sudo

Manage sudo configuration via Puppet

123,099,856 downloads

7,285 latest version

5.0 quality score

Version information

  • 9.0.2 (latest)
  • 9.0.1
  • 9.0.0
  • 8.0.0
  • 7.0.2
  • 7.0.1
  • 7.0.0
  • 6.0.0
  • 5.0.0
  • 4.2.0
  • 4.1.0
  • 4.0.0
  • 3.1.0
  • 3.0.9
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 3.0.0
  • 2.4.3
  • 2.4.2
  • 2.4.1
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.9
  • 2.0.8
  • 2.0.7
  • 2.0.6
  • 2.0.5
  • 2.0.4
  • 2.0.3
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.0.2
  • 1.0.1
  • 1.0.0
released Feb 28th 2025
This version is compatible with:
  • Puppet Enterprise 2025.4.x, 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • RedHat
    ,
    CentOS
    ,
    OracleLinux
    ,
    Debian
    ,
    Ubuntu
    , SmartOS, OmniOS, FreeBSD, OpenBSD, AIX, Darwin, Gentoo, Archlinux, Amazon, Suse,
    Solaris

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'saz-sudo', '9.0.2'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add saz-sudo
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install saz-sudo --version 9.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: sudo

Documentation

saz/sudo — version 9.0.2 Feb 28th 2025

sudo module for Puppet

Build Status

Manage sudo configuration via Puppet

Supported OS

Some family and some specific os are supported by this module

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
  - "%{environment}"
  - "defaults"
Load module

Load the module via Puppet Code or your ENC.

    include sudo
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
    'bill':
        'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template
lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
    'bill':
        'template'  : "mymodule/bill.erb"
Override sudoers defaults

You can modify Default_Entry lines by passing a Hash to sudo::defaults, where the key is Defaults parameter name (see man 5 sudoers for more details):

sudo::defaults:
    lecture:
      value: always
    badpass_message:
      value: "Password is wrong, please try again"
    passwd_tries:
      value: 5
    insults:
    mailto:
      value: root@example.com
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
	ensure          => "present",
	source          => "puppet:///modules/sudo/foreman-proxy",
	sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • Content may be an array, string will be added with return carriage after each element.
  • In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

See REFERENCE.md

sudo::conf class / sudo::configs hash parameters

See REFERENCE.md