diff --git a/README.md b/README.md index c864dec..63cac68 100644 --- a/README.md +++ b/README.md 
@@ -1,220 +1,221 @@ # puppet-sudo [![Build Status](https://secure.travis-ci.org/saz/puppet-sudo.png)](http://travis-ci.org/saz/puppet-sudo) https://github.com/saz/puppet-sudo Manage sudo configuration via Puppet ### Supported OS Some family and some specific os are supported by this module * debian osfamily (debian, ubuntu, kali, ...) * redhat osfamily (redhat, centos, fedora, ...) * suse osfamily (suse, opensuse, ...) * solaris osfamily (Solaris, OmniOS, SmartOS, ...) * freebsd osfamily * openbsd osfamily * aix osfamily * darwin osfamily * gentoo operating system * archlinux operating system * amazon operating system ### Gittip [![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/) ## Usage ### WARNING **This module will purge your current sudo config** If this is not what you're expecting, set `purge` and/or `config_file_replace` to **false** ### Install sudo with default sudoers #### Purge current sudo config ```puppet class { 'sudo': } ``` #### Purge sudoers.d directory, but leave sudoers file as it is ```puppet class { 'sudo': config_file_replace => false, } ``` #### Leave current sudo config as it is ```puppet class { 'sudo': purge => false, config_file_replace => false, } ``` #### Use LDAP along with sudo Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include [puppet portage module by Gentoo](https://forge.puppetlabs.com/gentoo/portage). If not present, only a notification will be shown. 
```puppet class { 'sudo': ldap_enable => true, } ``` ### Adding sudoers configuration #### Using Code ```puppet class { 'sudo': } sudo::conf { 'web': source => 'puppet:///files/etc/sudoers.d/web', } sudo::conf { 'admins': priority => 10, content => "%admins ALL=(ALL) NOPASSWD: ALL", } sudo::conf { 'joe': priority => 60, source => 'puppet:///files/etc/sudoers.d/users/joe', } ``` #### Using Hiera A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings. Examples using: - YAML backend - an environment called __production__ - a __/etc/puppet/hiera.yaml__ hierarchy configuration: ```yaml :hierarchy: - "%{environment}" - "defaults" ``` ##### Load module ###### Using Puppet version 3+ Load the module via Puppet Code or your ENC. ```puppet include sudo ``` ###### Using Puppet version 2.7+ After [Installing Hiera](http://docs.puppetlabs.com/hiera/1/installing.html): - Load the `sudo` and `sudo::configs` modules via Puppet Code or your ENC. ```puppet include sudo include sudo::configs ``` ##### Configure Hiera YAML __(defaults.yaml)__ These defaults will apply to all systems. ```yaml sudo::configs: 'web': 'source' : 'puppet:///files/etc/sudoers.d/web' 'admins': 'content' : "%admins ALL=(ALL) NOPASSWD: ALL" 'priority' : 10 'joe': 'priority' : 60 'source' : 'puppet:///files/etc/sudoers.d/users/joe' ``` ##### Configure Hiera YAML __(production.yaml)__ This will only apply to the production environment. 
In this example we are: - inheriting/preserving the __web__ configuration - overriding the __admins__ configuration - removing the __joe__ configuration - adding the __bill__ template ```yaml sudo::configs: 'admins': 'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL" 'priority' : 10 'joe': 'ensure' : 'absent' 'source' : 'puppet:///files/etc/sudoers.d/users/joe' 'bill': 'template' : "mymodule/bill.erb" ``` If you have Hiera version >= 1.2.0 and enable [Hiera Deeper Merging](http://docs.puppetlabs.com/hiera/1/lookup_types.html#deep-merging-in-hiera--120) you may conditionally override any setting. In this example we are: - inheriting/preserving the __web__ configuration - overriding the __admins:content__ setting - inheriting/preserving the __admins:priority__ setting - inheriting/preserving the __joe:source__ and __joe:priority__ settings - removing the __joe__ configuration - adding the __bill__ template ```yaml sudo::configs: 'admins': 'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL" 'joe': 'ensure' : 'absent' 'bill': 'template' : "mymodule/bill.erb" ``` ##### Set a custom name for the sudoers file In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the ```sudo_file_name``` option to manually set the desired file name. ```puppet sudo::conf { "foreman-proxy": ensure => "present", source => "puppet:///modules/sudo/foreman-proxy", sudo_file_name => "foreman-proxy", } ``` ### sudo::conf / sudo::configs notes * One of content or source must be set. * Content may be an array, string will be added with return carriage after each element. * In order to properly pass a template() use template instead of content, as hiera would run template function otherwise. 
## sudo class parameters | Parameter | Type | Default | Description | | :-------------- | :------ |:----------- | :---------- | | enable | boolean | true | Set this to remove or purge all sudoers configs | | package | string | OS specific | Set package name _(for unsupported platforms)_ | | package_ensure | string | present | latest, absent, or a specific package version | | package_source | string | OS specific | Set package source _(for unsupported platforms)_ | | purge | boolean | true | Purge unmanaged files from config_dir | | purge_ignore | string | undef | Files excluded from purging in config_dir | | config_file | string | OS specific | Set config_file _(for unsupported platforms)_ | | config_file_replace | boolean | true | Replace config file with module config file | +| includedirsudoers | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas | | config_dir | string | OS specific | Set config_dir _(for unsupported platforms)_ | | source | string | OS specific | Set source _(for unsupported platforms)_ | | ldap_enable | boolean | false | Add support to LDAP | ## sudo::conf class / sudo::configs hash parameters | Parameter | Type | Default | Description | | :-------------- | :----- |:----------- | :---------- | | ensure | string | present | present or absent | | priority | number | 10 | file name prefix | | content | string | undef | content of configuration snippet | | source | string | undef | source of configuration snippet | | template | string | undef | template of configuration snippet | | sudo_config_dir | string | OS Specific | configuration snippet directory _(for unsupported platforms)_ | | sudo_file_name | string | undef | custom file name for sudo file in sudoers directory | diff --git a/manifests/init.pp b/manifests/init.pp index 47983d9..3a83be8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,184 +1,189 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*config_file_replace*] # Replace configuration file with that one delivered with this module # Default: true # +# [*includedirsudoers*] +# Add #includedir /etc/sudoers.d to the end of sudoers, if not config_file_replace +# Default: true if RedHat 5.x +# # [*config_dir*] # Main configuration directory # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*source*] # Alternate source file location # Only set this, if your platform is not supported or you know, # what you're doing. 
# Default: auto-set, platform specific # # [*ldap_enable*] # Enable ldap support on the package # Default: false # # Actions: # Installs sudo package and checks the state of sudoers file and # sudoers.d directory. # # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] class sudo( $enable = true, $package_default = $sudo::params::package, $package_ldap = $sudo::params::package_ldap, $package_ensure = $sudo::params::package_ensure, $package_source = $sudo::params::package_source, $package_admin_file = $sudo::params::package_admin_file, $purge = true, $purge_ignore = undef, $config_file = $sudo::params::config_file, $config_file_replace = true, + $includedirsudoers = $sudo::params::includedirsudoers, $config_dir = $sudo::params::config_dir, $source = $sudo::params::source, $ldap_enable = false, ) inherits sudo::params { validate_bool($enable) case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } validate_bool($ldap_enable) case $ldap_enable { true: { if $package_ldap == undef { fail('on your os ldap support for sudo is not yet supported') } $package = $package_ldap } false: { $package = $package_default } default: { fail('no $ldap_enable is set') } } class { '::sudo::package': package => $package, package_ensure => $package_ensure, package_source => $package_source, package_admin_file => $package_admin_file, ldap_enable => $ldap_enable, } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => '0440', replace => $config_file_replace, source => $source, require => Class['sudo::package'], } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => '0550', recurse => $purge, purge => $purge, ignore => $purge_ignore, require => Class['sudo::package'], } - if 
$config_file_replace == false and $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '5' { + if $config_file_replace == false and $includedirsudoers { augeas { 'includedirsudoers': changes => ['set /files/etc/sudoers/#includedir /etc/sudoers.d'], incl => $config_file, lens => 'Sudoers.lns', } } # Load the Hiera based sudoer configuration (if enabled and present) # # NOTE: We must use 'include' here to avoid circular dependencies with # sudo::conf # # NOTE: There is no way to detect the existence of hiera. This automatic # functionality is therefore made exclusive to Puppet 3+ (hiera is embedded) # in order to preserve backwards compatibility. # # http://projects.puppetlabs.com/issues/12345 # if (versioncmp($::puppetversion, '3') != -1) { include '::sudo::configs' } anchor { 'sudo::begin': } -> Class['sudo::package'] -> anchor { 'sudo::end': } } diff --git a/manifests/params.pp b/manifests/params.pp index 5c4bec2..584d7a4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -1,200 +1,215 @@ #class sudo::params #Set the paramters for the sudo module class sudo::params { $source_base = "puppet:///modules/${module_name}/" case $::osfamily { 'Debian': { case $::operatingsystem { 'Ubuntu': { $source = "${source_base}sudoers.ubuntu" } default: { if (versioncmp($::operatingsystemmajrelease, '7') >= 0) or ($::operatingsystemmajrelease =~ /\/sid/) or ($::operatingsystemmajrelease =~ /Kali/) { $source = "${source_base}sudoers.debian" } else { $source = "${source_base}sudoers.olddebian" } } } $package = 'sudo' $package_ldap = 'sudo-ldap' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $config_file_group = 'root' } 'RedHat': { $package = 'sudo' # in redhat sudo package is already compiled for ldap support $package_ldap = $package # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $::operatingsystemrelease ? { /^5.[01234]/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = $::operatingsystemmajrelease ? { + '5' => true, + default => false, + } $config_dir = '/etc/sudoers.d/' $source = $::operatingsystemrelease ? 
{ /^5/ => "${source_base}sudoers.rhel5", /^6/ => "${source_base}sudoers.rhel6", /^7/ => "${source_base}sudoers.rhel7", default => "${source_base}sudoers.rhel6", } $config_file_group = 'root' } 'Suse': { $package = 'sudo' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.suse" $config_file_group = 'root' } 'Solaris': { case $::operatingsystem { 'OmniOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.omnios" $config_file_group = 'root' } 'SmartOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/opt/local/etc/sudoers' $config_dir = '/opt/local/etc/sudoers.d/' $source = "${source_base}sudoers.smartos" $config_file_group = 'root' } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.solaris" $config_file_group = 'root' } '5.10': { $package = 'TCMsudo' $package_ldap = undef $package_ensure = 'present' $package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.solaris" $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}") } } } } } 'FreeBSD': { $package = 'security/sudo' $package_ensure = 'present' 
$package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' + $includedirsudoers = false $config_dir = '/usr/local/etc/sudoers.d/' $source = "${source_base}sudoers.freebsd" $config_file_group = 'wheel' } 'OpenBSD': { $package = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.openbsd" $config_file_group = 'wheel' } 'AIX': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.aix" $config_file_group = 'system' } 'Darwin': { $package = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.darwin" $config_file_group = 'wheel' } default: { case $::operatingsystem { 'Gentoo': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.gentoo" $config_file_group = 'root' } 'Archlinux': { $package = 'sudo' $package_ensure = 'present' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.archlinux" $config_file_group = 'root' } 'Amazon': { $package = 'sudo' $package_ensure = 'present' $config_file = '/etc/sudoers' + $includedirsudoers = false $config_dir = '/etc/sudoers.d/' $source = $::operatingsystemrelease ? 
{ /^5/ => "${source_base}sudoers.rhel5", /^6/ => "${source_base}sudoers.rhel6", default => "${source_base}sudoers.rhel6", } $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } $package_source = '' $package_admin_file = '' } } }
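Review bot: In the README.md hunk, the new table row `| includedirsudoers | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas |` omits the condition that actually gates the behaviour: the augeas edit only runs when `config_file_replace` is false, and the init.pp documentation in the same patch gives the default as "true if RedHat 5.x" rather than "OS specific". The two descriptions should agree, and the row should say that the parameter has no effect while the module replaces the sudoers file, e.g. `| includedirsudoers | boolean | true on RedHat 5.x, else false | Add #includedir /etc/sudoers.d with augeas (only when config_file_replace is false) |`. Since the "Purge sudoers.d directory, but leave sudoers file as it is" example is exactly the `config_file_replace => false` case, that is also the natural place to mention the new parameter, so readers who keep their own sudoers file understand that the module may still append an `#includedir` line to it.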
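Review bot: In the manifests/init.pp hunk, the new `$includedirsudoers` parameter is used directly in `if $config_file_replace == false and $includedirsudoers {` without a `validate_bool($includedirsudoers)`, while the class validates `$enable` and `$ldap_enable` the same way a few lines above. A value coming from Hiera as the string 'false' is truthy in Puppet and would silently enable the augeas change that appends `#includedir /etc/sudoers.d` to an unmanaged sudoers file; add `validate_bool($includedirsudoers)` next to the other validations so a wrong type fails the catalog compile instead. The parameter comment should also state the real default when params.pp leaves the variable unset (see the params.pp hunk), since "Default: true if RedHat 5.x" implies false everywhere else.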
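Review bot: In the manifests/params.pp hunk, `+ $includedirsudoers = false` is added to every platform branch except 'SmartOS' and 'Darwin', so on those platforms `$sudo::params::includedirsudoers` is undef (and an error under `strict_variables = true`). The `if` in init.pp happens to treat undef as false, but the inconsistency is fragile; add `$includedirsudoers = false` to the SmartOS and Darwin branches as well so every branch that sets `$config_file` also sets this variable. The RedHat selector `$::operatingsystemmajrelease ? { '5' => true, default => false, }` matches the condition it replaces in init.pp, which is correct.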