puppetlabs-inifile versus sudoers


warron.french

Apr 26, 2017, 10:14:34 PM
to puppet...@googlegroups.com
Does it make sense to use the puppetlabs-inifile module when trying to modify the /etc/sudoers file?

From my observations, the /etc/sudoers file isn't exactly laid out in an ini-stylized configuration, like the /etc/smb.conf is.

Comments welcomed.
--------------------------
Warron French

James Perry

Apr 28, 2017, 9:45:38 AM
to Puppet Users
As I have very recently dug into modifying sudoers myself, you may want to look at the saz/sudo module at Puppet Forge. It allows you to do a lot of different methods to create a sudoers file that fits the supported OS.

If you want to just do edits, you may want to look at the stdlib file_line type. There are examples for it that show sudoers specifically.

In my environment I am using the file_line with a matcher with a regular expression to change the directory colors from dark blue to the lighter blue.

class os_config::ls_dir_color ($dir_default_color = '01;34') {
  # This is used to change the DIR color from dark blue to a brighter blue to
  # see it on a black background
  # It will use the file_line
  include stdlib

  # Replace the existing DIR entry (or append one if none matches)
  file_line { 'dir_colors':
    path    => '/etc/DIR_COLORS',
    line    => "DIR ${dir_default_color} # directory",
    match   => '^DIR\s*.*',
    replace => true,
  }
}

For sudoers you could do that to check if the line already exists to remove it with ensure => absent or add it with ensure => present. Since I'm using Foreman as a front-end to Puppet I use the smart parameters that I can override on a host by host basis when needed. Here is a pseudo code snippet that may do something like what you want.

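# In a sudoers rule the run-as list goes in parentheses: ALL=(ALL)
class sudo::add_dba_perm ($ensure = 'present', $dba_perm_line = '%dba ALL=(ALL) NOPASSWD: ALL') {
  include stdlib

  # Add, replace or remove the single %dba line in /etc/sudoers
  file_line { 'sudo_dba':
    ensure  => $ensure,
    path    => '/etc/sudoers',
    line    => $dba_perm_line,
    match   => '^%dba\s*.*',
    replace => true,
  }
}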

Now I haven't coded or tested the above, but theoretically something coded along these lines should work. As I don't yet have a full grasp on doing defines and create_resources, I have to stay basic in my coding. 

Hope this helps. 
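
An added example, not part of James Perry's post or of any module named in this thread: file_line writes /etc/sudoers without a syntax check, so an alternative is a drop-in file under /etc/sudoers.d that Puppet validates with visudo before putting it in place. The class name, the file name and the visudo path are assumptions; it also assumes Puppet 4 or later (for the data types) and a main sudoers file that includes /etc/sudoers.d.

```puppet
# Added example (hypothetical class name, not from the thread).
# Manages the %dba rule as its own drop-in file instead of editing
# /etc/sudoers in place.
class sudo_dropin::dba (
  Enum['present', 'absent'] $ensure = 'present',
  String[1]                 $rule   = '%dba ALL=(ALL) NOPASSWD: ALL',
) {
  # sudo ignores drop-in files whose names contain a '.' or end in '~',
  # so the file name deliberately has no extension.
  file { '/etc/sudoers.d/10_dba':
    ensure       => $ensure,
    owner        => 'root',
    group        => 'root',
    # sudo expects sudoers files to be read-only for owner and group.
    mode         => '0440',
    content      => "${rule}\n",
    # Puppet writes the new content to a temporary file, substitutes its
    # path for '%', and only replaces the target if the command exits 0.
    # visudo -c checks syntax only; -f names the file to check.
    # The path /usr/sbin/visudo is an assumption; adjust per OS.
    validate_cmd => '/usr/sbin/visudo -cf %',
  }
}
```

With ensure => absent the file is simply removed, and no validation command runs.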

Warron French

May 3, 2017, 6:02:59 PM
to Puppet Users
James, thanks for the reply. I didn't actually receive this message in my Gmail mailbox for some reason. I logged into groups.google.com and found that you had replied.

Anyway, now that I have read your input, I will mull it all over in my head.

Thanks again,
Warron