Managing sudo via puppet using #includedir
2,626 views
Skip to first unread message
treydock
Aug 1, 2011, 1:41:40 PM8/1/11
to Puppet Users
Is anyone having success with #includedir option in sudo? I have a
module that uses a definition to create files in /etc/sudoers.d/ which
is referenced in the main suders file as #includedir "/etc/sudoers",
but these entries are not getting referenced when sudo is used.
I'm running CentOS 5 and 6, which which sudo-1.7.2p1 and sudo-1.7.2p2
respectively.
Here's a weird symptom the problem I'm having...
# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0
(((NOTE: I made absolutely no changes , just did ":q")))
# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK
This is my sudoers file...
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use
%groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /
sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/
wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/
partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /
bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/
killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password
in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
## Defaults requiretty
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
# Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING,
PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
#includedir "/etc/sudoers.d"
And this is the /etc/sudoers.d/zabbix-puppet
zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
What's so strange is if I take that exact line, and put it in /etc/
sudoers , it works just fine. So I know the syntax and such is
correct, however it doesn't get called via #includedir.
Thanks
- Trey
module that uses a definition to create files in /etc/sudoers.d/ which
is referenced in the main suders file as #includedir "/etc/sudoers",
but these entries are not getting referenced when sudo is used.
I'm running CentOS 5 and 6, which which sudo-1.7.2p1 and sudo-1.7.2p2
respectively.
Here's a weird symptom the problem I'm having...
# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0
(((NOTE: I made absolutely no changes , just did ":q")))
# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK
This is my sudoers file...
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use
%groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /
sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/
wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/
partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /
bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/
killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password
in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
## Defaults requiretty
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
# Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING,
PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
#includedir "/etc/sudoers.d"
And this is the /etc/sudoers.d/zabbix-puppet
zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
What's so strange is if I take that exact line, and put it in /etc/
sudoers , it works just fine. So I know the syntax and such is
correct, however it doesn't get called via #includedir.
Thanks
- Trey
Len Rugen
Aug 1, 2011, 4:47:52 PM8/1/11
to puppet...@googlegroups.com
It's working here for RHEL 5 & 6. Check the owner and perms of sudoers.d, that's probably not your problem, but it's the only one we've had.
treydock
Aug 1, 2011, 5:49:51 PM8/1/11
to Puppet Users
From the sudoer docs it mentioned making the files in /etc/sudoers.d
be 440, but what about the folder? Here's the perms on /etc/sudoers.d
drwxr-xr-x 2 root root 4096 Jul 26 19:16 .
drwxr-xr-x. 64 root root 4096 Jul 26 19:16 ..
-r--r----- 1 root root 53 Jul 26 19:16 zabbix-puppet
- Trey
be 440, but what about the folder? Here's the perms on /etc/sudoers.d
drwxr-xr-x 2 root root 4096 Jul 26 19:16 .
drwxr-xr-x. 64 root root 4096 Jul 26 19:16 ..
-r--r----- 1 root root 53 Jul 26 19:16 zabbix-puppet
- Trey
Nathan Clemons
Aug 1, 2011, 5:56:10 PM8/1/11
to puppet...@googlegroups.com
These are the perms we're using for that functionality:
dr-xr-x--- 2 root root 4096 Jul 7 18:09 /etc/sudoers.d
Nathan Clemons
The worlds largest online language learning community
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
vagn scott
Aug 1, 2011, 7:35:23 PM8/1/11
to puppet...@googlegroups.com
On 08/01/2011 01:41 PM, treydock wrote:
> #includedir "/etc/sudoers.d"
>
> #includedir "/etc/sudoers.d"
>
Maybe without the quotation marks?
--
vagn
treydock
Aug 1, 2011, 7:59:53 PM8/1/11
to Puppet Users
Ok , so this was actually two problems...
The first , can't have quotes around the folder location in
#includedir...
Second is the way I was populating those files...
Here's the sudo module definition...
define sudo::directive (
$ensure=present,
$content="",
$source=""
) {
# sudo skipping file names that contain a "."
$dname = regsubst($name, '\.', '-', 'G')
file {"/etc/sudoers.d/${dname}":
ensure => $ensure,
owner => root,
group => root,
mode => 0440,
content => $content ? {
"" => undef,
default => $content,
},
source => $source ? {
"" => undef,
default => $source,
},
require => Package["sudo"],
}
}
The "content" method doesn't work, or at least not in the way I've
implemented it...
So this doesn't work...
sudo::directive { "zabbix-puppet":
ensure => present,
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/
start_puppet",
#source => "puppet:///files/zabbix_sudocmd",
}
And this works...
sudo::directive { "zabbix-puppet":
ensure => present,
#content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/
start_puppet",
source => "puppet:///files/zabbix_sudocmd",
}
The file "zabbix_sudocmd" contains the same text as the "Content"
line, however it seems to not add a necessary new line character, as
this is the debug output from puppet when I change from "source" to
"content"...
debug: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/
File[/etc/sudoers.d/zabbix-puppet]/content: Executing 'diff -u /etc/
sudoers.d/zabbix-puppet /tmp/puppet-file20110801-18801-1wfv1td-0'
--- /etc/sudoers.d/zabbix-puppet 2011-08-01 18:45:16.248138294 -0500
+++ /tmp/puppet-file20110801-18801-1wfv1td-0 2011-08-01
18:53:53.566133754 -0500
@@ -1 +1 @@
-zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
+zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
\ No newline at end of file
debug: file_bucket_file supports formats: b64_zlib_yaml marshal pson
raw yaml; using yaml
info: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/
File[/etc/sudoers.d/zabbix-puppet]: Filebucketed /etc/sudoers.d/zabbix-
puppet to main with sum 2ecb3670db9e458970153bf00d64b325
notice: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/
File[/etc/sudoers.d/zabbix-puppet]/content: content changed '{md5}
2ecb3670db9e458970153bf00d64b325' to '{md5}
348da8bc5d9eacaf6334b092d95001eb'
Notice the "No newline at end of file"...
I can use "content" if I add a "\n" to the end of the line, which
doesn't seem like it should be necessary, but it works.
Thanks!!
- Trey
The first , can't have quotes around the folder location in
#includedir...
Second is the way I was populating those files...
Here's the sudo module definition...
define sudo::directive (
$ensure=present,
$content="",
$source=""
) {
# sudo skipping file names that contain a "."
$dname = regsubst($name, '\.', '-', 'G')
file {"/etc/sudoers.d/${dname}":
ensure => $ensure,
owner => root,
group => root,
mode => 0440,
content => $content ? {
"" => undef,
default => $content,
},
source => $source ? {
"" => undef,
default => $source,
},
require => Package["sudo"],
}
}
The "content" method doesn't work, or at least not in the way I've
implemented it...
So this doesn't work...
sudo::directive { "zabbix-puppet":
ensure => present,
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/
start_puppet",
#source => "puppet:///files/zabbix_sudocmd",
}
And this works...
sudo::directive { "zabbix-puppet":
ensure => present,
#content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/
start_puppet",
source => "puppet:///files/zabbix_sudocmd",
}
The file "zabbix_sudocmd" contains the same text as the "Content"
line, however it seems to not add a necessary new line character, as
this is the debug output from puppet when I change from "source" to
"content"...
debug: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/
File[/etc/sudoers.d/zabbix-puppet]/content: Executing 'diff -u /etc/
sudoers.d/zabbix-puppet /tmp/puppet-file20110801-18801-1wfv1td-0'
--- /etc/sudoers.d/zabbix-puppet 2011-08-01 18:45:16.248138294 -0500
+++ /tmp/puppet-file20110801-18801-1wfv1td-0 2011-08-01
18:53:53.566133754 -0500
@@ -1 +1 @@
-zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
+zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
\ No newline at end of file
debug: file_bucket_file supports formats: b64_zlib_yaml marshal pson
raw yaml; using yaml
info: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/
File[/etc/sudoers.d/zabbix-puppet]: Filebucketed /etc/sudoers.d/zabbix-
puppet to main with sum 2ecb3670db9e458970153bf00d64b325
notice: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/
File[/etc/sudoers.d/zabbix-puppet]/content: content changed '{md5}
2ecb3670db9e458970153bf00d64b325' to '{md5}
348da8bc5d9eacaf6334b092d95001eb'
Notice the "No newline at end of file"...
I can use "content" if I add a "\n" to the end of the line, which
doesn't seem like it should be necessary, but it works.
Thanks!!
- Trey
Iain Sutton
Aug 3, 2011, 2:07:18 AM8/3/11
to puppet...@googlegroups.com
To add a newline, put the closing double quote on a new line.
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet",
becomes
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
",
Dan Carley
Aug 3, 2011, 5:08:11 AM8/3/11
to puppet...@googlegroups.com
On 3 August 2011 07:07, Iain Sutton <iains...@gmail.com> wrote:
To add a newline, put the closing double quote on a new line.
becomes
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet",
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
",
Or, cleaner IMHO:
content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet\n",
Reply all
Reply to author
Forward
0 new messages