Version information
This version is compatible with:
- Puppet Enterprise 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.0
- Gentoo, CentOS, RedHat, Debian, Archlinux, FreeBSD
Start using this module
Add this module to your Puppetfile:
mod 'chrekh-sudo', '1.0.1'Learn more about managing modules with a PuppetfileDocumentation
sudo
Puppet module for configuring sudo.
Table of Contents
- Description
- Usage - Configuration options and additional functionality
- Example - Hiera example of sudo configuration
Description
Installs and configures sudo.
This modules can configure most features described in sudoers(5), both in the master sudoers file, and in separate files located in a includedir (/etc/sudoers.d). My motivation for creating this module even when there is several modules for sudo available already, is to be able to to generate all possible sudoers(5) content, using structured data merged from possibly several hiera levels.
Note that even if the individual files created are validated using $sudo::validate_cmd there is no guarantee that the resulting sudo configuration doesn't contain syntax errors that breaks sudo.
Usage
class { 'sudo': }
The main feature is located in a single hash provided to sudo as parameter conf. This is possible to specify either as class-parameter or hieradata.
The keys in $sudo::conf is what file to write configurations to, the special key '_sudoers' is used for the main sudo configuration file $sudo::sudoers (normally '/etc/sudoers'), other keys specifies files to create under $sudo::includedir (normally /etc/sudoers.d)
The value for $sudo::conf[file] can be one of:
- mode, File permission mode for the file, default $sudo::defaultmode
- defaults, Defaults specifications as described by sudoers(5)
- user_alias, A hash whith array of users.
- runas_alias, A hash with array of target users.
- host_alias, A hash with array of hosts.
- cmnd_alias, A hash with array of commands.
- user_specs, A array of hashes with user specs with
- users: Array of users
- runas: Hash of target user & group
- options: Array of options
- commands: Array of commands
Note about default value for sudo::conf[_sudoers]
The default value for sudo::conf[_sudoers] only contains the rule to allow root to run sudo. Which means that unless you provide configuration for sudo::conf[_sudoers] the main sudoers file will be cleared (except for root and the include directive if sudo::use_includedir is true) wiping whatever your OS/Distribution have provided.
My arguments against providing a distribution-specific defaults is:
-
It's easier to maintain a consistent sudoers configuration in a environment consistiong of multiple distributions.
-
By not having any settings in main sudoers file the defaults are determined by the installed sudo package, and is well documented in sudoers(5).
-
Future changes made by distributions would not be included unless I regularly adapted them here also.
Hiera example
---
lookup_options:
sudo::conf:
merge:
strategy: deep
sudo::conf:
_sudoers:
defaults:
- Defaults:
- insults
- '!always_set_home'
This will result in sudoers file containing.
## Managed by puppet class sudo
## Do not edit
# Override built-in defaults
Defaults insults, !always_set_home
# User specification
root ALL = (ALL:ALL) ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
There is also a quite large example in HIERA_EXAMPLE.md based on the examples in sudoers(5), which will results in /etc/sudoers.d/example with content EXAMPLE.md
Reference
Table of Contents
Classes
Public Classes
sudo: Installs and configures sudo
Private Classes
sudo::config: Configures sudosudo::install: Installs sudo
Classes
sudo
Installs and configures sudo
Examples
include sudo
Parameters
The following parameters are available in the sudo class:
install_packagepackage_namepackage_ensurepackage_providersudoersmanage_sudoersincludedirpurge_includedirincludedir_modedefaultmodeownergroupuse_includedirvalidate_cmdconf
install_package
Data type: Boolean
Determines if package for sudo should be installed.
Default value: true
package_name
Data type: String[1]
The name of the package to install.
Default value: 'sudo'
package_ensure
Data type: String[1]
What value for 'ensure' to pass to resource type package.
Default value: 'present'
package_provider
Data type: Optional[String]
Override the default package provider.
Default value: undef
sudoers
Data type: Stdlib::Unixpath
The main configuration file for the sudoers plugin. Default is /usr/local/etc/sudoers on FreeBSD, and /etc/sudoers on all other osfamilies.
Default value: '/etc/sudoers'
manage_sudoers
Data type: Boolean
Manage the primary sudoers file if true.
Default value: true
includedir
Data type: Stdlib::Unixpath
The dropin directory for additional config files. Default is /usr/local/etc/sudoers.d on FreeBSD, and /etc/sudoers.d on all other osfamilies.
Default value: '/etc/sudoers.d'
purge_includedir
Data type: Boolean
Purge any files in $includedir not explicitly managed by this class.
Default value: false
includedir_mode
Data type: Stdlib::Filemode
The filemode for the includedir
Default value: '0750'
defaultmode
Data type: Stdlib::Filemode
The mode for created files.
Default value: '0440'
owner
Data type: String[1]
The owner for sudo configfiles.
Default value: 'root'
group
Data type: String[1]
The group for sudo configfiles.
Default value: 'root'
use_includedir
Data type: Boolean
Add entry for includedir to main sudoer file if true.
Default value: true
validate_cmd
Data type: String[1]
Command used to check created sudoers files for syntax errors.
Default value: '/sbin/visudo -sc %'
conf
Data type: Hash[String,Hash[String,Optional[Any]]]
This is the most important control-structure for configuring sudo. It consists of a hash with the first level key is the destination file (under $includedir), or the special value "_sudoers" for the content of the master sudoers file. There is a default content for this that permits root to run sudo.
Default value: { '_sudoers' => {} }
1.0.1
Mar 25 2023
- Add syntax validation using visudo -c
1.0.0
Mar 19 2023
- Don't provide distribution specific defaults sudoers.conf
0.1.3
Apr 3 2022
- Update README with request for feedback about default sudoers conf.
- Add some extra spectest for FreeBSD.
- Support for older puppet (5.5)
0.1.2
Mar 27 2022
- Add default sudoers config for Debian and Archlinux
- Improve documentation.
0.1.1
Mar 13 2022
- Add parameters purge_includedir, manage_sudoers
- Add default sudoers config for RedHat FreeBSD and Gentoo
Dependencies
- puppetlabs/stdlib (>= 5.0.0 < 9.0.0)