sudo module for Puppet

Manage sudo configuration via Puppet

Supported OS

Some family and some specific os are supported by this module

• debian osfamily (debian, ubuntu, kali, ...)
• redhat osfamily (redhat, centos, fedora, ...)
• suse osfamily (suse, opensuse, ...)
• solaris osfamily (Solaris, OmniOS, SmartOS, ...)
• freebsd osfamily
• openbsd osfamily
• aix osfamily
• darwin osfamily
• gentoo operating system
• archlinux operating system
• amazon operating system

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Selective Purge of sudoers.d Directory

A combination of prefix, suffix and purge_ignore can be used to purge only files that puppet previously created. If suffix is specified all puppet created sudoers.d entries will have this suffix apprended to the thier file name. If prefix is specified all puppet created sudoers.d entries will have this prefix prepended. A ruby glob can be used as ignore to ignore all files that do not have this suffix.

    class{'sudo':
      suffix => '_puppet',
      purge_ignore => '*[!_puppet]',
    }

or

    class{'sudo':
      prefix => 'puppet_',
      purge_ignore => '[!puppet_]*',
    }

Due to limitations in ruby glob the prefix and ignore is recommended.

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

• YAML backend
• an environment called production
• a /etc/puppet/hiera.yaml hierarchy configuration:

:hierarchy:
  - "%{environment}"
  - "defaults"

Load module

Load the module via Puppet Code or your ENC.

    include sudo

Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

• inheriting/preserving the web configuration
• overriding the admins configuration
• removing the joe configuration
• adding the bill template

lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
    'bill':
        'template'  : "mymodule/bill.erb"

In this example we are:

• inheriting/preserving the web configuration
• overriding the admins:content setting
• inheriting/preserving the admins:priority setting
• inheriting/preserving the joe:source and joe:priority settings
• removing the joe configuration
• adding the bill template

lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
    'bill':
        'template'  : "mymodule/bill.erb"

Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

• One of content or source must be set.
• Content may be an array, string will be added with return carriage after each element.
• In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

sudo::conf class / sudo::configs hash parameters

Reference

Table of Contents

Classes

Public Classes

• sudo: This module manages sudo
• sudo::allow: Creates a file in sudoers.d that permits specific users and groups to sudo.

Private Classes

• sudo::package: Installs the sudo package on various platforms.
• sudo::package::aix: Install the perzl.org sudo package. It also requires the openldap rpm. so we add a dependencies to the ldap module.
• sudo::package::solaris: install sudo under solaris 10/11.
• sudo::params: Params class for the sudo module

Defined types

• sudo::conf: Manages sudo configuration snippets

Classes

sudo

This module manages sudo

Examples

class { 'sudo': }

Parameters

The following parameters are available in the sudo class:

• enable
• package
• package_ldap
• package_ensure
• package_source
• package_provider
• package_admin_file
• purge
• purge_ignore
• suffix
• prefix
• config_file
• config_file_replace
• config_file_mode
• config_dir
• config_dir_mode
• extra_include_dirs
• content
• content_template
• content_string
• secure_path
• ldap_enable
• delete_on_error
• validate_single
• config_dir_keepme
• use_sudoreplay
• wheel_config
• sudoreplay_discard
• configs

enable

Data type: Boolean

Ensure if present or absent.

Default value: true

package

Data type: Optional[String[1]]

Name of the package. Only set this, if your platform is not supported or you know, what you're doing.

Default value: $sudo::params::package

package_ldap

Data type: Optional[String[1]]

Name of the package with ldap support, if ldap_enable is set.

Default value: $sudo::params::package_ldap

package_ensure

Data type: String[1]

Allows you to ensure a particular version of a package

Default value: $sudo::params::package_ensure

package_source

Data type: Optional[String[1]]

Where to find the package. Only set this on AIX (required) and Solaris (required), if your platform is not supported or you know, what you're doing.

Default value: $sudo::params::package_source

package_provider

Data type: Optional[String[1]]

Allows you to set a package provider.

Default value: $sudo::params::package_provider

package_admin_file

Data type: Optional[String[1]]

Where to find a Solaris 10 package admin file for an unattended installation. We do not supply a default file, so this has to be staged separately and is required on Solaris 10.

Default value: $sudo::params::package_admin_file

purge

Data type: Boolean

Whether or not to purge sudoers.d directory

Default value: true

purge_ignore

Data type: Optional[Variant[String[1], Array[String[1]]]]

Files to exclude from purging in sudoers.d directory

Default value: undef

suffix

Data type: Optional[String[1]]

Adds a custom suffix to all files created in sudoers.d directory.

Default value: undef

prefix

Data type: Optional[Pattern[/^[^.]+$/]]

Adds a custom prefix to all files created in sudoers.d directory.

Default value: undef

config_file

Data type: String[1]

Main configuration file. Only set this, if your platform is not supported or you know, what you're doing.

Default value: $sudo::params::config_file

config_file_replace

Data type: Boolean

Wether or not the config file should be replaced.

Default value: true

config_file_mode

Data type: String[1]

The mode to set on the config file.

Default value: $sudo::params::config_file_mode

config_dir

Data type: String[1]

Main directory containing sudo snippets, imported via includedir stanza in sudoers file

Default value: $sudo::params::config_dir

config_dir_mode

Data type: String[1]

The mode to set for the config directory.

Default value: $sudo::params::config_dir_mode

extra_include_dirs

Data type: Optional[Array[String[1]]]

Array of additional directories containing sudo snippets

Default value: undef

content

Data type: Optional[String[1]]

Alternate content template file location Deprecated, use content_template instead.

Default value: undef

content_template

Data type: Optional[String[1]]

Alternate content template file location Only set this, if your platform is not supported or you know, what you're doing. Note: some parameters won't work, if default template isn't used

Default value: undef

content_string

Data type: Optional[String[1]]

Alternate config file content string Note: some parameters won't work, if default template isn't used

Default value: undef

secure_path

Data type: Optional[String[1]]

The secure_path variable in sudoers.

Default value: $sudo::params::secure_path

ldap_enable

Data type: Boolean

Enable ldap support on the package

Default value: false

delete_on_error

Data type: Boolean

True if you want that the configuration is deleted on an error during a complete visudo -c run. If false it will just return an error and will add a comment to the sudoers configuration so that the resource will be checked at the following run.

Default value: true

validate_single

Data type: Boolean

Do a validate on the "single" file in the sudoers.d directory. If the validate fail the file will not be saved or changed if a file already exist.

Default value: false

config_dir_keepme

Data type: Boolean

Add a .keep-me file to the config dir

Default value: $sudo::params::config_dir_keepme

use_sudoreplay

Data type: Boolean

Boolean to enable the usage of sudoreplay.

Default value: false

wheel_config

Data type: Enum['absent','password','nopassword']

How to configure the wheel group in /etc/sudoers Options are either not to configure it it, configure it prompting for password, or configuring it without password prompt.

Default value: $sudo::params::wheel_config

sudoreplay_discard

Data type: Optional[Array[String[1]]]

Array of additional command to discard in sudo log.

Default value: undef

configs

Data type: Hash

A hash of sudo::conf's

Default value: {}

sudo::allow

This class allows you to take complete advantage of automatic parameter lookup using a Hiera database. Providing a singleton class that accepts arrays in the parameters makes it possible to implement specific user or group configuration in Hiera, whereas the use of defined types is normally restricted to Puppet manifests.

Furthermore, having separate parameters for "add" and "replace" modes allows you to take full advantage of inheritance in the Hiera database while still allowing for exceptions if required.

Examples

class { 'sudo::allow':
  add_users  => ['jsmith'],
  add_groups => ['wheel'],
}

Parameters

The following parameters are available in the sudo::allow class:

• add_users
• add_groups
• replace_users
• replace_groups

add_users

Data type: Array

Define the set of users with sudo privileges by getting all values in the hierarchy for this key, then flattening them into a single array of unique values.

Default value: []

add_groups

Data type: Array

Define the set of groups with sudo privileges by getting all values in the hierarchy for this key, then flattening them into a single array of unique values.

Default value: []

replace_users

Data type: Optional[Array]

Override any values specified in add_users. If you specify this value in your manifest or Hiera database, the contents of "add_users" will be ignored. With Hiera, a standard priority lookup is used. Note that if replace_users is specified at ANY level of the hierarchy, then add_users is ignored at EVERY level of the hierarchy.

Default value: undef

replace_groups

Data type: Optional[Array]

Override any values specified in add_groups. If you specify this value in your manifest or Hiera database, the contents of "add_groups" will be ignored. With Hiera, a standard priority lookup is used. Note that if replace_groups is specified at ANY level of the hierarchy, then add_groups is ignored at EVERY level of the hierarchy.

Default value: undef

Defined types

sudo::conf

Define: sudo::conf

Examples

sudo::conf { 'admins':
  source => 'puppet:///files/etc/sudoers.d/admins',
}

Parameters

The following parameters are available in the sudo::conf defined type:

• ensure
• priority
• content
• source
• template
• sudo_config_dir
• sudo_file_name
• sudo_syntax_path

ensure

Data type: Any

Ensure if present or absent

Default value: present

priority

Data type: Any

Prefix file name with $priority

Default value: 10

content

Data type: Any

Content of configuration snippet

Default value: undef

source

Data type: Any

Source of configuration snippet

Default value: undef

template

Data type: Any

Path of a template file

Default value: undef

sudo_config_dir

Data type: Any

Where to place configuration snippets. Only set this, if your platform is not supported or you know, what you're doing.

Default value: undef

sudo_file_name

Data type: Any

Set a custom file name for the snippet

Default value: undef

sudo_syntax_path

Data type: Any

Path to use for executing the sudo syntax check

Default value: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[8.0.0]

Breaking changes

• drop support for puppet6 (#295)
• replace ensure_packages() with package (#295)

Removed

• stdlib is no longer a dependency, as the only usage (ensure_packages) was removed
• Drop EoL Debian 9 (#294)

Added

• add data types and doc strings to most manifests (#285)
• Add puppet 8 support (#294)
• add some newer OS releaseas (#295)
• Add prefix parameter to prefix all sudoers.d entries (#261)

Fixed

• Restore format and behavior prior to adding wheel_config parameter (#278)

[7.0.2]

Added

• Allow stdlib < 9.0.0

[7.0.1]

Fixed

• Fix duplicate variable declaration (#274)

[7.0.0]

Breaking changes

• Support Puppet >= 6.1.0

Added

• Added secure_path parameter (#270)
• Added package_provider parameter (#241)
• Added wheel_config parameter (#271)
• Added support for Manjarolinux (#244)
• Template for RHEL 8 added (#247)
• Added suffix parameter (#248)

Changed

• Migrated to Github Actions
• Replaced travis-ci badge with Github Actions badge
• Bumped stdlib dependency to < 8.0.0

Fixed

• sudoversion fact should not run on Windows (#259)
• docs: ignore parameter has been renamed to purge_ignore
• Removed extra % in sudo::allow template (#242)
• Fixed AIX default package source (#240)

[6.0.0]

Breaking changes

• Remove sudo::configs, move hiera lookups to init.pp (#228)

Fixed

• Do not ensure package, when it's undefined (#213)
• Fix regex matching rhel 5.1 to 5.4 only (#217)
• Add systemctl commands back to SERVICES alias (#224, #225)

Added

• Add Puppet 6 to travis checks
• Allow usage of sudoreplay (#231)

Changed

• Let $purge_ignore accept an array of strings (#211)
• Update Puppet version requirement to include version 6 (#230, #234)

Removed

• Drop Ruby 2.1 from travis checks