <% elsif @wheel_config == 'nopassword' %> ## Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL <% end %> ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%>
diff --git a/templates/sudoers.rhel8.erb b/templates/sudoers.rhel8.erb
index 93e316c..d8057ce 100644
--- a/templates/sudoers.rhel8.erb
+++ b/templates/sudoers.rhel8.erb
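Review bot: The interpolated `Defaults secure_path = <%= @secure_path %>` gives no hint where the value comes from, and because `$secure_path` is not a parameter of `class sudo` in this commit a reader of the rendered file or of this template will look for it in the wrong place. Add a rendered comment above the line, e.g. `# secure_path is set per RHEL release in manifests/params.pp (sudo::params)`, which sudo treats as an ordinary comment. This is the same unquoted form as the rhel6 template, so whatever quoting or undef guard is chosen there should be mirrored here.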
@@ -1,137 +1,137 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Refuse to run if unable to disable echo on the tty. 
# Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults match_group_by_gid # Prior to version 1.8.15, groups listed in sudoers that were not # found in the system group database were passed to the group # plugin, if any. Starting with 1.8.15, only groups of the form # %:group are resolved via the group plugin by default. # We enable always_query_group_plugin to restore old behavior. # Disable this option for new behavior. Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" <% if @use_sudoreplay %> Defaults log_output Defaults!/usr/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME"
-Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin
+Defaults secure_path = <%= @secure_path %>
## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. 
## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS <% if @wheel_config == 'password' %> ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL <% elsif @wheel_config == 'nopassword' %> ## Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL <% end %> ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%>
diff --git a/templates/sudoers.suse.erb b/templates/sudoers.suse.erb
index 701f3ea..d8c1f4f 100644
--- a/templates/sudoers.suse.erb
+++ b/templates/sudoers.suse.erb
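Review bot: `Defaults secure_path = <%= @secure_path %>` in this hunk renders the parameter unquoted, while the suse and ubuntu hunks below write `secure_path="<%= @secure_path %>"`; an empty value or one containing whitespace therefore produces a line that visudo rejects, with the failure surfacing only at apply time. Changing it to `Defaults secure_path = "<%= @secure_path %>"` keeps the templates consistent (the hunk preceding this file, whose start is outside this chunk, uses the same unquoted form). Beyond quoting, all of these templates interpolate the value verbatim, and secure_path only hardens anything if every entry is an absolute path that unprivileged users cannot write to, so the class should reject relative entries and anything other than a colon-separated list of absolute paths before the value reaches the template. The parameter's declaration in init.pp is outside this chunk, so whether such a type constraint or validation already exists is not visible here.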
@@ -1,100 +1,100 @@
# file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## Prevent environment variables from influencing programs in an ## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) Defaults always_set_home ## Path that will be used for every command run from sudo
-Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin"
+Defaults secure_path="<%= @secure_path %>"
Defaults env_reset ## Change env_reset to !env_reset in previous line to keep all environment variables ## Following list will no longer be necessary after this change Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" ## Comment out the preceding line and uncomment the following one if you need ## to use special input methods. This may allow users to compromise the root ## account if they are allowed to run commands without authentication. 
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## Do not insult users when they enter an incorrect password. Defaults !insults ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output <% if @use_sudoreplay %> Defaults log_output Defaults!/usr/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> ## In the default (unconfigured) configuration, sudo asks for the root password. ## This allows use of an ordinary user account for administration of a freshly ## installed system. When configuring sudo, delete the two ## following lines: #Defaults targetpw # ask for the password of the target user i.e. root #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL <% if @wheel_config == 'password' %> ## Uncomment to allow members of group wheel to execute any command %wheel ALL=(ALL) ALL <% elsif @wheel_config == 'nopassword' %> ## Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL <% end %> ## Read drop-in files ## (the '#' here does not indicate a comment) #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%>
diff --git a/templates/sudoers.ubuntu.erb b/templates/sudoers.ubuntu.erb
index c214785..fe953dc 100644
--- a/templates/sudoers.ubuntu.erb
+++ b/templates/sudoers.ubuntu.erb
@@ -1,44 +1,44 @@
# file managed by puppet (unless config_file_replace=false) # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/snap/bin"
+Defaults secure_path="<%= @secure_path %>"
<% if @use_sudoreplay %> Defaults log_output Defaults!/usr/bin/sudoreplay !log_output <% if @sudoreplay_discard %> <% @sudoreplay_discard.each do |command| -%> Defaults!<%= command %> !log_output <% end -%> <% end -%> <% end -%> # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir <%= @config_dir %> <% @extra_include_dirs.each do |include_dir| -%> #includedir <%= include_dir %> <% end if @extra_include_dirs -%>
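Review bot: The removed line shows that the Ubuntu template alone added `/usr/local/sbin:/usr/local/bin` and `/snap/bin` to secure_path; with every template now rendering the same class parameter, those Ubuntu-specific entries disappear unless an operator sets `secure_path` explicitly, so snap-installed tools invoked through sudo stop resolving after the upgrade. Every removed line in this diff also carried `/opt/puppetlabs/bin`, so `sudo puppet ...` is affected on all platforms if the class default omits it. That is consistent with the intent of tightening the default, but it is a migration-relevant change the parameter documentation should state, e.g. `# Note: distribution-specific entries such as /snap/bin (Ubuntu) are no longer included; add them here if commands under those paths are run via sudo`. The init.pp hunk precedes this chunk, so I cannot see whether it already says so.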