Forge Home

sudo

Manage sudo configuration via Puppet

123,020,689 downloads

1,640 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 9.0.0 (latest)
  • 8.0.0
  • 7.0.2
  • 7.0.1
  • 7.0.0
  • 6.0.0
  • 5.0.0
  • 4.2.0
  • 4.1.0
  • 4.0.0
  • 3.1.0
  • 3.0.9
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 3.0.0
  • 2.4.3
  • 2.4.2
  • 2.4.1
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.9
  • 2.0.8
  • 2.0.7
  • 2.0.6
  • 2.0.5
  • 2.0.4
  • 2.0.3
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Oct 18th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , , SmartOS, OmniOS, FreeBSD, OpenBSD, AIX, Darwin, Gentoo, Archlinux, Amazon, Suse,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'saz-sudo', '9.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add saz-sudo
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install saz-sudo --version 9.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: sudo

Documentation

saz/sudo — version 9.0.0 Oct 18th 2024

sudo module for Puppet

Build Status

Manage sudo configuration via Puppet

Supported OS

Some family and some specific os are supported by this module

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
  - "%{environment}"
  - "defaults"
Load module

Load the module via Puppet Code or your ENC.

    include sudo
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
    'bill':
        'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
    'bill':
        'template'  : "mymodule/bill.erb"
Override sudoers defaults

You can modify Default_Entry lines by passing a Hash to sudo::defaults, where the key is Defaults parameter name (see man 5 sudoers for more details):

sudo::defaults:
    lecture:
      value: always
    badpass_message:
      value: "Password is wrong, please try again"
    passwd_tries:
      value: 5
    insults:
    mailto:
      value: root@example.com
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • Content may be an array, string will be added with return carriage after each element.
  • In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

See REFERENCE.md

sudo::conf class / sudo::configs hash parameters

See REFERENCE.md