Version information
This version is compatible with:
- Puppet Enterprise 2025.4.x, 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- RedHat,CentOS,OracleLinux,Debian,Ubuntu, SmartOS, OmniOS, FreeBSD, OpenBSD, AIX, Darwin, Gentoo, Archlinux, Amazon, Suse,Solaris
Start using this module
Add this module to your Puppetfile:
mod 'saz-sudo', '9.0.2'Learn more about managing modules with a PuppetfileDocumentation
sudo module for Puppet
Manage sudo configuration via Puppet
Supported OS
Some family and some specific os are supported by this module
- debian osfamily (debian, ubuntu, kali, ...)
- redhat osfamily (redhat, centos, fedora, ...)
- suse osfamily (suse, opensuse, ...)
- solaris osfamily (Solaris, OmniOS, SmartOS, ...)
- freebsd osfamily
- openbsd osfamily
- aix osfamily
- darwin osfamily
- gentoo operating system
- archlinux operating system
- amazon operating system
Usage
WARNING
This module will purge your current sudo config
If this is not what you're expecting, set purge and/or config_file_replace to false
Install sudo with default sudoers
Purge current sudo config
class { 'sudo': }
Purge sudoers.d directory, but leave sudoers file as it is
class { 'sudo':
config_file_replace => false,
}
Leave current sudo config as it is
class { 'sudo':
purge => false,
config_file_replace => false,
}
Use LDAP along with sudo
Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.
class { 'sudo':
ldap_enable => true,
}
Adding sudoers configuration
Using Code
class { 'sudo': }
sudo::conf { 'web':
source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
priority => 10,
content => '%admins ALL=(ALL) NOPASSWD: ALL',
}
sudo::conf { 'joe':
priority => 60,
source => 'puppet:///files/etc/sudoers.d/users/joe',
}
Using Hiera
A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.
Examples using:
- YAML backend
- an environment called production
- a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
- "%{environment}"
- "defaults"
Load module
Load the module via Puppet Code or your ENC.
include sudo
Configure Hiera YAML (defaults.yaml)
These defaults will apply to all systems.
sudo::configs:
'web':
'source' : 'puppet:///files/etc/sudoers.d/web'
'admins':
'content' : '%admins ALL=(ALL) NOPASSWD: ALL'
'priority' : 10
'joe':
'priority' : 60
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)
This will only apply to the production environment. In this example we are:
- inheriting/preserving the web configuration
- overriding the admins configuration
- removing the joe configuration
- adding the bill template
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'priority' : 10
'joe':
'ensure' : 'absent'
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
'bill':
'template' : "mymodule/bill.erb"
In this example we are:
- inheriting/preserving the web configuration
- overriding the admins:content setting
- inheriting/preserving the admins:priority setting
- inheriting/preserving the joe:source and joe:priority settings
- removing the joe configuration
- adding the bill template
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'joe':
'ensure' : 'absent'
'bill':
'template' : "mymodule/bill.erb"
Override sudoers defaults
You can modify Default_Entry lines by passing a Hash to sudo::defaults, where the key is Defaults parameter name (see man 5 sudoers for more details):
sudo::defaults:
lecture:
value: always
badpass_message:
value: "Password is wrong, please try again"
passwd_tries:
value: 5
insults:
mailto:
value: root@example.com
Set a custom name for the sudoers file
In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.
sudo::conf { "foreman-proxy":
ensure => "present",
source => "puppet:///modules/sudo/foreman-proxy",
sudo_file_name => "foreman-proxy",
}
sudo::conf / sudo::configs notes
- One of content or source must be set.
- Content may be an array, string will be added with return carriage after each element.
- In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.
sudo class parameters
See REFERENCE.md
sudo::conf class / sudo::configs hash parameters
See REFERENCE.md
Reference
Table of Contents
Classes
Public Classes
sudo: This module manages sudosudo::allow: Creates a file in sudoers.d that permits specific users and groups to sudo.
Private Classes
sudo::package: Installs the sudo package on various platforms.sudo::package::aix: Install the perzl.org sudo package. It also requires the openldap rpm. so we add a dependencies to the ldap module.sudo::package::solaris: install sudo under solaris 10/11.sudo::params: Params class for the sudo module
Defined types
sudo::conf: Manages sudo configuration snippets
Functions
sudo::defaults: Formats sudoers defaults config see https://linux.die.net/man/5/sudoers Default_Type ::= 'Defaults' | 'Defaults' '@
Data types
Sudo::Defaults: sudo defaultsSudo::Defaults_operator: custom datatype that validates sudo defaults operators
Classes
sudo
This module manages sudo
Examples
class { 'sudo': }
Parameters
The following parameters are available in the sudo class:
enablepackagepackage_managepackage_ldappackage_ensurepackage_sourcepackage_providerpackage_admin_filepurgepurge_ignoresuffixprefixconfig_fileconfig_file_replaceconfig_file_modeconfig_dirconfig_dir_modeextra_include_dirscontentcontent_templatecontent_stringsecure_pathldap_enabledelete_on_errorvalidate_singleconfig_dir_keepmeuse_sudoreplaywheel_configsudoreplay_discardconfigsdefaults
enable
Data type: Boolean
Ensure if present or absent.
Default value: true
package
Data type: Optional[String[1]]
Name of the package. Only set this, if your platform is not supported or you know, what you're doing.
Default value: $sudo::params::package
package_manage
Data type: Boolean
Whether or not to manage the sudo package.
Default value: true
package_ldap
Data type: Optional[String[1]]
Name of the package with ldap support, if ldap_enable is set.
Default value: $sudo::params::package_ldap
package_ensure
Data type: String[1]
Allows you to ensure a particular version of a package
Default value: $sudo::params::package_ensure
package_source
Data type: Optional[String[1]]
Where to find the package. Only set this on AIX (required) and Solaris (required), if your platform is not supported or you know, what you're doing.
Default value: $sudo::params::package_source
package_provider
Data type: Optional[String[1]]
Allows you to set a package provider.
Default value: $sudo::params::package_provider
package_admin_file
Data type: Optional[String[1]]
Where to find a Solaris 10 package admin file for an unattended installation. We do not supply a default file, so this has to be staged separately and is required on Solaris 10.
Default value: $sudo::params::package_admin_file
purge
Data type: Boolean
Whether or not to purge sudoers.d directory
Default value: true
purge_ignore
Data type: Optional[Variant[String[1], Array[String[1]]]]
Files to exclude from purging in sudoers.d directory
Default value: undef
suffix
Data type: Optional[String[1]]
Adds a custom suffix to all files created in sudoers.d directory.
Default value: undef
prefix
Data type: Optional[Pattern[/^[^.]+$/]]
Adds a custom prefix to all files created in sudoers.d directory.
Default value: undef
config_file
Data type: String[1]
Main configuration file. Only set this, if your platform is not supported or you know, what you're doing.
Default value: $sudo::params::config_file
config_file_replace
Data type: Boolean
Wether or not the config file should be replaced.
Default value: true
config_file_mode
Data type: String[1]
The mode to set on the config file.
Default value: $sudo::params::config_file_mode
config_dir
Data type: String[1]
Main directory containing sudo snippets, imported via includedir stanza in sudoers file
Default value: $sudo::params::config_dir
config_dir_mode
Data type: String[1]
The mode to set for the config directory.
Default value: $sudo::params::config_dir_mode
extra_include_dirs
Data type: Optional[Array[String[1]]]
Array of additional directories containing sudo snippets
Default value: undef
content
Data type: Optional[String[1]]
Alternate content template file location Deprecated, use content_template instead.
Default value: undef
content_template
Data type: Optional[String[1]]
Alternate content template file location Only set this, if your platform is not supported or you know, what you're doing. Note: some parameters won't work, if default template isn't used
Default value: undef
content_string
Data type: Optional[String[1]]
Alternate config file content string Note: some parameters won't work, if default template isn't used
Default value: undef
secure_path
Data type: Optional[String[1]]
The secure_path variable in sudoers.
Default value: $sudo::params::secure_path
ldap_enable
Data type: Boolean
Enable ldap support on the package
Default value: false
delete_on_error
Data type: Boolean
True if you want that the configuration is deleted on an error during a complete visudo -c run. If false it will just return an error and will add a comment to the sudoers configuration so that the resource will be checked at the following run.
Default value: true
validate_single
Data type: Boolean
Do a validate on the "single" file in the sudoers.d directory. If the validate fail the file will not be saved or changed if a file already exist.
Default value: false
config_dir_keepme
Data type: Boolean
Add a .keep-me file to the config dir
Default value: $sudo::params::config_dir_keepme
use_sudoreplay
Data type: Boolean
Boolean to enable the usage of sudoreplay.
Default value: false
wheel_config
Data type: Enum['absent','password','nopassword']
How to configure the wheel group in /etc/sudoers Options are either not to configure it it, configure it prompting for password, or configuring it without password prompt.
Default value: $sudo::params::wheel_config
sudoreplay_discard
Data type: Optional[Array[String[1]]]
Array of additional command to discard in sudo log.
Default value: undef
configs
Data type: Hash
A hash of sudo::conf's
Default value: {}
defaults
Data type: Sudo::Defaults
Default value: $sudo::params::defaults
sudo::allow
This class allows you to take complete advantage of automatic parameter lookup using a Hiera database. Providing a singleton class that accepts arrays in the parameters makes it possible to implement specific user or group configuration in Hiera, whereas the use of defined types is normally restricted to Puppet manifests.
Furthermore, having separate parameters for "add" and "replace" modes allows you to take full advantage of inheritance in the Hiera database while still allowing for exceptions if required.
Examples
class { 'sudo::allow':
add_users => ['jsmith'],
add_groups => ['wheel'],
}
Parameters
The following parameters are available in the sudo::allow class:
add_users
Data type: Array
Define the set of users with sudo privileges by getting all values in the hierarchy for this key, then flattening them into a single array of unique values.
Default value: []
add_groups
Data type: Array
Define the set of groups with sudo privileges by getting all values in the hierarchy for this key, then flattening them into a single array of unique values.
Default value: []
replace_users
Data type: Optional[Array]
Override any values specified in add_users. If you specify this value in your manifest or Hiera database, the contents of "add_users" will be ignored. With Hiera, a standard priority lookup is used. Note that if replace_users is specified at ANY level of the hierarchy, then add_users is ignored at EVERY level of the hierarchy.
Default value: undef
replace_groups
Data type: Optional[Array]
Override any values specified in add_groups. If you specify this value in your manifest or Hiera database, the contents of "add_groups" will be ignored. With Hiera, a standard priority lookup is used. Note that if replace_groups is specified at ANY level of the hierarchy, then add_groups is ignored at EVERY level of the hierarchy.
Default value: undef
Defined types
sudo::conf
Define: sudo::conf
Examples
sudo::conf { 'admins':
source => 'puppet:///files/etc/sudoers.d/admins',
}
Parameters
The following parameters are available in the sudo::conf defined type:
ensure
Data type: Enum['present', 'absent']
Ensure if present or absent
Default value: present
priority
Data type: Variant[String[1], Integer[0]]
Prefix file name with $priority
Default value: 10
content
Data type: Optional[Variant[Array[String[1]], String[1]]]
Content of configuration snippet
Default value: undef
source
Data type: Optional[String[1]]
Source of configuration snippet
Default value: undef
template
Data type: Optional[String[1]]
Path of a template file
Default value: undef
sudo_config_dir
Data type: Optional[String[1]]
Where to place configuration snippets. Only set this, if your platform is not supported or you know, what you're doing.
Default value: undef
sudo_file_name
Data type: Optional[String[1]]
Set a custom file name for the snippet
Default value: undef
sudo_syntax_path
Data type: String[1]
Path to use for executing the sudo syntax check
Default value: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
Functions
sudo::defaults
Type: Ruby 4.x API
Formats sudoers defaults config see https://linux.die.net/man/5/sudoers
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter
The function is passed an Array of Tuples e.g. [["env_reset", nil]] [["mailto", {"value" => root}]]
sudo::defaults(Any *$args)
Formats sudoers defaults config see https://linux.die.net/man/5/sudoers
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter
The function is passed an Array of Tuples e.g. [["env_reset", nil]] [["mailto", {"value" => root}]]
Returns: String
*args
Data type: Any
Data types
Sudo::Defaults
sudo defaults
Alias of
Hash[String, Variant[Struct[{
Optional[list] => String,
Optional[operator] => Sudo::Defaults_operator,
Optional[value] => Variant[String,Numeric],
}], Undef]]
Sudo::Defaults_operator
custom datatype that validates sudo defaults operators
Alias of Enum['=', '+=', '-=', '!']
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[9.0.2]
Fixed
- allow String as type for priority in sudo::conf
[9.0.1]
Fixed
- Cleanup old OSes leftovers (#314)
- Fix defaults functions for key-only configs (#317)
- Revert "Include defaults as last line on all platforms" (#319)
[9.0.0]
Breaking changes
- Drop EoL RedHat, CentOS, Debian releases (#307, #311)
- Drop Scientific from supported OS (#311)
Added
- add package_manage param (#299)
- Add support for RedHat 9 (#301)
- add types in sudo::conf (#306)
Fixed
- remove purge_ignore example from README, as it is not working as documented (#303)
- use sudo::defaults in rhel9 template, fix tests (#304)
- Remove parameters from README.md, mention REFERENCE.md, fixes #197 (#305)
[8.0.0]
Breaking changes
- drop support for puppet6 (#295)
- replace ensure_packages() with package (#295)
Removed
- stdlib is no longer a dependency, as the only usage (ensure_packages) was removed
- Drop EoL Debian 9 (#294)
Added
- add data types and doc strings to most manifests (#285)
- Add puppet 8 support (#294)
- add some newer OS releaseas (#295)
- Add prefix parameter to prefix all sudoers.d entries (#261)
Fixed
- Restore format and behavior prior to adding wheel_config parameter (#278)
[7.0.2]
Added
- Allow stdlib < 9.0.0
[7.0.1]
Fixed
- Fix duplicate variable declaration (#274)
[7.0.0]
Breaking changes
- Support Puppet >= 6.1.0
Added
- Added secure_path parameter (#270)
- Added package_provider parameter (#241)
- Added wheel_config parameter (#271)
- Added support for Manjarolinux (#244)
- Template for RHEL 8 added (#247)
- Added suffix parameter (#248)
Changed
- Migrated to Github Actions
- Replaced travis-ci badge with Github Actions badge
- Bumped stdlib dependency to < 8.0.0
Fixed
- sudoversion fact should not run on Windows (#259)
- docs:
ignoreparameter has been renamed topurge_ignore - Removed extra % in sudo::allow template (#242)
- Fixed AIX default package source (#240)
[6.0.0]
Breaking changes
- Remove sudo::configs, move hiera lookups to init.pp (#228)
Fixed
- Do not ensure package, when it's undefined (#213)
- Fix regex matching rhel 5.1 to 5.4 only (#217)
- Add systemctl commands back to SERVICES alias (#224, #225)
Added
- Add Puppet 6 to travis checks
- Allow usage of sudoreplay (#231)
Changed
- Let $purge_ignore accept an array of strings (#211)
- Update Puppet version requirement to include version 6 (#230, #234)
Removed
- Drop Ruby 2.1 from travis checks
Copyright 2012 Steffen Zieger
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.