Ruby HTML
Latest commit 0f303a0 Mar 21, 2017 @tas50 tas50 Update apache2 license string
Signed-off-by: Tim Smith <tsmith@chef.io>
Permalink
Failed to load latest commit information.
.delivery Test with Local Delivery instead of Rake Mar 1, 2017
.github Update Github PR template Oct 23, 2016
attributes Update copyright headers Nov 25, 2016
files Move the file out of default Mar 1, 2017
libraries Add basic Chefspec matchers Mar 5, 2014
providers Cookstyle fixes Mar 1, 2017
recipes Move the file out of default Mar 1, 2017
resources Update copyright headers Nov 25, 2016
spec make base sudoers file use attributes for env_keep_add and env_keep_s… Oct 26, 2016
tasks Update copyright headers Nov 25, 2016
templates add lwrp support for only env_keep add/subtract Jan 27, 2017
test add lwrp support for only env_keep add/subtract Jan 27, 2017
.gitignore Testing updates Mar 1, 2017
.kitchen.dokken.yml Test with Local Delivery instead of Rake Mar 1, 2017
.kitchen.yml Test with Local Delivery instead of Rake Mar 1, 2017
.rubocop.yml Cookstyle fixes Mar 1, 2017
.travis.yml Update apache2 license string Mar 21, 2017
Berksfile Update platforms to test with test kitchen Jan 26, 2017
CHANGELOG.md Release 3.3.1 Jan 17, 2017
CONTRIBUTING.md Use the new contributing doc Sep 8, 2015
Gemfile Update apache2 license string Mar 21, 2017
LICENSE Update license file Feb 5, 2016
MAINTAINERS.md Spacing Dec 28, 2016
MAINTAINERS.toml Update maintainers wording and format [skip-ci] Sep 8, 2016
README.md Remove the development section Mar 1, 2017
TESTING.md Use the new testing doc Sep 8, 2015
chefignore Update ignore files Feb 5, 2016
metadata.rb Update apache2 license string Mar 21, 2017

README.md

sudo cookbook

Build Status Cookbook Version

The default recipe installs the sudo package and configures the /etc/sudoers file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.

Requirements

Platforms

  • Debian/Ubuntu
  • RHEL/CentOS/Scientific/Amazon/Oracle
  • FreeBSD
  • Mac OS X
  • openSUSE / Suse

Chef

  • Chef 12.1+

Cookbooks

  • None

Attributes

  • node['authorization']['sudo']['groups'] - groups to enable sudo access (default: [ "sysadmin" ])
  • node['authorization']['sudo']['users'] - users to enable sudo access (default: [])
  • node['authorization']['sudo']['passwordless'] - use passwordless sudo (default: false)
  • node['authorization']['sudo']['include_sudoers_d'] - include and manage /etc/sudoers.d (default: false)
  • node['authorization']['sudo']['agent_forwarding'] - preserve SSH_AUTH_SOCK when sudoing (default: false)
  • node['authorization']['sudo']['sudoers_defaults'] - Array of Defaults entries to configure in /etc/sudoers
  • node['authorization']['sudo']['setenv'] - Whether to permit preserving of environment with sudo -E (default: false)

Usage

Attributes

To use attributes for defining sudoers, set the attributes above on the node (or role) itself:

{
  "default_attributes": {
    "authorization": {
      "sudo": {
        "groups": ["admin", "wheel", "sysadmin"],
        "users": ["jerry", "greg"],
        "passwordless": "true"
      }
    }
  }
}
{
  "default_attributes": {
    "authorization": {
      "sudo": {
        "command_aliases": [{
          "name": "TEST",
          "command_list": [
            "/usr/bin/ls",
            "/usr/bin/cat"
          ]
        }],
        "custom_commands": {
          "users": [
            {
              "user": "test_user",
              "passwordless": true,
              "command_list": [
                "TEST"
              ]
            }
          ],
          "groups": [
            {
              "group": "test_group",
              "passwordless": false,
              "command_list": [
                "TEST"
              ]
            }
          ]
        }
      }
    }
  }
}
# roles/example.rb
default_attributes(
  "authorization" => {
    "sudo" => {
      "groups" => ["admin", "wheel", "sysadmin"],
      "users" => ["jerry", "greg"],
      "passwordless" => true
    }
  }
)

Note that the template for the sudoers file has the group "sysadmin" with ALL:ALL permission, though the group by default does not exist.

Sudoers Defaults

Configure a node attribute, node['authorization']['sudo']['sudoers_defaults'] as an array of Defaults entries to configure in /etc/sudoers. A list of examples for common platforms is listed below:

Debian

node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']

Ubuntu 12.04

node.default['authorization']['sudo']['sudoers_defaults'] = [
  'env_reset',
  'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
]

FreeBSD

node.default['authorization']['sudo']['sudoers_defaults'] = [
  'env_reset',
  'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
]

RHEL family 5.x The version of sudo in RHEL 5 may not support +=, as used in env_keep, so its a single string.

node.default['authorization']['sudo']['sudoers_defaults'] = [
  '!visiblepw',
  'env_reset',
  'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
               LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
               LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
               LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
               LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
               _XKB_CHARSET XAUTHORITY"'
]

RHEL family 6.x

node.default['authorization']['sudo']['sudoers_defaults'] = [
  '!visiblepw',
  'env_reset',
  'env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"',
  'env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"',
  'env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"',
  'env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"',
  'env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"',
  'env_keep += "HOME"',
  'always_set_home',
  'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'
]

Mac OS X

node.default['authorization']['sudo']['sudoers_defaults'] = [
  'env_reset',
  'env_keep += "BLOCKSIZE"',
  'env_keep += "COLORFGBG COLORTERM"',
  'env_keep += "__CF_USER_TEXT_ENCODING"',
  'env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"',
  'env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"',
  'env_keep += "LINES COLUMNS"',
  'env_keep += "LSCOLORS"',
  'env_keep += "TZ"',
  'env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"',
  'env_keep += "EDITOR VISUAL"',
  'env_keep += "HOME MAIL"'
]

Sudo Resource

Note Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the "#includedir" directive introduced in version 1.7.2. The recipe does not enforce installing the version. To use this LWRP, set node['authorization']['sudo']['include_sudoers_d'] to true.

There are two ways for rendering a sudoer-fragment using this LWRP:

  1. Using the built-in template
  2. Using a custom, cookbook-level template

Both methods will create the /etc/sudoers.d/#{resourcename} file with the correct permissions.

The LWRP also performs fragment validation. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).

Example using the built-in template:

sudo 'tomcat' do
  user      "%tomcat"    # or a username
  runas     'app_user'   # or 'app_user:tomcat'
  commands  ['/etc/init.d/tomcat restart']
end
sudo 'tomcat' do
  template    'my_tomcat.erb' # local cookbook template
  variables   :cmds => ['/etc/init.d/tomcat restart']
end

In either case, the following file would be generated in /etc/sudoers.d/tomcat

# This file is managed by Chef for node.example.com
# Do NOT modify this file directly.

%tomcat ALL=(app_user) /etc/init.d/tomcat restart

Resource Properties

Attribute Description Example Default
name name of the `/etc/sudoers.d` file restart-tomcat current resource name
commands array of commands this sudoer can execute ['/etc/init.d/tomcat restart'] ['ALL']
group group to provide sudo privileges to, except `%` is prepended to the name in case it is not already %admin
nopasswd supply a password to invoke sudo true false
noexec prevents commands from shelling out true false
runas User the command(s) can be run as root ALL
template the erb template to render instead of the default restart-tomcat.erb
user user to provide sudo privileges to tomcat
defaults array of defaults this user has ['!requiretty','env_reset']
setenv whether to permit the preserving of environment with `sudo -E` true
env_keep_add array of strings to add to env_keep ['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']
env_keep_subtract array of strings to remove from env_keep ['DISPLAY', 'MY_SECURE_ENV_VAR']
variables the variables to pass to the custom template :commands => ['/etc/init.d/tomcat restart']

If you use the template attribute, all other attributes will be ignored except for the variables attribute.

License & Authors

Author: Bryan W. Berry bryan.berry@gmail.com

Author: Cookbook Engineering Team (cookbooks@chef.io)

Copyright: 2008-2016, Chef Software, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.