diff --git a/.bundle/config b/.bundle/config
deleted file mode 100644
index d58b21d..0000000
--- a/.bundle/config
+++ /dev/null
@@ -1,4 +0,0 @@
----
-BUNDLE_WITHOUT: system_tests:development
-BUNDLE_PATH: vendor/bundle
-BUNDLE_DISABLE_SHARED_GEMS: true
diff --git a/.gitignore b/.gitignore
index 79a5f79..5caea85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,13 @@
-pkg/
-*.swp
-spec/fixtures/
-.vagrant/
-vendor/
-Gemfile.lock
+.*.sw?
+/pkg
+/spec/fixtures/manifests
+/spec/fixtures/modules
+/.rspec_system
+/.vagrant
+/.bundle
+/vendor
+/Gemfile.lock
+/junit
+/log
+.yardoc
+coverage
diff --git a/manifests/conf.pp b/manifests/conf.pp
index e22cf0e..89adde6 100644
--- a/manifests/conf.pp
+++ b/manifests/conf.pp
@@ -1,123 +1,123 @@ # Define: sudo::conf # # This module manages sudo configurations # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*priority*] # Prefix file name with $priority # Default: 10 # # [*content*] # Content of configuration snippet. # Default: undef # # [*source*] # Source of configuration snippet. # Default: undef # # [*sudo_config_dir*] # Where to place configuration snippets. # Only set this, if your platform is not supported or # you know, what you're doing. # Default: auto-set, platform specific # # Actions: # Installs sudo configuration snippets # # Requires: # Class sudo # # Sample Usage: # sudo::conf { 'admins': # source => 'puppet:///files/etc/sudoers.d/admins', # } # # [Remember: No empty lines between comments and class definition] define sudo::conf( $ensure = present, $priority = 10, $content = undef, $source = undef, $template = undef, $sudo_config_dir = undef, $sudo_file_name = undef ) { include ::sudo # Hack to allow the user to set the config_dir from the # sudo::config parameter, but default to $sudo::params::config_dir # if it is not provided. $sudo::params isn't included before # the parameters are loaded in. $sudo_config_dir_real = $sudo_config_dir ? { undef => $sudo::config_dir, $sudo_config_dir => $sudo_config_dir } # sudo skip file name that contain a "." 
$dname = regsubst($name, '\.', '-', 'G') if size("x${priority}") == 2 { $priority_real = "0${priority}" } else { $priority_real = $priority } # build current file name with path if $sudo_file_name != undef { - $cur_file = "${sudo_config_dir_real}${sudo_file_name}" + $cur_file = "${sudo_config_dir_real}/${sudo_file_name}" } else { - $cur_file = "${sudo_config_dir_real}${priority_real}_${dname}" + $cur_file = "${sudo_config_dir_real}/${priority_real}_${dname}" } # replace whitespace in file name $cur_file_real = regsubst($cur_file, '\s+', '_', 'G') Class['sudo'] -> Sudo::Conf[$name] if $::osfamily == 'RedHat' { if (versioncmp($::sudoversion, '1.7.2p1') < 0) { warning("Found sudo with version ${::sudoversion}, but at least version 1.7.2p1 is required!") } } if $content != undef { if is_array($content) { $lines = join($content, "\n") $content_real = "${lines}\n" } else { $content_real = "# This file is managed by Puppet; changes may be overwritten\n${content}\n" } } elsif $template != undef { $content_real = template($template) } else { $content_real = undef } if $ensure == 'present' { $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] } else { $notify_real = undef } file { "${priority_real}_${dname}": ensure => $ensure, path => $cur_file_real, owner => 'root', group => $sudo::params::config_file_group, mode => '0440', source => $source, content => $content_real, notify => $notify_real, } exec {"sudo-syntax-check for file ${cur_file}": command => "visudo -c -f '${cur_file_real}' || ( rm -f '${cur_file_real}' && exit 1)", refreshonly => true, path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'], } } diff --git a/manifests/init.pp b/manifests/init.pp index 3a83be8..d96a3d7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
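Review bot: The new `$cur_file = "${sudo_config_dir_real}/${sudo_file_name}"` line joins a caller-supplied name into the sudoers directory with no check on its content, so a `sudo_file_name` containing `/` places the root-owned 0440 file outside `$sudo_config_dir_real`, a `'` in it breaks the quoting of the `visudo -c -f '${cur_file_real}'` command further down, and unlike `$name` it skips the `.`→`-` substitution, so a dotted name is ignored by sudo's includedir (as the comment above `$dname` already notes). Add `if $sudo_file_name != undef { validate_re($sudo_file_name, '^[A-Za-z0-9_-]+$', 'sudo_file_name must be a plain file name') }` before the path is built. The hard-coded `/` also means a caller still passing `sudo_config_dir => '/etc/sudoers.d/'` (the old default form) now gets `//` in the path, which is harmless but deserves a comment on the `$sudo_config_dir_real` hack, e.g. `# config_dir is expected without a trailing slash (see sudo::params)`.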
@@ -1,189 +1,176 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # -# [*config_file_replace*] -# Replace configuration file with that one delivered with this module -# Default: true -# -# [*includedirsudoers*] -# Add #includedir /etc/sudoers.d to the end of sudoers, if not config_file_replace -# Default: true if RedHat 5.x -# # [*config_dir*] -# Main configuration directory -# Only set this, if your platform is not supported or you know, -# what you're doing. 
+# Main directory containing sudo snippets, imported via +# includedir stanza in sudoers file # Default: auto-set, platform specific # -# [*source*] -# Alternate source file location +# [*extra_include_dirs*] +# Array of additional directories containing sudo snippets +# Default: undef +# +# [*content*] +# Alternate content file location # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*ldap_enable*] # Enable ldap support on the package # Default: false # # Actions: # Installs sudo package and checks the state of sudoers file and # sudoers.d directory. # # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] class sudo( $enable = true, $package_default = $sudo::params::package, $package_ldap = $sudo::params::package_ldap, $package_ensure = $sudo::params::package_ensure, $package_source = $sudo::params::package_source, $package_admin_file = $sudo::params::package_admin_file, $purge = true, $purge_ignore = undef, $config_file = $sudo::params::config_file, $config_file_replace = true, - $includedirsudoers = $sudo::params::includedirsudoers, $config_dir = $sudo::params::config_dir, - $source = $sudo::params::source, + $extra_include_dirs = undef, + $content = $sudo::params::content, $ldap_enable = false, ) inherits sudo::params { validate_bool($enable) case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } validate_bool($ldap_enable) case $ldap_enable { true: { if $package_ldap == undef { fail('on your os ldap support for sudo is not yet supported') } $package = $package_ldap } false: { $package = $package_default } default: { fail('no $ldap_enable is set') } } class { '::sudo::package': package => $package, package_ensure => $package_ensure, package_source => $package_source, package_admin_file => 
$package_admin_file, ldap_enable => $ldap_enable, } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => '0440', replace => $config_file_replace, - source => $source, + content => template($content), require => Class['sudo::package'], } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => '0550', recurse => $purge, purge => $purge, ignore => $purge_ignore, require => Class['sudo::package'], } - if $config_file_replace == false and $includedirsudoers { - augeas { 'includedirsudoers': - changes => ['set /files/etc/sudoers/#includedir /etc/sudoers.d'], - incl => $config_file, - lens => 'Sudoers.lns', - } - } - # Load the Hiera based sudoer configuration (if enabled and present) # # NOTE: We must use 'include' here to avoid circular dependencies with # sudo::conf # # NOTE: There is no way to detect the existence of hiera. This automatic # functionality is therefore made exclusive to Puppet 3+ (hiera is embedded) # in order to preserve backwards compatibility. # # http://projects.puppetlabs.com/issues/12345 # if (versioncmp($::puppetversion, '3') != -1) { include '::sudo::configs' } - anchor { 'sudo::begin': } -> - Class['sudo::package'] -> - anchor { 'sudo::end': } + anchor { 'sudo::begin': } + -> Class['sudo::package'] + -> anchor { 'sudo::end': } } diff --git a/manifests/params.pp b/manifests/params.pp index 709f98c..3404389 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
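Review bot: `$extra_include_dirs = undef` is accepted without a type check, and the templates call `.each` on it, so a scalar value (an easy Hiera mistake) fails inside ERB rendering rather than with a clear message; add `if $extra_include_dirs != undef { validate_array($extra_include_dirs) }` next to the existing `validate_bool` calls. Unlike `$config_dir`, which gets a root-owned mode 0550 `file` resource below, the extra directories are only written into `#includedir` lines and are never managed, so the `[*extra_include_dirs*]` doc should state that each one becomes another source of sudo policy and must already exist, root-owned and not writable by others. Dropping the `includedirsudoers` augeas block while switching to `content => template($content)` with `replace => $config_file_replace` means a node set to `config_file_replace => false` keeps its existing sudoers untouched, so the `#includedir` line the templates now render never reaches it and `sudo::conf` snippets are silently ignored; if that is intended, the removed `[*config_file_replace*]` doc should be restored and say so. The wording `Alternate content file location` for `[*content*]` is misleading — it is a template path passed to `template()`, e.g. `# Template (module-relative path) rendered into $config_file`.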
@@ -1,225 +1,210 @@ #class sudo::params #Set the paramters for the sudo module class sudo::params { - $source_base = "puppet:///modules/${module_name}/" + $content_base = "${module_name}/" case $::osfamily { 'Debian': { case $::operatingsystem { 'Ubuntu': { - $source = "${source_base}sudoers.ubuntu" + $content = "${content_base}sudoers.ubuntu.erb" } default: { if (versioncmp($::operatingsystemmajrelease, '7') >= 0) or ($::operatingsystemmajrelease =~ /\/sid/) or ($::operatingsystemmajrelease =~ /Kali/) { - $source = "${source_base}sudoers.debian" + $content = "${content_base}sudoers.debian.erb" } else { - $source = "${source_base}sudoers.olddebian" + $content = "${content_base}sudoers.olddebian.erb" } } } $package = 'sudo' $package_ldap = 'sudo-ldap' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' + $config_dir = '/etc/sudoers.d' $config_file_group = 'root' } 'RedHat': { $package = 'sudo' # in redhat sudo package is already compiled for ldap support $package_ldap = $package # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $::operatingsystemrelease ? { /^5.[01234]/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = $::operatingsystemmajrelease ? { - '5' => true, - default => false, - } - $config_dir = '/etc/sudoers.d/' - $source = $::operatingsystemrelease ? { - /^5/ => "${source_base}sudoers.rhel5", - /^6/ => "${source_base}sudoers.rhel6", - /^7/ => "${source_base}sudoers.rhel7", - default => "${source_base}sudoers.rhel6", + $config_dir = '/etc/sudoers.d' + $content = $::operatingsystemrelease ? 
{ + /^5/ => "${content_base}sudoers.rhel5.erb", + /^6/ => "${content_base}sudoers.rhel6.erb", + /^7/ => "${content_base}sudoers.rhel7.erb", + default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' } 'Suse': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.suse" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.suse.erb" $config_file_group = 'root' } 'Solaris': { case $::operatingsystem { 'OmniOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.omnios" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.omnios.erb" $config_file_group = 'root' } 'SmartOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/opt/local/etc/sudoers' - $config_dir = '/opt/local/etc/sudoers.d/' - $source = "${source_base}sudoers.smartos" + $config_dir = '/opt/local/etc/sudoers.d' + $content = "${content_base}sudoers.smartos.erb" $config_file_group = 'root' } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.solaris" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' } '5.10': { $package = 'TCMsudo' $package_ldap = undef $package_ensure = 'present' $package_source = 
"http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.solaris" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}") } } } } } 'FreeBSD': { $package = 'security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' - $includedirsudoers = false - $config_dir = '/usr/local/etc/sudoers.d/' - $source = "${source_base}sudoers.freebsd" + $config_dir = '/usr/local/etc/sudoers.d' + $content = "${content_base}sudoers.freebsd.erb" $config_file_group = 'wheel' } 'OpenBSD': { if (versioncmp($::kernelversion, '5.8') < 0) { $package = undef } else { $package = 'sudo' } $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.openbsd" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.openbsd.erb" $config_file_group = 'wheel' } 'AIX': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.aix" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.aix.erb" $config_file_group = 'system' } 'Darwin': { $package = undef $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' - $config_dir = '/etc/sudoers.d/' 
- $source = "${source_base}sudoers.darwin" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.darwin.erb" $config_file_group = 'wheel' } default: { case $::operatingsystem { 'Gentoo': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.gentoo" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.gentoo.erb" $config_file_group = 'root' } 'Archlinux': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = "${source_base}sudoers.archlinux" + $config_dir = '/etc/sudoers.d' + $content = "${content_base}sudoers.archlinux.erb" $config_file_group = 'root' } 'Amazon': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' - $includedirsudoers = false - $config_dir = '/etc/sudoers.d/' - $source = $::operatingsystemrelease ? { - /^5/ => "${source_base}sudoers.rhel5", - /^6/ => "${source_base}sudoers.rhel6", - default => "${source_base}sudoers.rhel6", + $config_dir = '/etc/sudoers.d' + $content = $::operatingsystemrelease ? { + /^5/ => "${content_base}sudoers.rhel5.erb", + /^6/ => "${content_base}sudoers.rhel6.erb", + default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } $package_source = '' $package_admin_file = '' } } } diff --git a/files/sudoers.omnios b/templates/sudoers.aix.erb similarity index 94% rename from files/sudoers.omnios rename to templates/sudoers.aix.erb index c92a836..b356f56 100644 --- a/files/sudoers.omnios +++ b/templates/sudoers.aix.erb 
@@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. 
Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.archlinux b/templates/sudoers.archlinux.erb similarity index 94% rename from files/sudoers.archlinux rename to templates/sudoers.archlinux.erb index b61353e..3e1aa8a 100644 --- a/files/sudoers.archlinux +++ b/templates/sudoers.archlinux.erb 
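Review bot: `<% @extra_include_dirs.each do |include_dir| -%>` closed by `<% end if @extra_include_dirs -%>` hangs a statement modifier on a multi-line `do … end` block, which reads as if only the `end` were conditional and trips readers who expect the guard at the top; `<% Array(@extra_include_dirs).each do |include_dir| -%>` with a plain `<% end -%>` renders the same lines, covers nil (which the existing guard already assumes undef arrives as) and also tolerates a single string instead of an array. The same construct is repeated in the archlinux, darwin, debian, freebsd and gentoo templates further down. Since every rendered `#includedir` line adds a directory whose contents sudo will treat as policy, a template comment such as `<%# extra_include_dirs: additional policy directories; should be root-owned and not writable by others -%>` above the loop would help whoever edits this later.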
@@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. 
Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command #%wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.darwin b/templates/sudoers.darwin.erb similarity index 90% rename from files/sudoers.darwin rename to templates/sudoers.darwin.erb index 3d7c7c5..79109d6 100644 --- a/files/sudoers.darwin +++ b/templates/sudoers.darwin.erb 
@@ -1,48 +1,51 @@ # file managed by puppet (unless config_file_replace=false) # # sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Failure to use 'visudo' may result in syntax or file permission errors # that prevent sudo from running. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification Defaults env_reset Defaults env_keep += "BLOCKSIZE" Defaults env_keep += "COLORFGBG COLORTERM" Defaults env_keep += "__CF_USER_TEXT_ENCODING" Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" Defaults env_keep += "LINES COLUMNS" Defaults env_keep += "LSCOLORS" Defaults env_keep += "SSH_AUTH_SOCK" Defaults env_keep += "TZ" Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" Defaults env_keep += "EDITOR VISUAL" Defaults env_keep += "HOME MAIL" # Runas alias specification # User privilege specification root ALL=(ALL) ALL %admin ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.debian b/templates/sudoers.debian.erb similarity index 72% rename from files/sudoers.debian rename to templates/sudoers.debian.erb index 9f84ee5..8d0f9b0 100644 --- a/files/sudoers.debian +++ b/templates/sudoers.debian.erb 
@@ -1,15 +1,18 @@ # file managed by puppet (unless config_file_replace=false) # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/templates/sudoers.erb b/templates/sudoers.erb deleted file mode 100644 index 44df8e5..0000000 --- a/templates/sudoers.erb +++ /dev/null @@ -1,15 +0,0 @@ -# file managed by puppet -Defaults env_keep=SSH_AUTH_SOCK -Defaults !authenticate -Defaults env_reset -<% if has_variable?("sudo_mailto") -%> -Defaults mailto=<%= sudo_mailto %> -<% end -%> -Defaults always_set_home -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin" -root ALL=(ALL) ALL - -# This directive only works with version >= 1.7.2! -#includedir /etc/sudoers.d -## -# diff --git a/files/sudoers.freebsd b/templates/sudoers.freebsd.erb similarity index 95% rename from files/sudoers.freebsd rename to templates/sudoers.freebsd.erb index 437bd63..d2fffcf 100644 --- a/files/sudoers.freebsd +++ b/templates/sudoers.freebsd.erb 
@@ -1,107 +1,110 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ## ## Defaults specification ## ## Uncomment if needed to preserve environmental variables related to the ## FreeBSD pkg utility and fetch. # Defaults env_keep += "PKG_CACHEDIR PKG_DBDIR FTP_PASSIVE_MODE" ## ## Additionally uncomment if needed to preserve environmental variables ## related to portupgrade # Defaults env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF" ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! 
# Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to use a hard-coded PATH instead of the user's to find commands # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ## ## Uncomment to send mail if the user does not enter the correct password. # Defaults mail_badpass ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). 
# Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /usr/local/etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /usr/local/etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.gentoo b/templates/sudoers.gentoo.erb similarity index 94% rename from files/sudoers.gentoo rename to templates/sudoers.gentoo.erb index 065fcbf..c51237f 100644 --- a/files/sudoers.gentoo +++ b/templates/sudoers.gentoo.erb 
@@ -1,93 +1,96 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. 
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.olddebian b/templates/sudoers.olddebian.erb similarity index 94% rename from files/sudoers.olddebian rename to templates/sudoers.olddebian.erb index 8703ebe..f104502 100644 --- a/files/sudoers.olddebian +++ b/templates/sudoers.olddebian.erb 
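Review bot: The new `#includedir <%= include_dir %>` lines write each element of `@extra_include_dirs` into the root privilege policy with no validation or quoting, so the manifest that supplies this parameter (not part of this diff) needs to check every element is an absolute path before the template runs; a value containing whitespace or a line break would otherwise land in the rendered sudoers verbatim as a further directive. Separately, `<% @extra_include_dirs.each do |include_dir| -%>` … `<% end if @extra_include_dirs -%>` only guards against nil: a single string value raises NoMethodError on `each` at catalog compile, and if the running Puppet version hands an unset parameter to the template as `:undef` the guard does not apply at all. `<% Array(@extra_include_dirs).each do |include_dir| -%>` with a plain `<% end -%>` reads more directly and covers the nil and single-string cases. The same block is added unchanged to the olddebian, omnios, openbsd, rhel5, rhel6, rhel7, smartos, solaris, suse and ubuntu templates below.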
@@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. 
Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.aix b/templates/sudoers.omnios.erb similarity index 94% rename from files/sudoers.aix rename to templates/sudoers.omnios.erb index c92a836..b356f56 100644 --- a/files/sudoers.aix +++ b/templates/sudoers.omnios.erb 
@@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. 
Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.openbsd b/templates/sudoers.openbsd.erb similarity index 90% rename from files/sudoers.openbsd rename to templates/sudoers.openbsd.erb index 5d93797..f0419d8 100644 --- a/files/sudoers.openbsd +++ b/templates/sudoers.openbsd.erb 
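Review bot: The AIX sudoers source disappears in this section (the file is renamed to `templates/sudoers.omnios.erb` rather than copied), so any params or config entry that still selects a `sudoers.aix` source would now fail at catalog compile. That manifest is not in this diff, so confirm it was updated, or that AIX support is intentionally dropped. The OmniOS template otherwise inherits the AIX content unchanged apart from the include block.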
@@ -1,54 +1,57 @@ # file managed by puppet (unless config_file_replace=false) # # sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Failure to use 'visudo' may result in syntax or file permission errors # that prevent sudo from running. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification Defaults env_keep +="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK" # Non-exhaustive list of variables needed to build release(8) and ports(7) Defaults:%wsrc env_keep +="DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF" Defaults:%wsrc env_keep +="MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR" Defaults:%wsrc env_keep +="PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY" Defaults:%wsrc env_keep +="SUBPACKAGE WRKOBJDIR SUDO_PORT_V1" # Uncomment to preserve the default proxy host variable #Defaults env_keep +="ftp_proxy http_proxy" # Uncomment to disable the lecture the first time you run sudo #Defaults !lecture # Uncomment to preserve the environment for users in group wheel #Defaults:%wheel !env_reset # Runas alias specification # User privilege specification root ALL=(ALL) SETENV: ALL # Uncomment to allow people in group wheel to run all commands # and set environment variables. # %wheel ALL=(ALL) SETENV: ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: SETENV: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now -# pull in configurations in /etc/sudoers.d +# Read drop-in files # the # does not mark the line as a comment -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> 
diff --git a/files/sudoers.rhel5 b/templates/sudoers.rhel5.erb
similarity index 95%
rename from files/sudoers.rhel5
rename to templates/sudoers.rhel5.erb
index ebd8b3a..2d4209e 100644
--- a/files/sudoers.rhel5
+++ b/templates/sudoers.rhel5.erb
@@ -1,95 +1,98 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhap using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking #Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software #Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services #Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database #Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage #Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions #Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes #Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers #Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. 
# Defaults !visiblepw Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR \ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ _XKB_CHARSET XAUTHORITY" ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.rhel6 b/templates/sudoers.rhel6.erb similarity index 95% rename from files/sudoers.rhel6 rename to templates/sudoers.rhel6.erb index f6e59db..b344f81 100644 --- a/files/sudoers.rhel6 +++ b/templates/sudoers.rhel6.erb 
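Review bot: The rhel5 template's new include block at the end of the hunk carries no explanatory comment, while the other templates in this commit have `## Read drop-in files` and, in most of them, `## (the '#' here does not indicate a comment)`. Adding those two comment lines above `#includedir <%= @config_dir %>` keeps the rendered file self-explaining, since a `#includedir` line is easily mistaken for a comment by anyone auditing sudoers by hand. The directives themselves match the other templates.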
@@ -1,110 +1,113 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. 
# Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d +## Read drop-in files +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> 
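Review bot: The replacement comment `## Read drop-in files` drops the parenthetical `(the # here does not mean a comment)` that the removed line carried, and that parenthetical is the only hint a reader of the rendered sudoers gets that `#includedir` is a directive rather than a comment. Keep it, e.g. `## Read drop-in files (the # here does not mean a comment)`, as the other templates in this commit do. The same comment is shortened the same way in the rhel7 template below.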
diff --git a/files/sudoers.rhel7 b/templates/sudoers.rhel7.erb
similarity index 95%
rename from files/sudoers.rhel7
rename to templates/sudoers.rhel7.erb
index a36afe3..82742ea 100644
--- a/files/sudoers.rhel7
+++ b/templates/sudoers.rhel7.erb
@@ -1,113 +1,116 @@ # file managed by puppet (unless config_file_replace=false) # ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # Refuse to run if unable to disable echo on the tty. This setting should also be # changed in order to be able to use sudo without a tty. See requiretty above. 
# Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. 
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d +## Read drop-in files +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.smartos b/templates/sudoers.smartos.erb similarity index 94% rename from files/sudoers.smartos rename to templates/sudoers.smartos.erb index ad1d86d..02aaccb 100644 --- a/files/sudoers.smartos +++ b/templates/sudoers.smartos.erb 
@@ -1,84 +1,87 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. 
# Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /opt/local/etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /opt/local/etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.solaris b/templates/sudoers.solaris.erb similarity index 94% rename from files/sudoers.solaris rename to templates/sudoers.solaris.erb index b17f487..cf30558 100644 --- a/files/sudoers.solaris +++ b/templates/sudoers.solaris.erb 
@@ -1,92 +1,95 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. 
Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## ## Runas alias specification ## ## ## User privilege specification ## #root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' -## Read drop-in files from /opt/sfw/etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.suse b/templates/sudoers.suse.erb similarity index 94% rename from files/sudoers.suse rename to templates/sudoers.suse.erb index f932e68..ef1c108 100644 --- a/files/sudoers.suse +++ b/templates/sudoers.suse.erb 
@@ -1,85 +1,88 @@ # file managed by puppet (unless config_file_replace=false) # ## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top ## ## Defaults specification ## ## Prevent environment variables from influencing programs in an ## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) Defaults always_set_home ## Path that will be used for every command run from sudo Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" Defaults env_reset ## Change env_reset to !env_reset in previous line to keep all environment variables ## Following list will no longer be necessary after this change Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" ## Comment out the preceding line and uncomment the following one if you need ## to use special input methods. This may allow users to compromise the root ## account if they are allowed to run commands without authentication. 
#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## Do not insult users when they enter an incorrect password. Defaults !insults ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output ## In the default (unconfigured) configuration, sudo asks for the root password. ## This allows use of an ordinary user account for administration of a freshly ## installed system. When configuring sudo, delete the two ## following lines: #Defaults targetpw # ask for the password of the target user i.e. root #ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL) ALL ## Uncomment to allow members of group wheel to execute any command # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL -## Read drop-in files from /etc/sudoers.d +## Read drop-in files ## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/files/sudoers.ubuntu b/templates/sudoers.ubuntu.erb similarity index 84% rename from files/sudoers.ubuntu rename to templates/sudoers.ubuntu.erb index be370da..ed5f936 100644 --- a/files/sudoers.ubuntu +++ b/templates/sudoers.ubuntu.erb 
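Review bot: The new `<% @extra_include_dirs.each do |include_dir| -%>` loop only guards against a false value, so a single string passed instead of an array raises on `.each` (Ruby 1.9+), and if the Puppet runtime hands an undef parameter to the template as something other than nil (some versions pass `:undef`), the `if @extra_include_dirs` modifier is true and the render fails; `<% Array(@extra_include_dirs).each do |include_dir| -%>` with a plain `<% end -%>` covers nil, a scalar and an array alike. The same loop appears in the sudoers.ubuntu hunk and in the hunk that ends at the top of this page. Each directory emitted here becomes an additional source of root policy, and a value that is empty or contains whitespace produces a malformed `#includedir` line in the main sudoers file, which sudo treats as a fatal parse error; the file resource that writes this template (outside this diff) should validate the result with `visudo -c -f` before installing it, and the parameter should be documented as a list of absolute, root-owned directories.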
@@ -1,31 +1,34 @@ # file managed by puppet (unless config_file_replace=false) # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: -#includedir /etc/sudoers.d +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%>
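Review bot: The context line `# Please consider adding local content in /etc/sudoers.d/ instead of` still hard-codes the directory that the new `#includedir <%= @config_dir %>` line now takes from the module, so the advice in the header goes stale as soon as config_dir is overridden; `# Please consider adding local content in <%= @config_dir %>/ instead of` keeps the comment in step with the directive. The same fixed path survives in the `# See sudoers(5) for more information on "#include" directives:` paragraph only as prose, which is fine.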
