sudoers module does not support host restrictions #5702

Closed
loz-hurst opened this issue Dec 18, 2022 · 2 comments · Fixed by #5703
Labels: feature, has_pr, module, plugins, system

Comments

@loz-hurst (Contributor)

Summary

Currently the sudoers module is hardcoded to set the host to the magic value ALL:

```python
return "{owner} ALL={runas}{nopasswd} {commands}\n".format(owner=owner, runas=runas_str, nopasswd=nopasswd_str, commands=commands_str)
```

This is a problem for me in two different scenarios I have:

  1. Some network booted (diskless) systems with a shared /etc/sudoers.d (network) filesystem using the host restrictions to constrain which commands are permitted on which host
  2. A security policy that requires specifying the host to mitigate the risk of inappropriate escalation being possible if the file is inadvertently copied to the wrong host (e.g. via poorly aimed scp, restoring the wrong host's /etc/sudoers.d from backup or copying it inappropriately after mounting the disk on a different host in a DR situation - all 3 of which have happened at some point and I'm sure there's more ways to mess it up too)

If accepted, this is a trivial feature to add - it is essentially a carbon-copy of runas just before the =.

In comparing the code with the sudoers manual, I noticed that like the host list - runas supports a list of users but that has not been implemented either - just noting it, I have no use case for needing that feature (or supporting a list for the host).

Issue Type

Feature Idea

Component Name

sudoers

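As an added example (my code, not the community.general sudoers module's and not the issue author's), this is what the rendering looks like once a host field is placed where the issue proposes, immediately before the `=`. It mirrors the structure of the module's format string quoted above, and goes a little beyond the request in two ways the issue itself mentions: `host` and `runas` both accept lists, as the sudoers manual allows, and a small matcher shows the point of scenario 2, that a rule whose host is not `ALL` does nothing when the file ends up on the wrong machine. `SudoRule`, its `host`/`runas` fields, `_check` and `rule_applies_on` are names invented for this example, not module options, and the sample rule for `alice` on `web01` is constructed.

```python
"""Render /etc/sudoers.d entries with an explicit Host_List.

Added example for this issue; it is not code from community.general.
It copies the structure of the module's format string quoted above and
puts a host field where the issue proposes it, immediately before '='.
SudoRule, its ``host``/``runas`` list fields and rule_applies_on() are
this example's own names, not module options.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Sequence

# Conservative character set for a single User/Host/Runas token. Anything
# with whitespace, ',', '=', ':' or a newline is rejected: a newline in a
# caller-supplied value would otherwise smuggle a second rule into the file.
_TOKEN = re.compile(r"[A-Za-z0-9_.+!/-]+")


def _check(token: str, what: str) -> str:
    """Return ``token`` unchanged if it is a safe single sudoers token."""
    if not _TOKEN.fullmatch(token):
        raise ValueError("unsafe %s token: %r" % (what, token))
    return token


@dataclass
class SudoRule:
    commands: Sequence[str]
    user: str | None = None                 # exactly one of user / group
    group: str | None = None                # rendered as %group
    host: Sequence[str] = ("ALL",)          # Host_List; default keeps today's ALL
    runas: Sequence[str] | None = None      # Runas_List; None omits the (...) part
    nopassword: bool = False

    def render(self) -> str:
        """Produce one sudoers line: User Host_List=(Runas_List)NOPASSWD: commands."""
        if bool(self.user) == bool(self.group):
            raise ValueError("exactly one of user or group is required")
        owner = _check(self.user, "user") if self.user else "%" + _check(self.group, "group")
        host_str = ",".join(_check(h, "host") for h in self.host)
        runas_str = "(%s)" % ",".join(_check(r, "runas") for r in self.runas) if self.runas else ""
        nopasswd_str = "NOPASSWD:" if self.nopassword else ""
        for cmd in self.commands:
            # commands legitimately contain spaces and arguments; only a newline is fatal
            if "\n" in cmd or not cmd.strip():
                raise ValueError("bad command: %r" % cmd)
        commands_str = ", ".join(self.commands)
        # same layout as the module, with {host} in place of the hardcoded ALL
        return "{owner} {host}={runas}{nopasswd} {commands}\n".format(
            owner=owner, host=host_str, runas=runas_str,
            nopasswd=nopasswd_str, commands=commands_str)


def rule_applies_on(line: str, hostname: str) -> bool:
    """Return True if the rendered rule is in force on ``hostname``.

    Simplified Host_List matching (ALL or an exact, case-insensitive name;
    a leading '!' negates; last matching entry wins). Netgroups, CIDR
    ranges and aliases are not modelled. This is enough to show that a
    rule whose host field is not ALL does nothing when the file lands on
    the wrong machine, which is scenario 2 in the issue.
    """
    host_field = line.split("=", 1)[0].split()[1]
    matched = False
    for entry in host_field.split(","):
        negated = entry.startswith("!")
        name = entry.lstrip("!")
        if name == "ALL" or name.lower() == hostname.lower():
            matched = not negated
    return matched


if __name__ == "__main__":
    # constructed sample: let alice restart nginx as root, but only on web01
    rule = SudoRule(user="alice", host=["web01"], runas=["root"], nopassword=True,
                    commands=["/usr/bin/systemctl restart nginx"])
    line = rule.render()
    print(line, end="")
    for h in ("web01", "db01"):
        print("%-6s -> %s" % (h, "applies" if rule_applies_on(line, h) else "ignored"))
```

Whatever generates the file, run `visudo -cf /etc/sudoers.d/<file>` on the result before relying on it; the token filter above only blocks the obvious injection cases, it does not parse sudoers grammar. The host matcher is deliberately approximate: real sudo compares against the short or fully qualified hostname depending on the `fqdn` option, so pick the form your hosts actually report.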
@ansibullbot (Collaborator)

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibullbot (Collaborator)

cc @JonEllis @JonEllis0
