diff --git a/.bundle/config b/.bundle/config deleted file mode 100644 index d58b21d..0000000 --- a/.bundle/config +++ /dev/null @@ -1,4 +0,0 @@ ---- -BUNDLE_WITHOUT: system_tests:development -BUNDLE_PATH: vendor/bundle -BUNDLE_DISABLE_SHARED_GEMS: true diff --git a/.gitignore b/.gitignore index 79a5f79..5caea85 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,13 @@ -pkg/ -*.swp -spec/fixtures/ -.vagrant/ -vendor/ -Gemfile.lock +.*.sw? +/pkg +/spec/fixtures/manifests +/spec/fixtures/modules +/.rspec_system +/.vagrant +/.bundle +/vendor +/Gemfile.lock +/junit +/log +.yardoc +coverage diff --git a/.pmtignore b/.pmtignore new file mode 100644 index 0000000..fb58957 --- /dev/null +++ b/.pmtignore @@ -0,0 +1,20 @@ +docs/ +pkg/ +Gemfile.lock +Gemfile.local +vendor/ +.vendor/ +spec/fixtures/manifests/ +spec/fixtures/modules/ +.vagrant/ +.bundle/ +.ruby-version +coverage/ +log/ +.idea/ +.dependencies/ +.librarian/ +Puppetfile.lock +*.iml +.*.sw? +.yardoc/ diff --git a/.rubocop.yml b/.rubocop.yml index f005b25..21617ba 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,506 +1,517 @@ require: rubocop-rspec AllCops: - TargetRubyVersion: 1.9 + TargetRubyVersion: 2.2 Include: - ./**/*.rb Exclude: + - files/**/* - vendor/**/* - .vendor/**/* - pkg/**/* - spec/fixtures/**/* + - Gemfile + - Rakefile Lint/ConditionPosition: Enabled: true Lint/ElseLayout: Enabled: true Lint/UnreachableCode: Enabled: true Lint/UselessComparison: Enabled: true Lint/EnsureReturn: Enabled: true Lint/HandleExceptions: Enabled: true -Lint/LiteralInCondition: - Enabled: true - Lint/ShadowingOuterLocalVariable: Enabled: true Lint/LiteralInInterpolation: Enabled: true Style/HashSyntax: Enabled: false Style/RedundantReturn: Enabled: true Lint/AmbiguousOperator: Enabled: true Lint/AssignmentInCondition: Enabled: true -Style/SpaceBeforeComment: +Layout/SpaceBeforeComment: Enabled: true Style/AndOr: Enabled: true Style/RedundantSelf: Enabled: true # Method length is not necessarily an indicator of code quality Metrics/MethodLength: Enabled: false # Module length is not necessarily an indicator of code quality Metrics/ModuleLength: Enabled: false Style/WhileUntilModifier: Enabled: true Lint/AmbiguousRegexpLiteral: Enabled: true -Lint/Eval: +Security/Eval: Enabled: true Lint/BlockAlignment: Enabled: true Lint/DefEndAlignment: Enabled: true Lint/EndAlignment: Enabled: true Lint/DeprecatedClassMethods: Enabled: true Lint/Loop: Enabled: true Lint/ParenthesesAsGroupedExpression: Enabled: true Lint/RescueException: Enabled: true Lint/StringConversionInInterpolation: Enabled: true Lint/UnusedBlockArgument: Enabled: true Lint/UnusedMethodArgument: Enabled: true Lint/UselessAccessModifier: Enabled: true Lint/UselessAssignment: Enabled: true Lint/Void: Enabled: true -Style/AccessModifierIndentation: +Layout/AccessModifierIndentation: Enabled: true -Style/AccessorMethodName: +Naming/AccessorMethodName: Enabled: true Style/Alias: Enabled: true -Style/AlignArray: +Layout/AlignArray: Enabled: true -Style/AlignHash: +Layout/AlignHash: Enabled: true -Style/AlignParameters: +Layout/AlignParameters: Enabled: true Metrics/BlockNesting: Enabled: true Style/AsciiComments: Enabled: true Style/Attr: Enabled: true Style/BracesAroundHashParameters: Enabled: true Style/CaseEquality: Enabled: true -Style/CaseIndentation: +Layout/CaseIndentation: Enabled: true Style/CharacterLiteral: Enabled: true -Style/ClassAndModuleCamelCase: +Naming/ClassAndModuleCamelCase: Enabled: true Style/ClassAndModuleChildren: Enabled: false Style/ClassCheck: Enabled: true # Class length is not necessarily an indicator of code quality Metrics/ClassLength: Enabled: false Style/ClassMethods: Enabled: true Style/ClassVars: Enabled: true Style/WhenThen: Enabled: true Style/WordArray: Enabled: true Style/UnneededPercentQ: Enabled: true -Style/Tab: - Enabled: true - -Style/SpaceBeforeSemicolon: +Layout/Tab: Enabled: true -Style/TrailingBlankLines: +Layout/SpaceBeforeSemicolon: Enabled: true -Style/SpaceInsideBlockBraces: +Layout/TrailingBlankLines: Enabled: true -Style/SpaceInsideBrackets: +Layout/SpaceInsideBlockBraces: Enabled: true -Style/SpaceInsideHashLiteralBraces: +Layout/SpaceInsideHashLiteralBraces: Enabled: true -Style/SpaceInsideParens: +Layout/SpaceInsideParens: Enabled: true -Style/LeadingCommentSpace: +Layout/LeadingCommentSpace: Enabled: true -Style/SpaceBeforeFirstArg: +Layout/SpaceBeforeFirstArg: Enabled: true -Style/SpaceAfterColon: +Layout/SpaceAfterColon: Enabled: true -Style/SpaceAfterComma: +Layout/SpaceAfterComma: Enabled: true -Style/SpaceAfterMethodName: +Layout/SpaceAfterMethodName: Enabled: true -Style/SpaceAfterNot: +Layout/SpaceAfterNot: Enabled: true -Style/SpaceAfterSemicolon: +Layout/SpaceAfterSemicolon: Enabled: true -Style/SpaceAroundEqualsInParameterDefault: +Layout/SpaceAroundEqualsInParameterDefault: Enabled: true -Style/SpaceAroundOperators: +Layout/SpaceAroundOperators: Enabled: true -Style/SpaceBeforeBlockBraces: +Layout/SpaceBeforeBlockBraces: Enabled: true -Style/SpaceBeforeComma: +Layout/SpaceBeforeComma: Enabled: true Style/CollectionMethods: Enabled: true -Style/CommentIndentation: +Layout/CommentIndentation: Enabled: true Style/ColonMethodCall: Enabled: true Style/CommentAnnotation: Enabled: true # 'Complexity' is very relative Metrics/CyclomaticComplexity: Enabled: false -Style/ConstantName: +Naming/ConstantName: Enabled: true Style/Documentation: Enabled: false Style/DefWithParentheses: Enabled: true Style/PreferredHashMethods: Enabled: true -Style/DotPosition: +Layout/DotPosition: EnforcedStyle: trailing Style/DoubleNegation: Enabled: true Style/EachWithObject: Enabled: true -Style/EmptyLineBetweenDefs: +Layout/EmptyLineBetweenDefs: Enabled: true -Style/IndentArray: +Layout/IndentArray: Enabled: true -Style/IndentHash: +Layout/IndentHash: Enabled: true -Style/IndentationConsistency: +Layout/IndentationConsistency: Enabled: true -Style/IndentationWidth: +Layout/IndentationWidth: Enabled: true -Style/EmptyLines: +Layout/EmptyLines: Enabled: true -Style/EmptyLinesAroundAccessModifier: +Layout/EmptyLinesAroundAccessModifier: Enabled: true Style/EmptyLiteral: Enabled: true # Configuration parameters: AllowURI, URISchemes. Metrics/LineLength: Enabled: false -Style/MethodCallParentheses: - Enabled: true - Style/MethodDefParentheses: Enabled: true Style/LineEndConcatenation: Enabled: true -Style/TrailingWhitespace: +Layout/TrailingWhitespace: Enabled: true Style/StringLiterals: Enabled: true Style/TrailingCommaInArguments: Enabled: true -Style/TrailingCommaInLiteral: +Style/TrailingCommaInHashLiteral: + Enabled: true + +Style/TrailingCommaInArrayLiteral: Enabled: true Style/GlobalVars: Enabled: true Style/GuardClause: Enabled: true Style/IfUnlessModifier: Enabled: true Style/MultilineIfThen: Enabled: true Style/NegatedIf: Enabled: true Style/NegatedWhile: Enabled: true Style/Next: Enabled: true Style/SingleLineBlockParams: Enabled: true Style/SingleLineMethods: Enabled: true Style/SpecialGlobalVars: Enabled: true Style/TrivialAccessors: Enabled: true Style/UnlessElse: Enabled: true Style/VariableInterpolation: Enabled: true -Style/VariableName: +Naming/VariableName: Enabled: true Style/WhileUntilDo: Enabled: true Style/EvenOdd: Enabled: true -Style/FileName: +Naming/FileName: Enabled: true Style/For: Enabled: true Style/Lambda: Enabled: true -Style/MethodName: +Naming/MethodName: Enabled: true Style/MultilineTernaryOperator: Enabled: true Style/NestedTernaryOperator: Enabled: true Style/NilComparison: Enabled: true Style/FormatString: Enabled: true Style/MultilineBlockChain: Enabled: true Style/Semicolon: Enabled: true Style/SignalException: Enabled: true Style/NonNilCheck: Enabled: true Style/Not: Enabled: true Style/NumericLiterals: Enabled: true Style/OneLineConditional: Enabled: true -Style/OpMethod: +Naming/BinaryOperatorParameterName: Enabled: true Style/ParenthesesAroundCondition: Enabled: true Style/PercentLiteralDelimiters: Enabled: true Style/PerlBackrefs: Enabled: true -Style/PredicateName: +Naming/PredicateName: Enabled: true Style/RedundantException: Enabled: true Style/SelfAssignment: Enabled: true Style/Proc: Enabled: true Style/RaiseArgs: Enabled: true Style/RedundantBegin: Enabled: true Style/RescueModifier: Enabled: true # based on https://github.com/voxpupuli/modulesync_config/issues/168 Style/RegexpLiteral: EnforcedStyle: percent_r Enabled: true Lint/UnderscorePrefixedVariableName: Enabled: true Metrics/ParameterLists: Enabled: false Lint/RequireParentheses: Enabled: true -Style/SpaceBeforeFirstArg: +Layout/SpaceBeforeFirstArg: Enabled: true Style/ModuleFunction: Enabled: true Lint/Debugger: Enabled: true Style/IfWithSemicolon: Enabled: true Style/Encoding: Enabled: true Style/BlockDelimiters: Enabled: true -Style/MultilineBlockLayout: +Style/FormatStringToken: + Enabled: false + +Layout/MultilineBlockLayout: Enabled: true # 'Complexity' is very relative Metrics/AbcSize: Enabled: False +Metrics/BlockLength: + Enabled: False + # 'Complexity' is very relative Metrics/PerceivedComplexity: Enabled: False Lint/UselessAssignment: Enabled: true -Style/ClosingParenthesisIndentation: +Layout/ClosingParenthesisIndentation: + Enabled: false + +Metrics/BlockLength: Enabled: false # RSpec # We don't use rspec in this way RSpec/DescribeClass: Enabled: False # Example length is not necessarily an indicator of code quality RSpec/ExampleLength: Enabled: False +RSpec/NestedGroups: + Max: 4 + +RSpec/MultipleExpectations: + Max: 2 diff --git a/.travis.yml b/.travis.yml index ec0590f..7fc28f7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,44 +1,35 @@ sudo: false language: ruby cache: bundler bundler_args: --without development system_tests before_install: - bundle -v - rm Gemfile.lock || true - gem update --system - gem update bundler - gem --version - bundle -v script: - bundle exec rake $CHECK matrix: fast_finish: true include: - - rvm: 1.9.3 - env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 1.9.3 - env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" FUTURE_PARSER="yes" CHECK=test - - rvm: 2.1 - env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.2 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=build - rvm: 2.3.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=rubocop - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test FORGEDEPLOY=true + env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=build FORGEDEPLOY=true notifications: email: false deploy: provider: puppetforge user: saz password: secure: KREyzEFK9Xa72gtqYv2iI1AScrM9eh9fwZgYz/83uH/spHAxlgx2K4ISjiM8WN4drrBXhZ+JgYRsIGE0TGHW1p35P1P0loNniwhKn0ghU6wEP80t0c/FP6G+qYnBwFbkDMOumtxJ/LB73zXxwDdxBPeATLwzz3cPLUYel6PeqI8= on: tags: true all_branches: true - rvm: 2.3.1 condition: "$FORGEDEPLOY = true" diff --git a/README.md b/README.md index 63cac68..5c5fd4a 100644 --- a/README.md +++ b/README.md @@ -1,221 +1,225 @@ # puppet-sudo [![Build Status](https://secure.travis-ci.org/saz/puppet-sudo.png)](http://travis-ci.org/saz/puppet-sudo) https://github.com/saz/puppet-sudo Manage sudo configuration via Puppet +### Supported Puppet versions +* Puppet >= 4 +* Last version supporting Puppet 3: v4.2.0 + ### Supported OS Some family and some specific os are supported by this module * debian osfamily (debian, ubuntu, kali, ...) * redhat osfamily (redhat, centos, fedora, ...) * suse osfamily (suse, opensuse, ...) * solaris osfamily (Solaris, OmniOS, SmartOS, ...) * freebsd osfamily * openbsd osfamily * aix osfamily * darwin osfamily * gentoo operating system * archlinux operating system * amazon operating system ### Gittip [![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/) ## Usage ### WARNING **This module will purge your current sudo config** If this is not what you're expecting, set `purge` and/or `config_file_replace` to **false** ### Install sudo with default sudoers #### Purge current sudo config ```puppet class { 'sudo': } ``` #### Purge sudoers.d directory, but leave sudoers file as it is ```puppet class { 'sudo': config_file_replace => false, } ``` #### Leave current sudo config as it is ```puppet class { 'sudo': purge => false, config_file_replace => false, } ``` #### Use LDAP along with sudo Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include [puppet portage module by Gentoo](https://forge.puppetlabs.com/gentoo/portage). If not present, only a notification will be shown. ```puppet class { 'sudo': ldap_enable => true, } ``` ### Adding sudoers configuration #### Using Code ```puppet class { 'sudo': } sudo::conf { 'web': source => 'puppet:///files/etc/sudoers.d/web', } sudo::conf { 'admins': priority => 10, content => "%admins ALL=(ALL) NOPASSWD: ALL", } sudo::conf { 'joe': priority => 60, source => 'puppet:///files/etc/sudoers.d/users/joe', } ``` #### Using Hiera A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings. Examples using: - YAML backend - an environment called __production__ - a __/etc/puppet/hiera.yaml__ hierarchy configuration: ```yaml :hierarchy: - "%{environment}" - "defaults" ``` ##### Load module ###### Using Puppet version 3+ Load the module via Puppet Code or your ENC. ```puppet include sudo ``` ###### Using Puppet version 2.7+ After [Installing Hiera](http://docs.puppetlabs.com/hiera/1/installing.html): - Load the `sudo` and `sudo::configs` modules via Puppet Code or your ENC. ```puppet include sudo include sudo::configs ``` ##### Configure Hiera YAML __(defaults.yaml)__ These defaults will apply to all systems. ```yaml sudo::configs: 'web': 'source' : 'puppet:///files/etc/sudoers.d/web' 'admins': 'content' : "%admins ALL=(ALL) NOPASSWD: ALL" 'priority' : 10 'joe': 'priority' : 60 'source' : 'puppet:///files/etc/sudoers.d/users/joe' ``` ##### Configure Hiera YAML __(production.yaml)__ This will only apply to the production environment. In this example we are: - inheriting/preserving the __web__ configuration - overriding the __admins__ configuration - removing the __joe__ configuration - adding the __bill__ template ```yaml sudo::configs: 'admins': 'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL" 'priority' : 10 'joe': 'ensure' : 'absent' 'source' : 'puppet:///files/etc/sudoers.d/users/joe' 'bill': 'template' : "mymodule/bill.erb" ``` If you have Hiera version >= 1.2.0 and enable [Hiera Deeper Merging](http://docs.puppetlabs.com/hiera/1/lookup_types.html#deep-merging-in-hiera--120) you may conditionally override any setting. In this example we are: - inheriting/preserving the __web__ configuration - overriding the __admins:content__ setting - inheriting/preserving the __admins:priority__ setting - inheriting/preserving the __joe:source__ and __joe:priority__ settings - removing the __joe__ configuration - adding the __bill__ template ```yaml sudo::configs: 'admins': 'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL" 'joe': 'ensure' : 'absent' 'bill': 'template' : "mymodule/bill.erb" ``` ##### Set a custom name for the sudoers file In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the ```sudo_file_name``` option to manually set the desired file name. ```puppet sudo::conf { "foreman-proxy": ensure => "present", source => "puppet:///modules/sudo/foreman-proxy", sudo_file_name => "foreman-proxy", } ``` ### sudo::conf / sudo::configs notes * One of content or source must be set. * Content may be an array, string will be added with return carriage after each element. * In order to properly pass a template() use template instead of content, as hiera would run template function otherwise. ## sudo class parameters | Parameter | Type | Default | Description | | :-------------- | :------ |:----------- | :---------- | | enable | boolean | true | Set this to remove or purge all sudoers configs | | package | string | OS specific | Set package name _(for unsupported platforms)_ | | package_ensure | string | present | latest, absent, or a specific package version | | package_source | string | OS specific | Set package source _(for unsupported platforms)_ | | purge | boolean | true | Purge unmanaged files from config_dir | | purge_ignore | string | undef | Files excluded from purging in config_dir | | config_file | string | OS specific | Set config_file _(for unsupported platforms)_ | | config_file_replace | boolean | true | Replace config file with module config file | | includedirsudoers | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas | | config_dir | string | OS specific | Set config_dir _(for unsupported platforms)_ | -| source | string | OS specific | Set source _(for unsupported platforms)_ | +| content | string | OS specific | Alternate content file location | | ldap_enable | boolean | false | Add support to LDAP | ## sudo::conf class / sudo::configs hash parameters | Parameter | Type | Default | Description | | :-------------- | :----- |:----------- | :---------- | | ensure | string | present | present or absent | | priority | number | 10 | file name prefix | | content | string | undef | content of configuration snippet | | source | string | undef | source of configuration snippet | | template | string | undef | template of configuration snippet | | sudo_config_dir | string | OS Specific | configuration snippet directory _(for unsupported platforms)_ | | sudo_file_name | string | undef | custom file name for sudo file in sudoers directory | diff --git a/manifests/allow.pp b/manifests/allow.pp index d597f5d..fb026a1 100644 --- a/manifests/allow.pp +++ b/manifests/allow.pp @@ -1,76 +1,76 @@ # Class: sudo::allow # # This class allows you to take complete advantage of automatic parameter # lookup using a Hiera database. Providing a singleton class that accepts # arrays in the parameters makes it possible to implement specific user # or group configuration in Hiera, whereas the use of defined types is # normally restricted to Puppet manifests. # # Furthermore, having separate parameters for "add" and "replace" modes # allows you to take full advantage of inheritance in the Hiera database # while still allowing for exceptions if required. # # This class works best with Puppet 3.0 or higher. # # Parameters: # [*add_users*] # Define the set of users with sudo privileges by getting all values in # the hierarchy for this key, then flattening them into a single array # of unique values. # Default: empty array # # [*add_groups*] # Define the set of groups with sudo privileges by getting all values in # the hierarchy for this key, then flattening them into a single array # of unique values. # Default: empty array # # [*replace_users*] # Override any values specified in add_users. If you specify this value # in your manifest or Hiera database, the contents of "add_users" will # be ignored. With Hiera, a standard priority lookup is used. Note that # if replace_users is specified at ANY level of the hierarchy, then # add_users is ignored at EVERY level of the hierarchy. # Default: undef # # [*replace_groups*] # Override any values specified in add_groups. If you specify this value # in your manifest or Hiera database, the contents of "add_groups" will # be ignored. With Hiera, a standard priority lookup is used. Note that # if replace_groups is specified at ANY level of the hierarchy, then # add_groups is ignored at EVERY level of the hierarchy. # Default: undef # # Actions: # Creates file in sudoers.d that permits specific users and groups to sudo. # # Sample Usage: # class { 'sudo::allow': # add_users => ['jsmith'], # add_groups => ['wheel'], # } # # [Remember: No empty lines between comments and class definition] class sudo::allow( $add_users = [], $add_groups = [], $replace_users = undef, $replace_groups = undef ) { # TODO validate that all input is arrays if $replace_users != undef { $users = $replace_users } else { - $users = hiera_array("${module_name}::allow::add_users", $add_users) + $users = lookup("${module_name}::allow::add_users", Array, 'unique', $add_users) } if $replace_groups != undef { $groups = $replace_groups } else { - $groups = hiera_array("${module_name}::allow::add_groups", $add_groups) + $groups = lookup("${module_name}::allow::add_groups", Array, 'unique', $add_groups) } sudo::conf { 'sudo_users_groups': content => template("${module_name}/users_groups.erb"), } } diff --git a/manifests/conf.pp b/manifests/conf.pp index c726018..1e81813 100644 --- a/manifests/conf.pp +++ b/manifests/conf.pp @@ -1,123 +1,141 @@ # Define: sudo::conf # # This module manages sudo configurations # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*priority*] # Prefix file name with $priority # Default: 10 # # [*content*] # Content of configuration snippet. # Default: undef # # [*source*] # Source of configuration snippet. # Default: undef # # [*sudo_config_dir*] # Where to place configuration snippets. # Only set this, if your platform is not supported or # you know, what you're doing. # Default: auto-set, platform specific # # Actions: # Installs sudo configuration snippets # # Requires: # Class sudo # # Sample Usage: # sudo::conf { 'admins': # source => 'puppet:///files/etc/sudoers.d/admins', # } # # [Remember: No empty lines between comments and class definition] define sudo::conf( - $ensure = present, - $priority = 10, - $content = undef, - $source = undef, - $template = undef, - $sudo_config_dir = undef, - $sudo_file_name = undef + $ensure = present, + $priority = 10, + $content = undef, + $source = undef, + $template = undef, + $sudo_config_dir = undef, + $sudo_file_name = undef, + $sudo_syntax_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' ) { include ::sudo # Hack to allow the user to set the config_dir from the # sudo::config parameter, but default to $sudo::params::config_dir # if it is not provided. $sudo::params isn't included before # the parameters are loaded in. $sudo_config_dir_real = $sudo_config_dir ? { undef => $sudo::config_dir, $sudo_config_dir => $sudo_config_dir } # sudo skip file name that contain a "." $dname = regsubst($name, '\.', '-', 'G') if size("x${priority}") == 2 { $priority_real = "0${priority}" } else { $priority_real = $priority } # build current file name with path if $sudo_file_name != undef { - $cur_file = "${sudo_config_dir_real}${sudo_file_name}" + $cur_file = "${sudo_config_dir_real}/${sudo_file_name}" } else { - $cur_file = "${sudo_config_dir_real}${priority_real}_${dname}" + $cur_file = "${sudo_config_dir_real}/${priority_real}_${dname}" } # replace whitespace in file name $cur_file_real = regsubst($cur_file, '\s+', '_', 'G') Class['sudo'] -> Sudo::Conf[$name] if $::osfamily == 'RedHat' { if (versioncmp($::sudoversion, '1.7.2p1') < 0) { warning("Found sudo with version ${::sudoversion}, but at least version 1.7.2p1 is required!") } } if $content != undef { - if is_array($content) { + if $content =~ Array { $lines = join($content, "\n") - $content_real = "${lines}\n" + $content_real = "# This file is managed by Puppet; changes may be overwritten\n${lines}\n" } else { $content_real = "# This file is managed by Puppet; changes may be overwritten\n${content}\n" } } elsif $template != undef { $content_real = template($template) } else { $content_real = undef } if $ensure == 'present' { - $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] + if $sudo::validate_single { + $validate_cmd_real = 'visudo -c -f %' + } else { + $validate_cmd_real = undef + } + if $sudo::delete_on_error { + $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] + $delete_cmd = "( rm -f '${cur_file_real}' && exit 1)" + } else { + $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] + $errormsg = "Error on global-syntax-check with file ${cur_file_real}" + $delete_cmd = "( echo '${errormsg}' && echo '#${errormsg}' >>${cur_file_real} && exit 1)" + } } else { + $delete_cmd = '' $notify_real = undef + $validate_cmd_real = undef } file { "${priority_real}_${dname}": - ensure => $ensure, - path => $cur_file_real, - owner => 'root', - group => $sudo::params::config_file_group, - mode => '0440', - source => $source, - content => $content_real, - notify => $notify_real, + ensure => $ensure, + path => $cur_file_real, + owner => 'root', + group => $sudo::params::config_file_group, + mode => $sudo::params::config_file_mode, + source => $source, + content => $content_real, + notify => $notify_real, + validate_cmd => $validate_cmd_real, } exec {"sudo-syntax-check for file ${cur_file}": - command => "visudo -c -f '${cur_file_real}' || ( rm -f '${cur_file_real}' && exit 1)", + command => "visudo -c || ${delete_cmd}", refreshonly => true, - path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/local/sbin'], + path => $sudo_syntax_path, } + + } diff --git a/manifests/configs.pp b/manifests/configs.pp index 287764d..cbf2f82 100644 --- a/manifests/configs.pp +++ b/manifests/configs.pp @@ -1,27 +1,26 @@ # Class: sudo::configs # # This class enables support for a full hiera based sudoers configuration. # Hiera functionality is auto enabled during the initial sudo module load; # this class is not intended to be loaded directly. # # See the primary sudo module documentation for usage and examples. # class sudo::configs ( - $configs_hash = {}, + Hash $configs_hash = {}, ){ - validate_hash ( $configs_hash ) # NOTE: hiera_hash does not work as expected in a parameterized class # definition; so we call it here. # # http://docs.puppetlabs.com/hiera/1/puppet.html#limitations # https://tickets.puppetlabs.com/browse/HI-118 # - $configs = hiera_hash('sudo::configs', $configs_hash) + $configs = lookup('sudo::configs', Hash, {'strategy' => 'deep', 'merge_hash_arrays' => true}, $configs_hash) if !empty($configs) { create_resources('sudo::conf', $configs) } } diff --git a/manifests/init.pp b/manifests/init.pp index 3a83be8..f0842fc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,189 +1,200 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # -# [*config_file_replace*] -# Replace configuration file with that one delivered with this module -# Default: true -# -# [*includedirsudoers*] -# Add #includedir /etc/sudoers.d to the end of sudoers, if not config_file_replace -# Default: true if RedHat 5.x -# # [*config_dir*] -# Main configuration directory -# Only set this, if your platform is not supported or you know, -# what you're doing. +# Main directory containing sudo snippets, imported via +# includedir stanza in sudoers file # Default: auto-set, platform specific # -# [*source*] -# Alternate source file location +# [*extra_include_dirs*] +# Array of additional directories containing sudo snippets +# Default: undef +# +# [*content*] +# Alternate content file location # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*ldap_enable*] # Enable ldap support on the package # Default: false # +# [*delete_on_error*] +# True if you want that the configuration is deleted on an error +# during a complete visudo -c run. If false it will just return +# an error and will add a comment to the sudoers configuration so +# that the resource will be checked at the following run. +# Default: true +# +# [*validate_single*] +# Do a validate on the "single" file in the sudoers.d directory. +# If the validate fail the file will not be saved or changed +# if a file already exist. +# Default: false +# # Actions: # Installs sudo package and checks the state of sudoers file and # sudoers.d directory. # # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] -class sudo( - $enable = true, - $package_default = $sudo::params::package, - $package_ldap = $sudo::params::package_ldap, - $package_ensure = $sudo::params::package_ensure, - $package_source = $sudo::params::package_source, - $package_admin_file = $sudo::params::package_admin_file, - $purge = true, - $purge_ignore = undef, - $config_file = $sudo::params::config_file, - $config_file_replace = true, - $includedirsudoers = $sudo::params::includedirsudoers, - $config_dir = $sudo::params::config_dir, - $source = $sudo::params::source, - $ldap_enable = false, +class sudo ( + Boolean $enable = true, + Optional[String] $package = $sudo::params::package, + Optional[String] $package_ldap = $sudo::params::package_ldap, + String $package_ensure = $sudo::params::package_ensure, + Optional[String] $package_source = $sudo::params::package_source, + Optional[String] $package_admin_file = $sudo::params::package_admin_file, + Boolean $purge = true, + Optional[Variant[String, Array[String]]] $purge_ignore = undef, + String $config_file = $sudo::params::config_file, + Boolean $config_file_replace = true, + String $config_file_mode = $sudo::params::config_file_mode, + String $config_dir = $sudo::params::config_dir, + String $config_dir_mode = $sudo::params::config_dir_mode, + Optional[Array[String]] $extra_include_dirs = undef, + String $content = $sudo::params::content, + Boolean $ldap_enable = false, + Boolean $delete_on_error = true, + Boolean $validate_single = false, + Boolean $config_dir_keepme = $sudo::params::config_dir_keepme, ) inherits sudo::params { - validate_bool($enable) case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } - validate_bool($ldap_enable) case $ldap_enable { true: { if $package_ldap == undef { fail('on your os ldap support for sudo is not yet supported') } - $package = $package_ldap + $package_real = $package_ldap } false: { - $package = $package_default + $package_real = $package } default: { fail('no $ldap_enable is set') } } - - - class { '::sudo::package': - package => $package, - package_ensure => $package_ensure, - package_source => $package_source, - package_admin_file => $package_admin_file, - ldap_enable => $ldap_enable, + if $package_real { + class { '::sudo::package': + package => $package_real, + package_ensure => $package_ensure, + package_source => $package_source, + package_admin_file => $package_admin_file, + ldap_enable => $ldap_enable, + before => [ File[$config_file], File[$config_dir] ], + } } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, - mode => '0440', + mode => $config_file_mode, replace => $config_file_replace, - source => $source, - require => Class['sudo::package'], + content => template($content), } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, - mode => '0550', + mode => $config_dir_mode, recurse => $purge, purge => $purge, ignore => $purge_ignore, - require => Class['sudo::package'], } - if $config_file_replace == false and $includedirsudoers { - augeas { 'includedirsudoers': - changes => ['set /files/etc/sudoers/#includedir /etc/sudoers.d'], - incl => $config_file, - lens => 'Sudoers.lns', + if $config_dir_keepme { + file { "${config_dir}/.keep-me": + ensure => file, + owner => 'root', + group => $sudo::params::config_file_group, } } # Load the Hiera based sudoer configuration (if enabled and present) # # NOTE: We must use 'include' here to avoid circular dependencies with # sudo::conf # # NOTE: There is no way to detect the existence of hiera. This automatic # functionality is therefore made exclusive to Puppet 3+ (hiera is embedded) # in order to preserve backwards compatibility. # # http://projects.puppetlabs.com/issues/12345 # if (versioncmp($::puppetversion, '3') != -1) { include '::sudo::configs' } - - anchor { 'sudo::begin': } -> - Class['sudo::package'] -> - anchor { 'sudo::end': } + if $package_real { + anchor { 'sudo::begin': } + -> Class['sudo::package'] + -> anchor { 'sudo::end': } + } } diff --git a/manifests/params.pp b/manifests/params.pp index 709f98c..4da13b8 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,225 +1,226 @@ #class sudo::params #Set the paramters for the sudo module class sudo::params { - $source_base = "puppet:///modules/${module_name}/" + $content_base = "${module_name}/" + $config_file_mode = '0440' + $config_dir_mode = '0550' case $::osfamily { 'Debian': { case $::operatingsystem { 'Ubuntu': { - $source = "${source_base}sudoers.ubuntu" + $content = "${content_base}sudoers.ubuntu.erb" } default: { if (versioncmp($::operatingsystemmajrelease, '7') >= 0) or ($::operatingsystemmajrelease =~ /\/sid/) or ($::operatingsystemmajrelease =~ /Kali/) { - $source = "${source_base}sudoers.debian" + $content = "${content_base}sudoers.debian.erb" } else { - $source = "${source_base}sudoers.olddebian" + $content = "${content_base}sudoers.olddebian.erb" } } } $package = 'sudo' $package_ldap = 'sudo-ldap' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' + $config_dir = '/etc/sudoers.d' $config_file_group = 'root' + $config_dir_keepme = false } 'RedHat': { $package = 'sudo' # in redhat sudo package is already compiled for ldap support $package_ldap = $package # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $::operatingsystemrelease ? { - /^5.[01234]/ => 'latest', + /^5.[01234]$/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = $::operatingsystemmajrelease ? { - '5' => true, - default => false, - } - $config_dir = '/etc/sudoers.d/' - $source = $::operatingsystemrelease ? { - /^5/ => "${source_base}sudoers.rhel5", - /^6/ => "${source_base}sudoers.rhel6", - /^7/ => "${source_base}sudoers.rhel7", - default => "${source_base}sudoers.rhel6", + $config_dir = '/etc/sudoers.d' + $content = $::operatingsystemrelease ? { + /^5/ => "${content_base}sudoers.rhel5.erb", + /^6/ => "${content_base}sudoers.rhel6.erb", + /^7/ => "${content_base}sudoers.rhel7.erb", + default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' + $config_dir_keepme = false } 'Suse': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.suse" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.suse.erb" $config_file_group = 'root' + $config_dir_keepme = false } 'Solaris': { case $::operatingsystem { 'OmniOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.omnios" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.omnios.erb" $config_file_group = 'root' + $config_dir_keepme = false } 'SmartOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/opt/local/etc/sudoers' - $config_dir = '/opt/local/etc/sudoers.d/' - $source = "${source_base}sudoers.smartos" + $config_dir = '/opt/local/etc/sudoers.d' + $content = "${content_base}sudoers.smartos.erb" $config_file_group = 'root' + $config_dir_keepme = false } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.solaris" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' + $config_dir_keepme = false } '5.10': { $package = 'TCMsudo' $package_ldap = undef $package_ensure = 'present' $package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.solaris" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' + $config_dir_keepme = false } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}") } } } } } 'FreeBSD': { $package = 'security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' - $includedirsudoers = false - $config_dir = '/usr/local/etc/sudoers.d/' - $source = "${source_base}sudoers.freebsd" + $config_dir = '/usr/local/etc/sudoers.d' + $content = "${content_base}sudoers.freebsd.erb" $config_file_group = 'wheel' + $config_dir_keepme = true } 'OpenBSD': { if (versioncmp($::kernelversion, '5.8') < 0) { $package = undef } else { $package = 'sudo' } $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.openbsd" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.openbsd.erb" $config_file_group = 'wheel' + $config_dir_keepme = false } 'AIX': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.aix" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.aix.erb" $config_file_group = 'system' + $config_dir_keepme = false } 'Darwin': { $package = undef $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.darwin" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.darwin.erb" $config_file_group = 'wheel' + $config_dir_keepme = false } default: { case $::operatingsystem { 'Gentoo': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.gentoo" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.gentoo.erb" $config_file_group = 'root' + $config_dir_keepme = false } 'Archlinux': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.archlinux" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.archlinux.erb" $config_file_group = 'root' + $config_dir_keepme = false } 'Amazon': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = $::operatingsystemrelease ? { - /^5/ => "${source_base}sudoers.rhel5", - /^6/ => "${source_base}sudoers.rhel6", - default => "${source_base}sudoers.rhel6", + $config_dir = '/etc/sudoers.d' + $content = $::operatingsystemrelease ? { + /^5/ => "${content_base}sudoers.rhel5.erb", + /^6/ => "${content_base}sudoers.rhel6.erb", + default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' + $config_dir_keepme = false } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } $package_source = '' $package_admin_file = '' } } } diff --git a/metadata.json b/metadata.json index c1c629a..8620f7b 100644 --- a/metadata.json +++ b/metadata.json @@ -1,24 +1,64 @@ { "name": "saz-sudo", - "version": "4.1.0", + "version": "5.0.0", "author": "saz", "license": "Apache-2.0", "summary": "Manage sudo configuration via Puppet", "source": "https://github.com/saz/puppet-sudo", "project_page": "https://github.com/saz/puppet-sudo", "issues_url": "https://github.com/saz/puppet-sudo/issues", "tags": ["sudo"], "operatingsystem_support": [ { - "operatingsystem":"RedHat", - "operatingsystemrelease":[ "5.0", "6.0", "7.0" ] + "operatingsystem": "RedHat" }, { - "operatingsystem": "Ubuntu", - "operatingsystemrelease": [ "12.04", "10.04", "14.04" ] + "operatingsystem": "CentOS" + }, + { + "operatingsystem": "OracleLinux" + }, + { + "operatingsystem": "Scientific" + }, + { + "operatingsystem": "Debian" + }, + { + "operatingsystem": "Ubuntu" + }, + { + "operatingsystem": "SmartOS" + }, + { + "operatingsystem": "OmniOS" + }, + { + "operatingsystem": "FreeBSD" + }, + { + "operatingsystem": "OpenBSD" + }, + { + "operatingsystem": "AIX" + }, + { + "operatingsystem": "Darwin" + }, + { + "operatingsystem": "Gentoo" + }, + { + "operatingsystem": "Archlinux" + }, + { + "operatingsystem": "Amazon" + }, + { + "operatingsystem": "Suse" } ], "dependencies": [ - { "name": "puppetlabs/stdlib", "version_requirement": ">=2.6.0" } + { "name": "puppetlabs/stdlib", "version_requirement": ">=2.6.0 < 5.0.0" } ] } diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 78a21bb..267bc1e 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -1,16 +1,16 @@ require 'spec_helper_acceptance' describe 'sudo class' do - context 'default parameters' do + context 'with default parameters' do # Using puppet_apply as a helper it 'works with no errors' do - pp = <<-EOS + pp = <<-PP class { 'sudo': } - EOS + PP # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_changes => true) end end end diff --git a/spec/acceptance/sudo_conf_spec.rb b/spec/acceptance/sudo_conf_spec.rb index 9046388..a682e93 100644 --- a/spec/acceptance/sudo_conf_spec.rb +++ b/spec/acceptance/sudo_conf_spec.rb @@ -1,52 +1,52 @@ require 'spec_helper_acceptance' describe 'sudo::conf class' do - context 'default parameters' do + context 'with default parameters' do # Using puppet_apply as a helper it 'works with no errors' do - pp = <<-EOS + pp = <<-PP group { 'janedoe': ensure => present; } -> user { 'janedoe' : gid => 'janedoe', home => '/home/janedoe', shell => '/bin/bash', managehome => true, membership => minimum, } -> user { 'nosudoguy' : home => '/home/nosudoguy', shell => '/bin/bash', managehome => true, membership => minimum, } -> class {'sudo': purge => false, config_file_replace => false, } -> sudo::conf { 'janedoe_nopasswd': content => "janedoe ALL=(ALL) NOPASSWD: ALL\n" } - EOS + PP # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) end describe command("su - janedoe -c 'sudo echo Hello World'") do its(:stdout) { is_expected.to match %r{Hello World} } its(:exit_status) { is_expected.to eq 0 } end describe command("su - nosudoguy -c 'sudo echo Hello World'") do its(:stderr) { is_expected.to match %r{no tty present and no askpass program specified} } its(:exit_status) { is_expected.to eq 1 } end end end diff --git a/spec/classes/sudo_spec.rb b/spec/classes/sudo_spec.rb index 25e3d44..462c737 100644 --- a/spec/classes/sudo_spec.rb +++ b/spec/classes/sudo_spec.rb @@ -1,227 +1,241 @@ require 'spec_helper' describe 'sudo' do let :default_params do { :enable => true, :package_ensure => 'present', :purge => true, :config_file_replace => true } end [{}, { :package_ensure => 'present', :purge => false, :config_file_replace => false }, { :package_ensure => 'latest', :purge => true, :config_file_replace => false }].each do |param_set| describe "when #{param_set == {} ? 'using default' : 'specifying'} class parameters" do let :param_hash do default_params.merge(param_set) end let :params do param_set end - %w(Debian Redhat).each do |osfamily| + %w[Debian Redhat].each do |osfamily| let :facts do { :operatingsystem => osfamily, :operatingsystemrelease => '7.0', :operatingsystemmajrelease => '7', :osfamily => osfamily, :puppetversion => '3.7.0' } end describe "on supported osfamily: #{osfamily}" do it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do - is_expected.to contain_file('/etc/sudoers.d/').with( + is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end describe 'on RedHat 5.4' do let :facts do { :osfamily => 'RedHat', :operatingsystemrelease => '5.4', :operatingsystemmajrelease => '5', :puppetversion => '3.7.0' } end it do if params == {} is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => 'latest' ) else is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end describe 'on supported osfamily: AIX' do let :facts do { :osfamily => 'AIX', :puppetversion => '3.7.0' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'system', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do - is_expected.to contain_file('/etc/sudoers.d/').with( + is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'system', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure], 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' ) end end describe 'on supported osfamily: Solaris 10' do let :facts do { :operatingsystem => 'Solaris', :osfamily => 'Solaris', :kernelrelease => '5.10', :puppetversion => '3.7.0', :hardwareisa => 'i386' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do - is_expected.to contain_file('/etc/sudoers.d/').with( + is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'TCMsudo', 'package_ensure' => param_hash[:package_ensure], 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-i386.pkg.gz', 'package_admin_file' => '/var/sadm/install/admin/puppet' ) end + + context 'when package is set' do + let :params do + { + :package => 'mysudo' + } + end + + it do + is_expected.to contain_class('sudo::package').with( + 'package' => 'mysudo' + ) + end + end end describe 'on supported osfamily: Solaris 11' do let :facts do { :operatingsystem => 'Solaris', :osfamily => 'Solaris', :kernelrelease => '5.11', :puppetversion => '3.7.0' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do - is_expected.to contain_file('/etc/sudoers.d/').with( + is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'pkg://solaris/security/sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end end end diff --git a/spec/defines/sudo_spec.rb b/spec/defines/sudo_spec.rb index e52313b..ca7aa8c 100644 --- a/spec/defines/sudo_spec.rb +++ b/spec/defines/sudo_spec.rb @@ -1,168 +1,207 @@ require 'spec_helper' describe 'sudo::conf', :type => :define do let(:title) { 'admins' } let(:filename) { '10_admins' } let(:file_path) { '/etc/sudoers.d/10_admins' } let :facts do { - :lsbdistcodename => 'wheezy', - :operatingsystemmajrelease => '7', - :operatingsystem => 'Debian', - :osfamily => 'Debian', - :puppetversion => '3.7.0' + lsbdistcodename: 'wheezy', + operatingsystemmajrelease: '7', + operatingsystem: 'Debian', + osfamily: 'Debian', + puppetversion: '3.7.0' } end let :params do { - :priority => 10, - :content => '%admins ALL=(ALL) NOPASSWD: ALL', - :sudo_config_dir => '/etc/sudoers.d/' + priority: 10, + content: '%admins ALL=(ALL) NOPASSWD: ALL', + sudo_config_dir: '/etc/sudoers.d' } end describe 'when creating a sudo entry' do it do - is_expected.to contain_sudo__conf('admins').with(:priority => params[:priority], - :content => params[:content]) + is_expected.to contain_sudo__conf('admins').with( + priority: params[:priority], + content: params[:content] + ) end it do - is_expected.to contain_file(filename).with('ensure' => 'present', - 'content' => "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", - 'owner' => 'root', - 'group' => 'root', - 'path' => file_path, - 'mode' => '0440') + is_expected.to contain_file(filename).with( + ensure: 'present', + content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", + owner: 'root', + group: 'root', + path: file_path, + mode: '0440' + ) end it do - is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}#{params[:priority]}_#{title}").with('command' => "visudo -c -f '#{params[:sudo_config_dir]}#{params[:priority]}_#{title}' || ( rm -f '#{params[:sudo_config_dir]}#{params[:priority]}_#{title}' && exit 1)", - 'refreshonly' => 'true') + is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}/#{params[:priority]}_#{title}").with( + command: "visudo -c || ( rm -f '#{params[:sudo_config_dir]}/#{params[:priority]}_#{title}' && exit 1)", + refreshonly: 'true' + ) end - it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}#{params[:priority]}_#{title}]") } - - it { is_expected.not_to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}#{params[:priority]}_#{title}").that_requires("File[#{filename}]") } - it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}#{params[:priority]}_#{title}]") } + it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/#{params[:priority]}_#{title}]") } + it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/#{params[:priority]}_#{title}]") } end describe 'when creating a sudo entry with single number priority' do let(:filename) { '05_admins' } let(:file_path) { '/etc/sudoers.d/05_admins' } let :params do { - :priority => 5, - :content => '%admins ALL=(ALL) NOPASSWD: ALL', - :sudo_config_dir => '/etc/sudoers.d/' + priority: 5, + content: '%admins ALL=(ALL) NOPASSWD: ALL', + sudo_config_dir: '/etc/sudoers.d' } end it do - is_expected.to contain_sudo__conf('admins').with(:priority => params[:priority], - :content => params[:content]) + is_expected.to contain_sudo__conf('admins').with( + priority: params[:priority], + content: params[:content] + ) end it do - is_expected.to contain_file(filename).with('ensure' => 'present', - 'content' => "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", - 'owner' => 'root', - 'group' => 'root', - 'path' => file_path, - 'mode' => '0440') + is_expected.to contain_file(filename).with( + ensure: 'present', + content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", + owner: 'root', + group: 'root', + path: file_path, + mode: '0440' + ) end it do - is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}").with('command' => "visudo -c -f '#{params[:sudo_config_dir]}0#{params[:priority]}_#{title}' || ( rm -f '#{params[:sudo_config_dir]}0#{params[:priority]}_#{title}' && exit 1)", - 'refreshonly' => 'true') + is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}").with( + command: "visudo -c || ( rm -f '#{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}' && exit 1)", + refreshonly: 'true' + ) end - it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}]") } - - it { is_expected.not_to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}").that_requires("File[#{filename}]") } - it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}]") } + it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } + it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } end describe 'when creating a sudo entry with whitespace in name' do let(:title) { 'admins hq' } let(:filename) { '05_admins hq' } let(:file_path) { '/etc/sudoers.d/05_admins_hq' } let :params do { - :priority => 5, - :content => '%admins_hq ALL=(ALL) NOPASSWD: ALL', - :sudo_config_dir => '/etc/sudoers.d/' + priority: 5, + content: '%admins_hq ALL=(ALL) NOPASSWD: ALL', + sudo_config_dir: '/etc/sudoers.d' } end it do is_expected.to contain_sudo__conf('admins hq').with(:priority => params[:priority], :content => params[:content]) end it do - is_expected.to contain_file(filename).with('ensure' => 'present', - 'content' => "# This file is managed by Puppet; changes may be overwritten\n%admins_hq ALL=(ALL) NOPASSWD: ALL\n", - 'owner' => 'root', - 'group' => 'root', - 'path' => file_path, - 'mode' => '0440') + is_expected.to contain_file(filename).with( + ensure: 'present', + content: "# This file is managed by Puppet; changes may be overwritten\n%admins_hq ALL=(ALL) NOPASSWD: ALL\n", + owner: 'root', + group: 'root', + path: file_path, + mode: '0440' + ) end it do - is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}").with('command' => "visudo -c -f '#{file_path}' || ( rm -f '#{file_path}' && exit 1)", - 'refreshonly' => 'true') + is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}").with( + command: "visudo -c || ( rm -f '#{file_path}' && exit 1)", + refreshonly: 'true' + ) end - it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}]") } - - it { is_expected.not_to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}").that_requires("File[#{filename}]") } - it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}0#{params[:priority]}_#{title}]") } + it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } + it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } end describe 'when removing an sudo entry' do let :params do { - :ensure => 'absent', - :priority => 10, - :content => '%admins ALL=(ALL) NOPASSWD: ALL', - :sudo_config_dir => '/etc/sudoers.d/' + ensure: 'absent', + priority: 10, + content: '%admins ALL=(ALL) NOPASSWD: ALL', + sudo_config_dir: '/etc/sudoers.d' } end it do - is_expected.to contain_file(filename).with('ensure' => 'absent', - 'content' => "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", - 'owner' => 'root', - 'group' => 'root', - 'path' => file_path, - 'mode' => '0440') + is_expected.to contain_file(filename).with( + ensure: 'absent', + content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", + owner: 'root', + group: 'root', + path: file_path, + mode: '0440' + ) end end describe 'when removing an sudo entry with single number priority' do let :params do { - :ensure => 'absent', - :priority => 5, - :content => '%admins ALL=(ALL) NOPASSWD: ALL', - :sudo_config_dir => '/etc/sudoers.d/' + ensure: 'absent', + priority: 5, + content: '%admins ALL=(ALL) NOPASSWD: ALL', + sudo_config_dir: '/etc/sudoers.d' } end let(:filename) { '05_admins' } let(:file_path) { '/etc/sudoers.d/05_admins' } it do - is_expected.to contain_file(filename).with('ensure' => 'absent', - 'content' => "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", - 'owner' => 'root', - 'group' => 'root', - 'path' => file_path, - 'mode' => '0440') + is_expected.to contain_file(filename).with( + ensure: 'absent', + content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", + owner: 'root', + group: 'root', + path: file_path, + mode: '0440' + ) + end + end + + describe 'when adding a sudo entry with array content' do + let :params do + { + content: [ + '%admins ALL=(ALL) NOPASSWD: ALL', + '%wheel ALL=(ALL) NOPASSWD: ALL' + ] + } + end + + let(:filename) { '10_admins' } + let(:file_path) { '/etc/sudoers.d/10_admins' } + + it do + is_expected.to contain_file(filename).with( + ensure: 'present', + content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n%wheel ALL=(ALL) NOPASSWD: ALL\n", + owner: 'root', + group: 'root', + path: file_path, + mode: '0440' + ) end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 3744e12..0b9b0e4 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,24 +1,24 @@ require 'puppetlabs_spec_helper/module_spec_helper' RSpec.configure do |c| c.include PuppetlabsSpec::Files - c.before :each do + c.before do # Ensure that we don't accidentally cache facts and environment # between test cases. Facter.clear Facter.clear_messages # Store any environment variables away to be restored later @old_env = {} ENV.each_key { |k| @old_env[k] = ENV[k] } if Gem::Version.new(`puppet --version`) >= Gem::Version.new('3.5') Puppet.settings[:strict_variables] = true end end - c.after :each do + c.after do PuppetlabsSpec::Files.cleanup end end diff --git a/files/sudoers.aix b/templates/sudoers.aix.erb similarity index 94% rename from files/sudoers.aix rename to templates/sudoers.aix.erb index c92a836..b356f56 100644 --- a/files/sudoers.aix +++ b/templates/sudoers.aix.erb @@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.archlinux b/templates/sudoers.archlinux.erb similarity index 94% rename from files/sudoers.archlinux rename to templates/sudoers.archlinux.erb index b61353e..3e1aa8a 100644 --- a/files/sudoers.archlinux +++ b/templates/sudoers.archlinux.erb @@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command #%wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.darwin b/templates/sudoers.darwin.erb similarity index 90% rename from files/sudoers.darwin rename to templates/sudoers.darwin.erb index 3d7c7c5..79109d6 100644 --- a/files/sudoers.darwin +++ b/templates/sudoers.darwin.erb @@ -1,48 +1,51 @@ # file managed by puppet (unless config_file_replace=false) # # sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Failure to use 'visudo' may result in syntax or file permission errors # that prevent sudo from running. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification Defaults env_reset Defaults env_keep += "BLOCKSIZE" Defaults env_keep += "COLORFGBG COLORTERM" Defaults env_keep += "__CF_USER_TEXT_ENCODING" Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" Defaults env_keep += "LINES COLUMNS" Defaults env_keep += "LSCOLORS" Defaults env_keep += "SSH_AUTH_SOCK" Defaults env_keep += "TZ" Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" Defaults env_keep += "EDITOR VISUAL" Defaults env_keep += "HOME MAIL" # Runas alias specification # User privilege specification root ALL=(ALL) ALL %admin ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.debian b/templates/sudoers.debian.erb similarity index 66% rename from files/sudoers.debian rename to templates/sudoers.debian.erb index 9f84ee5..555b496 100644 --- a/files/sudoers.debian +++ b/templates/sudoers.debian.erb @@ -1,15 +1,18 @@ # file managed by puppet (unless config_file_replace=false) # Defaults env_reset Defaults mail_badpass -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/templates/sudoers.erb b/templates/sudoers.erb deleted file mode 100644 index 44df8e5..0000000 --- a/templates/sudoers.erb +++ /dev/null @@ -1,15 +0,0 @@ -# file managed by puppet -Defaults env_keep=SSH_AUTH_SOCK -Defaults !authenticate -Defaults env_reset -<% if has_variable?("sudo_mailto") -%> -Defaults mailto=<%= sudo_mailto %> -<% end -%> -Defaults always_set_home -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" -root ALL=(ALL) ALL - -# This directive only works with version >= 1.7.2! -#includedir /etc/sudoers.d -## -# diff --git a/files/sudoers.freebsd b/templates/sudoers.freebsd.erb similarity index 94% rename from files/sudoers.freebsd rename to templates/sudoers.freebsd.erb index 437bd63..5b0b338 100644 --- a/files/sudoers.freebsd +++ b/templates/sudoers.freebsd.erb @@ -1,107 +1,110 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ## ## Defaults specification ## ## Uncomment if needed to preserve environmental variables related to the ## FreeBSD pkg utility and fetch. # Defaults env_keep += "PKG_CACHEDIR PKG_DBDIR FTP_PASSIVE_MODE" ## ## Additionally uncomment if needed to preserve environmental variables ## related to portupgrade # Defaults env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF" ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to use a hard-coded PATH instead of the user's to find commands -# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" ## ## Uncomment to send mail if the user does not enter the correct password. # Defaults mail_badpass ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /usr/local/etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /usr/local/etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.gentoo b/templates/sudoers.gentoo.erb similarity index 94% rename from files/sudoers.gentoo rename to templates/sudoers.gentoo.erb index 065fcbf..c51237f 100644 --- a/files/sudoers.gentoo +++ b/templates/sudoers.gentoo.erb @@ -1,93 +1,96 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.olddebian b/templates/sudoers.olddebian.erb similarity index 94% rename from files/sudoers.olddebian rename to templates/sudoers.olddebian.erb index 8703ebe..f104502 100644 --- a/files/sudoers.olddebian +++ b/templates/sudoers.olddebian.erb @@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.omnios b/templates/sudoers.omnios.erb similarity index 94% rename from files/sudoers.omnios rename to templates/sudoers.omnios.erb index c92a836..b356f56 100644 --- a/files/sudoers.omnios +++ b/templates/sudoers.omnios.erb @@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.openbsd b/templates/sudoers.openbsd.erb similarity index 90% rename from files/sudoers.openbsd rename to templates/sudoers.openbsd.erb index 5d93797..f0419d8 100644 --- a/files/sudoers.openbsd +++ b/templates/sudoers.openbsd.erb @@ -1,54 +1,57 @@ # file managed by puppet (unless config_file_replace=false) # # sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Failure to use 'visudo' may result in syntax or file permission errors # that prevent sudo from running. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification Defaults env_keep +="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK" # Non-exhaustive list of variables needed to build release(8) and ports(7) Defaults:%wsrc env_keep +="DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF" Defaults:%wsrc env_keep +="MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR" Defaults:%wsrc env_keep +="PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY" Defaults:%wsrc env_keep +="SUBPACKAGE WRKOBJDIR SUDO_PORT_V1" # Uncomment to preserve the default proxy host variable #Defaults env_keep +="ftp_proxy http_proxy" # Uncomment to disable the lecture the first time you run sudo #Defaults !lecture # Uncomment to preserve the environment for users in group wheel #Defaults:%wheel !env_reset # Runas alias specification # User privilege specification root ALL=(ALL) SETENV: ALL # Uncomment to allow people in group wheel to run all commands # and set environment variables. # %wheel ALL=(ALL) SETENV: ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: SETENV: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now -# pull in configurations in /etc/sudoers.d +# Read drop-in files # the # does not mark the line as a comment -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.rhel5 b/templates/sudoers.rhel5.erb similarity index 95% rename from files/sudoers.rhel5 rename to templates/sudoers.rhel5.erb index ebd8b3a..2d4209e 100644 --- a/files/sudoers.rhel5 +++ b/templates/sudoers.rhel5.erb @@ -1,95 +1,98 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhap using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking #Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software #Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services #Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database #Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage #Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions #Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes #Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers #Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR \ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ _XKB_CHARSET XAUTHORITY" ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.rhel6 b/templates/sudoers.rhel6.erb similarity index 95% rename from files/sudoers.rhel6 rename to templates/sudoers.rhel6.erb index f6e59db..b344f81 100644 --- a/files/sudoers.rhel6 +++ b/templates/sudoers.rhel6.erb @@ -1,110 +1,113 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d +## Read drop-in files +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.rhel7 b/templates/sudoers.rhel7.erb similarity index 89% rename from files/sudoers.rhel7 rename to templates/sudoers.rhel7.erb index a36afe3..8a90d6f 100644 --- a/files/sudoers.rhel7 +++ b/templates/sudoers.rhel7.erb @@ -1,113 +1,116 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands -# %wheel ALL=(ALL) ALL +%wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.smartos b/templates/sudoers.smartos.erb similarity index 94% rename from files/sudoers.smartos rename to templates/sudoers.smartos.erb index ad1d86d..02aaccb 100644 --- a/files/sudoers.smartos +++ b/templates/sudoers.smartos.erb @@ -1,84 +1,87 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /opt/local/etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /opt/local/etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.solaris b/templates/sudoers.solaris.erb similarity index 94% rename from files/sudoers.solaris rename to templates/sudoers.solaris.erb index b17f487..cf30558 100644 --- a/files/sudoers.solaris +++ b/templates/sudoers.solaris.erb @@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## #root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /opt/sfw/etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.suse b/templates/sudoers.suse.erb similarity index 92% rename from files/sudoers.suse rename to templates/sudoers.suse.erb index f932e68..661b36b 100644 --- a/files/sudoers.suse +++ b/templates/sudoers.suse.erb @@ -1,85 +1,88 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## Prevent environment variables from influencing programs in an ## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) Defaults always_set_home ## Path that will be used for every command run from sudo -Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" Defaults env_reset ## Change env_reset to !env_reset in previous line to keep all environment variables ## Following list will no longer be necessary after this change Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" ## Comment out the preceding line and uncomment the following one if you need ## to use special input methods. This may allow users to compromise the root ## account if they are allowed to run commands without authentication. #Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## Do not insult users when they enter an incorrect password. Defaults !insults ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## In the default (unconfigured) configuration, sudo asks for the root password. ## This allows use of an ordinary user account for administration of a freshly ## installed system. When configuring sudo, delete the two ## following lines: #Defaults targetpw # ask for the password of the target user i.e. root #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.ubuntu b/templates/sudoers.ubuntu.erb similarity index 79% rename from files/sudoers.ubuntu rename to templates/sudoers.ubuntu.erb index be370da..e271845 100644 --- a/files/sudoers.ubuntu +++ b/templates/sudoers.ubuntu.erb @@ -1,31 +1,34 @@ # file managed by puppet (unless config_file_replace=false) # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%>