diff --git a/files/sudoers.gentoo b/files/sudoers.gentoo new file mode 100644 index 0000000..69ed835 --- /dev/null +++ b/files/sudoers.gentoo @@ -0,0 +1,91 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +## (the '#' here does not indicate a comment) +#includedir /etc/sudoers.d diff --git a/files/sudoers.rhel6 b/files/sudoers.rhel6 index d4a9258..2c50e76 100644 --- a/files/sudoers.rhel6 +++ b/files/sudoers.rhel6 @@ -1,108 +1,108 @@ ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin +Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d diff --git a/files/sudoers.rhel7 b/files/sudoers.rhel7 index 95ea6a5..4db1da5 100644 --- a/files/sudoers.rhel7 +++ b/files/sudoers.rhel7 @@ -1,111 +1,111 @@ ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin +Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d diff --git a/files/sudoers.suse b/files/sudoers.suse index 420bea7..54459fb 100644 --- a/files/sudoers.suse +++ b/files/sudoers.suse @@ -1,81 +1,83 @@ ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## Prevent environment variables from influencing programs in an ## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) Defaults always_set_home +## Path that will be used for every command run from sudo +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" Defaults env_reset ## Change env_reset to !env_reset in previous line to keep all environment variables ## Following list will no longer be necessary after this change Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" ## Comment out the preceding line and uncomment the following one if you need ## to use special input methods. This may allow users to compromise the root ## account if they are allowed to run commands without authentication. #Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## Do not insult users when they enter an incorrect password. Defaults !insults ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## In the default (unconfigured) configuration, sudo asks for the root password. ## This allows use of an ordinary user account for administration of a freshly ## installed system. When configuring sudo, delete the two ## following lines: #Defaults targetpw # ask for the password of the target user i.e. root #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Read drop-in files from /etc/sudoers.d ## (the '#' here does not indicate a comment) #includedir /etc/sudoers.d diff --git a/manifests/init.pp b/manifests/init.pp index a836de6..e1fc9af 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,161 +1,162 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*config_file_replace*] # Replace configuration file with that one delivered with this module # Default: true # # [*config_dir*] # Main configuration directory # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*source*] # Alternate source file location # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # Actions: -# Installs sudo package and checks the state of sudoers file and sudoers.d directory. +# Installs sudo package and checks the state of sudoers file and +# sudoers.d directory. # # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] class sudo( $enable = true, $package = $sudo::params::package, $package_ensure = $sudo::params::package_ensure, $package_source = $sudo::params::package_source, $package_admin_file = $sudo::params::package_admin_file, $purge = true, $purge_ignore = undef, $config_file = $sudo::params::config_file, $config_file_replace = true, $config_dir = $sudo::params::config_dir, $source = $sudo::params::source ) inherits sudo::params { validate_bool($enable) case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } class { 'sudo::package': package => $package, package_ensure => $package_ensure, package_source => $package_source, package_admin_file => $package_admin_file, } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => '0440', replace => $config_file_replace, source => $source, require => Package[$package], } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => '0550', recurse => $purge, purge => $purge, ignore => $purge_ignore, require => Package[$package], } if $config_file_replace == false and $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '5' { augeas { 'includedirsudoers': changes => ['set /files/etc/sudoers/#includedir /etc/sudoers.d'], incl => $config_file, lens => 'FixedSudoers.lns', } } # Load the Hiera based sudoer configuration (if enabled and present) # # NOTE: We must use 'include' here to avoid circular dependencies with # sudo::conf # # NOTE: There is no way to detect the existence of hiera. This automatic # functionality is therefore made exclusive to Puppet 3+ (hiera is embedded) # in order to preserve backwards compatibility. # # http://projects.puppetlabs.com/issues/12345 # if (versioncmp($::puppetversion, '3') != -1) { include 'sudo::configs' } anchor { 'sudo::begin': } -> Class['sudo::package'] -> anchor { 'sudo::end': } } diff --git a/manifests/params.pp b/manifests/params.pp index e120990..ba0295f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,169 +1,169 @@ #class sudo::params #Set the paramters for the sudo module class sudo::params { $source_base = "puppet:///modules/${module_name}/" case $::osfamily { debian: { case $::operatingsystem { 'Ubuntu': { $source = "${source_base}sudoers.ubuntu" } default: { if (0 + $::operatingsystemmajrelease >= 7) { $source = "${source_base}sudoers.debian" } else { $source = "${source_base}sudoers.olddebian" } } } $package = 'sudo' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $config_file_group = 'root' } redhat: { $package = 'sudo' # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $::operatingsystemrelease ? { /^5.[01234]/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = $::operatingsystemrelease ? { /^5/ => "${source_base}sudoers.rhel5", /^6/ => "${source_base}sudoers.rhel6", /^7/ => "${source_base}sudoers.rhel7", default => "${source_base}sudoers.rhel6", } $config_file_group = 'root' } suse: { $package = 'sudo' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.suse" $config_file_group = 'root' } solaris: { case $::operatingsystem { 'OmniOS': { $package = 'sudo' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.omnios" $config_file_group = 'root' } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.solaris" $config_file_group = 'root' } '5.10': { $package = 'TCMsudo' $package_ensure = 'present' $package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.solaris" $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}") } } } } } freebsd: { $package = 'security/sudo' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' $config_dir = '/usr/local/etc/sudoers.d/' $source = "${source_base}sudoers.freebsd" $config_file_group = 'wheel' } openbsd: { $package = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.openbsd" $config_file_group = 'wheel' } aix: { $package = 'sudo' $package_ensure = 'present' $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.aix" $config_file_group = 'system' } default: { case $::operatingsystem { gentoo: { $package = 'sudo' $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.deb" + $source = "${source_base}sudoers.gentoo" $config_file_group = 'root' } archlinux: { $package = 'sudo' $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = "${source_base}sudoers.archlinux" $config_file_group = 'root' } amazon: { $package = 'sudo' $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d/' $source = $::operatingsystemrelease ? { /^5/ => "${source_base}sudoers.rhel5", /^6/ => "${source_base}sudoers.rhel6", default => "${source_base}sudoers.rhel6", } $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } $package_source = '' $package_admin_file = '' } } }