puppet augeas fails with sudoers in RHEL 7.4


Fabrice Bacchella

Aug 25, 2017, 12:43:13 PM
to Puppet Users
I've upgraded a test machine with CentOS 7.4 CR

When I run puppet on it, configuring /etc/sudoers with augeas, I'm getting:

Warning: Augeas[sudoers include](provider=augeas): Loading failed for one or more files, see debug for /augeas//error output

augtool ls /augeas//error says:
pos = 2308
line = 65
char = 12
lens/ = /usr/share/augeas/lenses/dist/sudoers.aug:529.10-.70:
message = Iterated lens matched less than it should

Line 65 is:
Defaults    match_group_by_gid

If I look at /usr/share/augeas/lenses/dist/sudoers.aug, I found:
let parameter_flag_kw    = "always_set_home" | "authenticate" | "env_editor"
                         | "env_reset" | "fqdn" | "ignore_dot"
                         | "ignore_local_sudoers" | "insults" | "log_host"
                         | "log_year" | "long_otp_prompt" | "mail_always"
                         | "mail_badpass" | "mail_no_host" | "mail_no_perms"
                         | "mail_no_user" | "noexec" | "path_info"
                         | "passprompt_override" | "preserve_groups"
                         | "requiretty" | "root_sudo" | "rootpw" | "runaspw"
                         | "set_home" | "set_logname" | "setenv"
                         | "shell_noargs" | "stay_setuid" | "targetpw"
                         | "tty_tickets" | "visiblepw" | "closefrom_override"
                         | "closefrom_override" | "compress_io" | "fast_glob"
                         | "log_input" | "log_output" | "pwfeedback"
                         | "umask_override" | "use_pty"

match_group_by_gid is missing I think.
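
A way to list every `Defaults` flag a given lens does not know, as an added example that is not part of the original post or of augeas itself. It assumes each value-less `Defaults` entry must match `parameter_flag_kw` (other lens rules are not modelled); the function names and both sample strings are constructed for illustration.

```python
import re

# Constructed sample: the lens definition quoted in the thread, abbreviated.
SAMPLE_LENS = '''
let parameter_flag_kw    = "always_set_home" | "authenticate" | "env_editor"
                         | "env_reset" | "requiretty" | "use_pty"
'''
# Constructed sample sudoers; line 6 is the Defaults entry from the thread.
SAMPLE_SUDOERS = '''\
# constructed sample
Defaults    env_reset, !requiretty
Defaults    secure_path = "/sbin:/bin, /usr/bin"
Defaults:admin  env_keep += "LANG \\
    LC_ALL"
Defaults    match_group_by_gid
root    ALL=(ALL)   ALL
'''

def lens_flags(lens_text):
    """Keywords listed in the lens's parameter_flag_kw alternation."""
    m = re.search(r'let\s+parameter_flag_kw\s*=((?:\s*\|?\s*"[^"]+")+)', lens_text)
    if not m:
        raise ValueError("parameter_flag_kw not found in lens")
    return set(re.findall(r'"([^"]+)"', m.group(1)))

def unknown_flags(sudoers_text, known):
    """[(line_no, flag)] for boolean Defaults flags that are not in `known`."""
    hits, pending, start = [], "", 0
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        if not pending:
            start = no
        if raw.endswith("\\"):                  # join continuation lines
            pending += raw[:-1]
            continue
        line, pending = pending + raw, ""
        m = re.match(r'\s*Defaults(?:[:@>!]\S+)?\s+(.*)$', line)
        if not m:
            continue
        rest = re.sub(r'"[^"]*"', '""', m.group(1))  # hide commas inside quotes
        rest = rest.split("#", 1)[0]                 # drop a trailing comment
        for item in rest.split(","):
            flag = item.strip().lstrip("!").strip()
            if flag and "=" not in flag and flag not in known:
                hits.append((start, flag))       # value-less entry the lens lacks
    return hits

if __name__ == "__main__":
    for no, flag in unknown_flags(SAMPLE_SUDOERS, lens_flags(SAMPLE_LENS)):
        print(f"line {no}: Defaults flag {flag!r} is not in parameter_flag_kw")
```

To check a real host, pass the contents of /usr/share/augeas/lenses/dist/sudoers.aug and /etc/sudoers instead of the samples.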

David Lutterkort

Aug 27, 2017, 12:56:42 AM
to Puppet Users
Hi Fabrice,

I just merged this change to the sudoers lens to address that. You can just overwrite the stock lens in /usr/share/augeas/lenses/dist/sudoers.aug with the updated lens, and things should just work.

David

Fabrice Bacchella

Aug 27, 2017, 8:17:44 AM
to puppet...@googlegroups.com
Thanks !

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/66d019bc-0554-48e3-a2dc-1b61e5f976b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Fabrice Bacchella

Oct 2, 2017, 5:03:56 AM
to puppet...@googlegroups.com
Looking at Puppet 1.10.8, I see in /opt/puppetlabs/puppet/lib/pkgconfig/augeas.pc:

Version: 1.4.0

That version was released in June 2015.

But at https://github.com/hercules-team/augeas/releases, the current augeas version is 1.8.1, and it still doesn't include the patch for that bug. It prevents upgrading to RHEL 7.4. Is there any hope of getting it corrected soon in the puppet agent? Or should I try to implement a workaround, because at the same time, there is CVE-2017-1000253, which requires an upgrade to 7.4.

David Lutterkort

Oct 2, 2017, 4:54:14 PM
to puppet...@googlegroups.com
Hi Fabrice,

You can simply copy sudoers.aug from upstream to affected systems with a file resource until augeas 1.9.0 is released. I am not aware, though, that there are plans to rebase augeas for the 1.x series of puppet-agent; it'll show up in puppet-agent 5.x though.

David

