Version information
This version is compatible with:
- Puppet Enterprise 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.0
- Gentoo, CentOS, RedHat, Debian, Archlinux, FreeBSD
Start using this module
Add this module to your Puppetfile:
mod 'chrekh-sudo', '0.1.3'
sudo
Puppet module for configuring sudo. Not yet ready for production! There is still an important decision to make about the default sudoers config.
Table of Contents
- Description
- Todo
- Usage - Configuration options and additional functionality
- Example - Hiera example of sudo configuration
Description
Installs and configures sudo.
This module can configure most features described in sudoers(5), both in the master sudoers file and in separate files located in an includedir (/etc/sudoers.d). My motivation for creating this module, even though several sudo modules are already available, is to be able to generate all possible sudoers(5) content using structured data merged from possibly several hiera levels.
Note that there is no verification of the resulting sudoers files, so it's very possible to generate sudoers content that breaks sudo.
Todo
I have still not decided if it's a good idea to provide os-dependent default configuration for the primary sudoers file. I need to make a definitive decision before releasing 1.0
If you test this module, please tell me your opinion about this, either by mail to che@chrekh.se or using the issues url.
Usage
class { 'sudo': }
The main feature is a single hash passed to the sudo class as the parameter conf. It can be specified either as a class parameter or in hieradata.
The keys in $sudo::conf are the files to write configuration to. The special key '_sudoers' is used for the main sudo configuration file $sudo::sudoers (normally '/etc/sudoers'); other keys specify files to create under $sudo::includedir (normally /etc/sudoers.d).
The value for $sudo::conf[file] is a hash that can contain the following keys:
- mode, File permission mode for the file, default $sudo::defaultmode
- defaults, Defaults specifications as described by sudoers(5)
- user_alias, A hash with arrays of users.
- runas_alias, A hash with arrays of target users.
- host_alias, A hash with arrays of hosts.
- cmnd_alias, A hash with arrays of commands.
- user_specs, An array of hashes, one per user spec, each with
  - users: Array of users
  - runas: Hash of target user & group
  - options: Array of options
  - commands: Array of commands
Note about default value for sudo::conf[_sudoers]
My objective is to provide an os-dependent value for the generated sudoers that is similar to the default sudoers on that os. This might make it difficult to generate the wanted content, so I might remove the os-dependent defaults in later releases. Let me know your opinion on this.
For example, the default on os[family] RedHat is to have "Defaults always_set_home"; if that is not desirable you can choose to negate it by adding !always_set_home.
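As an added example (not from the module's README), the class declaration below uses the conf hash described above to write one drop-in file under $sudo::includedir that grants the backup group only the commands in a cmnd_alias, leaving the default _sudoers content untouched. The file name, alias names, command paths and the 'NOPASSWD:' option spelling are assumptions for illustration; since the module does not validate its output (see the note in Description), check the generated file with `visudo -c` before relying on it.

```puppet
# Added example, not part of the chrekh-sudo module itself.
# Assumed: a drop-in named 'backup-operators', the aliases BACKUP_OPS/BACKUP,
# and that sudoers tag specs such as NOPASSWD: are passed verbatim via 'options'.
class { 'sudo':
  # Remove unmanaged drop-ins so grants that are no longer in the conf hash do not linger.
  purge_includedir => true,
  conf             => {
    'backup-operators' => {
      # Same mode as $sudo::defaultmode; shown explicitly for clarity.
      'mode'       => '440',
      # Limit the grant to a fixed list of absolute command paths.
      'cmnd_alias' => {
        'BACKUP' => [
          '/usr/bin/rsync',
          '/usr/bin/restic',
        ],
      },
      # Members of the local 'backup' group, expressed as a sudoers group name.
      'user_alias' => {
        'BACKUP_OPS' => ['%backup'],
      },
      'user_specs' => [
        {
          'users'    => ['BACKUP_OPS'],
          'options'  => ['NOPASSWD:'],
          'commands' => ['BACKUP'],
        },
      ],
    },
  },
}
```

The resulting /etc/sudoers.d/backup-operators only needs to be readable by sudo itself, which is why the 440 mode is kept rather than loosened.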
Hiera example
---
lookup_options:
  sudo::conf:
    merge:
      strategy: deep
sudo::conf:
  _sudoers:
    defaults:
      - Defaults:
        - insults
        - '!always_set_home'
This will result in /etc/sudoers on os[family] RedHat containing
## Managed by puppet class sudo
## Do not edit
# Override built-in defaults
Defaults !visiblepw, always_set_home
Defaults match_group_by_gid, always_query_group_plugin
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Defaults insults, !always_set_home
# User specification
root ALL = (ALL:ALL) ALL
%wheel ALL = (ALL:ALL) ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
... and /usr/local/etc/sudoers on os[family] FreeBSD with
## Managed by puppet class sudo
## Do not edit
# Override built-in defaults
Defaults insults, !always_set_home
# User specification
root ALL = (ALL) ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /usr/local/etc/sudoers.d
There is also a quite large example in HIERA_EXAMPLE.md, based on the examples in sudoers(5), which results in /etc/sudoers.d/example with the content shown in EXAMPLE.md.
Reference
Table of Contents
Classes
Public Classes
sudo
: Installs and configures sudo
Private Classes
sudo::config
: Configures sudo
sudo::install
: Installs sudo
Classes
sudo
Installs and configures sudo
Examples
include sudo
Parameters
The following parameters are available in the sudo class:
install_package
package_name
package_ensure
package_provider
sudoers
manage_sudoers
includedir
purge_includedir
includedir_mode
defaultmode
owner
group
use_includedir
conf
install_package
Data type: Boolean
Determines if package for sudo should be installed.
Default value: true
package_name
Data type: String[1]
The name of the package to install.
Default value: 'sudo'
package_ensure
Data type: String[1]
What value for 'ensure' to pass to resource type package.
Default value: 'present'
package_provider
Data type: Optional[String]
Override the default package provider.
Default value: undef
sudoers
Data type: Stdlib::Unixpath
The main configuration file for the sudoers plugin. Default is /usr/local/etc/sudoers on FreeBSD, and /etc/sudoers on all other osfamilies.
Default value: '/etc/sudoers'
manage_sudoers
Data type: Boolean
Manage the primary sudoers file if true.
Default value: true
includedir
Data type: Stdlib::Unixpath
The dropin directory for additional config files. Default is /usr/local/etc/sudoers.d on FreeBSD, and /etc/sudoers.d on all other osfamilies.
Default value: '/etc/sudoers.d'
purge_includedir
Data type: Boolean
Purge any files in $includedir not explicitly managed by this class.
Default value: false
includedir_mode
Data type: Stdlib::Filemode
The filemode for the includedir
Default value: '750'
defaultmode
Data type: Stdlib::Filemode
The mode for created files.
Default value: '440'
owner
Data type: String[1]
The owner for sudo configfiles.
Default value: 'root'
group
Data type: String[1]
The group for sudo configfiles.
Default value: 'root'
use_includedir
Data type: Boolean
Add entry for includedir to main sudoer file if true.
Default value: true
conf
Data type: Hash[String,Hash[String,Optional[Any]]]
This is the most important control structure for configuring sudo. It is a hash whose first-level key is the destination file (under $includedir), or the special value "_sudoers" for the content of the master sudoers file. There is a default content for this that differs for some os-families.
Default value: undef
0.1.3
Apr 3 2022
- Update README with request for feedback about default sudoers conf.
- Add some extra spectest for FreeBSD.
- Support for older puppet (5.5)
0.1.2
Mar 27 2022
- Add default sudoers config for Debian and Archlinux
- Improve documentation.
0.1.1
Mar 13 2022
- Add parameters purge_includedir, manage_sudoers
- Add default sudoers config for RedHat FreeBSD and Gentoo
Dependencies
- puppetlabs/stdlib (>= 5.0.0 < 9.0.0)