

A simple template to semantically manage allowed commands in sudoers.d



Version information

  • 0.1.3 (latest)
  • 0.1.2
  • 0.1.1
  • 0.0.1
released Feb 6th 2017

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'phinze-sudoers', '0.1.3'

Add this module to your Bolt project:

bolt module add phinze-sudoers

Manually install this module globally with Puppet module tool:

puppet module install phinze-sudoers --version 0.1.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: sudo, sudoers


phinze/sudoers — version 0.1.3 Feb 6th 2017


Puppet module for creating sudoers user specifications



Using the Puppet Module Tool:

$ puppet module install phinze/sudoers

As a git submodule:

$ git submodule add modules/sudoers


The following Puppet declaration:

sudoers::allowed_command{ "acme":
  command          => "/usr/sbin/service",
  user             => "acme",
  require_password => false,
  comment          => "Allows access to the service command for the acme user",
}

Creates the file:

# /etc/sudoers.d/acme
acme ALL=(root) NOPASSWD: /usr/sbin/service

As user 'acme' you can now run the service command without a password, e.g.:

$ sudo service rsyslog restart
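
The rule above names /usr/sbin/service without arguments, which in sudoers lets acme pass any arguments to it as root without a password. The following audit check is an added example, not part of the module: it parses single-command user specifications in the format shown above and reports passwordless rules that leave the arguments open. The sample lines other than the acme rule are constructed.

```python
import re

# Constructed sample; the first rule is the one shown on this page.
SAMPLE = """\
# /etc/sudoers.d/acme
acme ALL=(root) NOPASSWD: /usr/sbin/service
%deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
ops ALL=(root) /usr/bin/apt-get
"""

# <user|%group> <host>=(<run_as>) [TAG:]... <command> [args]
SPEC = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+?)\s*=\s*\((?P<run_as>[^)]+)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>/\S+)(?P<args>.*)$"
)

def parse_spec(line):
    """Return the fields of one user specification, or None for other lines."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = SPEC.match(line)
    if m is None:
        return None
    who = m.group("who")
    return {
        "kind": "group" if who.startswith("%") else "user",
        "name": who.lstrip("%"),
        "host": m.group("host"),
        "run_as": m.group("run_as"),
        "nopasswd": "NOPASSWD:" in m.group("tags"),
        "command": m.group("command"),
        "args": m.group("args").strip(),
    }

def audit(text):
    """List (name, command) for passwordless rules with no argument restriction."""
    findings = []
    for line in text.splitlines():
        spec = parse_spec(line)
        # In sudoers, a command given without arguments may be run with any
        # arguments; "" after the command would mean "no arguments allowed".
        if spec and spec["nopasswd"] and not spec["args"]:
            findings.append((spec["name"], spec["command"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```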


The allowed_command type takes the following options (with defaults in brackets):

[*command*]               - the command you want to give access to, e.g. '/usr/sbin/service'
[*filename*]              - the name of the file to be placed in /etc/sudoers.d/ ($title)
[*host*]                  - hosts which can run command (ALL)
[*run_as*]                - user to run the command as (root)
[*user*]                  - user to give access to
[*group*]                 - group to give access to
[*require_password*]      - require user to give password, setting to false sets 'NOPASSWD:' (true)
[*comment*]               - comment to add to the file
[*allowed_env_variables*] - allowed list of env variables ([])
[*require_exist*]         - require the group or user to exist. Setting this to false is needed, for example, if the user groups come from Active Directory. (true)
[*no_tty*]                - remove default tty requirement (false)