diff --git a/README.md b/README.md index ff442ce..a9227e9 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ Use the sudo resource to add or remove individual sudo entries using sudoers.d f Property | Description | Example Value | Default Value ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | --------------- `filename` | name of the `/etc/sudoers.d` file | restart-tomcat | resource's name -`commands` | array of commands this sudoer can execute | ['/etc/init.d/tomcat restart'] | ['ALL'] +`commands` | array of commands this sudoer can execute, they must contain a full path. Example: use `/usr/bin/tail` over `tail` | ['/etc/init.d/tomcat restart'] | ['ALL'] `groups` | group(s) to provide sudo privileges to. This accepts either an array or a comma separated list. Leading % on group names is optional. This property was named 'group' prior to the 5.1 cookbook release. | %admin,superadmin | [] `nopasswd` | allow running sudo without specifying a password sudo | true | false `noexec` | prevents commands from shelling out | true | false diff --git a/resources/default.rb b/resources/default.rb index aa1989f..791da5c 100644 --- a/resources/default.rb +++ b/resources/default.rb 
@@ -80,6 +80,24 @@ def platform_config_prefix end end +# Validates if each element in an array starts with `/` or is in +# ALL_CAPS. This is helpful for ensuring that the commands +# passing into the sudoers resource as they need a full path or a +# `Cmnd_Alias`. This should help people more easily catch issues +# where the user requested `tail SOME_ARGS SOME_FILE` where they +# need to use `/usr/bin/tail SOME_ARGS SOME_FILE`. +# return [TrueClass, FalseClass] +def validate_commands_path(commands) + commands.each do |command| + cmd = command.split(' ').first + if command.starts_with('/') || cmd.upcase == cmd + true + else + false + end + end +end + # Default action - install a single sudoer action :create do validate_properties @@ -96,6 +114,10 @@ def platform_config_prefix Chef::Log.warn("#{new_resource.filename} will be rendered, but will not take effect because the #{new_resource.config_prefix}/sudoers config lacks the includedir directive that loads configs from #{new_resource.config_prefix}/sudoers.d/!") if ::File.readlines("#{new_resource.config_prefix}/sudoers").grep(/includedir/).empty? + if new_resource.commands && !validate_commands_path(new_resource.commands) + Chef::Log.fatal('To restrict sudoer commands you must use absolute paths. For example to use `tail` you must specify `/usr/bin/tail` or whatever the appropriate path is for your system. This is becase someone could create a command called `tail` and put it in their path, sudo does not know which one to allow.') + end + if new_resource.template Chef::Log.debug('Template property provided, all other properties ignored.')
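Review bot: In the `resources/default.rb` hunk that adds `validate_commands_path`, the method never returns a boolean: `commands.each` returns the original array, and the `true`/`false` produced inside the block are discarded, so the caller's `!validate_commands_path(...)` is always false and the check can never fire. Replace the `each` loop with `commands.all? { |command| ... }` so the result is true only when every entry passes. The same block also calls `command.starts_with('/')`, which is not a Ruby core String method (the core method is `start_with?`) and would raise `NoMethodError` on the first non-alias command; it also tests the whole string rather than the extracted `cmd`, so `cmd.start_with?('/') || cmd.upcase == cmd` is the intended test. Consider guarding against an empty or whitespace-only entry, where `split(' ').first` is `nil` and `.upcase` raises, and note that the `cmd.upcase == cmd` branch accepts any all-caps token, not only a defined `Cmnd_Alias`. Finally, the doc comment `# return [TrueClass, FalseClass]` should be `# @return [TrueClass, FalseClass]` to match YARD style.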
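Review bot: In the `action :create` hunk, `Chef::Log.fatal(...)` only writes a log line and does not stop the converge, so a sudoers.d file containing an unqualified command such as `tail` is still rendered to disk after the message is printed. Since the message already tells the user the property is invalid, raise instead (for example `raise ArgumentError, '...'` or the validation exception used by `validate_properties` in this resource) so the bad entry is never written; doing this inside the existing `validate_properties` helper would also keep all property checks in one place. The message text has a typo, `becase`, which should be `because`.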
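Review bot: In the `README.md` hunk, the new `commands` description says entries "must contain a full path", but the validation added in the same change also accepts all-caps `Cmnd_Alias` names, and the property's own default `['ALL']` depends on that, so the documentation is narrower than the behaviour and reads as if the default were invalid. Suggested wording, which also fixes the comma splice: "array of commands this sudoer can execute; each must be an absolute path (use `/usr/bin/tail`, not `tail`) or a `Cmnd_Alias` name such as `ALL`".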