An Ansible role for configuring the /etc/sudoers file and /etc/sudoers.d files.
This role makes it possible to completely define your sudoers configuration with Ansible. All of the following are configurable:
- defaults
- aliases
- Users
- Runas
- Hosts
- Commands
- specifications
Tip: Here's a great document about sudoers configuration
By default this role configures and manages all sudo specs. The following variables control that behaviour:

Variable Name | Description | Default Value | Variable Type
---|---|---|---
sudoer_rewrite_sudoers_file | Use role default or user defined default_specs replacing distro supplied /etc/sudoers file. | True | boolean
sudoer_remove_unauthorized_specs | Each existing sudoer spec on the filesystem not generated by this role's values will be removed. Very Dangerous. | False | boolean
sudoer_separate_specs | Each sudoer spec will be placed in a separate file within the /etc/sudoers.d/ directory. | True | boolean
sudoer_separate_specs_cleanup | Remove any remaining files in /etc/sudoers.d if sudoer_separate_specs is set to False. If this value is set to False, the existing files from a previous configuration will be untouched. Set to True if you want this role's configuration to be your source of truth and remove old files. | False | boolean
sudoer_backup | Whether or not to create a backup of a changed /etc/sudoers file (does not pertain to files to be removed or individual spec files). Backup of individual spec files could create problematic configurations, as they will exist as a separate spec in the /etc/sudoers.d directory. | True | boolean
```yaml
sudoer_aliases: {}
sudoer_specs: []
sudoer_defaults:
  # - requiretty (disabled, just uncomment if required)
  - "!visiblepw"
  - always_set_home
  - env_reset
  - env_keep:
      - COLORS
      - DISPLAY
      - HOSTNAME
      - HISTSIZE
      - INPUTRC
      - KDEDIR
      - LS_COLORS
      - MAIL
      - PS1
      - PS2
      - QTDIR
      - USERNAME
      - LANG
      - LC_ADDRESS
      - LC_CTYPE
      - LC_COLLATE
      - LC_IDENTIFICATION
      - LC_MEASUREMENT
      - LC_MESSAGES
      - LC_MONETARY
      - LC_NAME
      - LC_NUMERIC
      - LC_PAPER
      - LC_TELEPHONE
      - LC_TIME
      - LC_ALL
      - LANGUAGE
      - LINGUAS
      - _XKB_CHARSET
      - XAUTHORITY
  - secure_path: /sbin:/bin:/usr/sbin:/usr/bin
sudoer_separate_specs: True
sudoer_rewrite_sudoers_file: True
sudoer_remove_unauthorized_specs: False
sudoer_separate_specs_cleanup: False
sudoer_backup: True
```
```yaml
# host alias
name: string
hosts: string|[hostnames]
comment: string  # precedes the alias with a comment

# user alias
name: string
users: string|[username|%group]
comment: string  # precedes the alias with a comment

# runas alias
name: string
users: string|[username|%group|#uid]
comment: string  # precedes the alias with a comment

# cmnd alias
name: string
commands: string|[string]
comment: string  # precedes the alias with a comment

# sudoer specification
name: string
users: string|[string]
hosts: string|[string]
operators: string|[string]
commands: string|[string]  # required; see the specification properties below
tags: string|[string]
comment: string  # precedes the spec with a comment
defaults: string|[string]
```
## Other Variables

- sudoer_aliases: a dictionary that specifies which aliases to configure
  - sudoer_aliases.host: a list of host alias descriptions
  - sudoer_aliases.user: a list of user or group alias descriptions
  - sudoer_aliases.runas: a list of runas alias descriptions
  - sudoer_aliases.command: a list of command alias descriptions
- sudoer_specs: a list of sudoer specifications
- sudoer_defaults: a list of default settings
  - can be any of the following types
    - string
    - string: string
    - string: [string]
The top level /etc/sudoers file can be kept as light as possible by specifying sudoer_separate_specs: True in either the role's defaults/main.yml or your playbook's variables. Please be aware that sudoer_separate_specs is set to True by default, and therefore your changes will be expected in /etc/sudoers.d unless it is set to False.

If sudoer_separate_specs is set to False, the role will include all defaults and aliases in /etc/sudoers rather than breaking the specs out into their own files in /etc/sudoers.d/.
All sudoer specifications will each be placed in their own file within the /etc/sudoers.d/ directory. A specification consists of the following:

- name: the name of the specification (file name in /etc/sudoers.d/)
- users: user list or user alias
- hosts: host list or host alias
- operators: operator list or runas alias
- commands: command list or

The following properties are optional:

- tags: list of tags (ex: NOPASSWD)
- comment: A comment you'd like to add to your spec for clarity

Valid sudoer tags are: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.
User/Group specific defaults can be added to the defaults list by prefixing the entry with ':' followed by the user/group, then whitespace, then the option. For example:

```yaml
---
sudoer_defaults:
  - :MONITOR_USER !logfile
```

This will generate the line:

```
Defaults:MONITOR_USER !logfile
```
```yaml
- hosts: "all"
  roles:
    - role: "wtcross.sudoers"
      sudoer_aliases:
        user:
          - name: "ADMINS"
            comment: "Group of admin users"
            users:
              - "%admin"
        runas:
          - name: "ROOT"
            comment: "Root stuff"
            users:
              - "#0"
        host:
          - name: "SERVERS"
            comment: "XYZ servers"
            hosts:
              - "192.168.0.1"
              - "192.168.0.2"
        command:
          - name: "ADMIN_CMNDS"
            comment: "Stuff admins need"
            commands:
              - "/usr/sbin/passwd"
              - "/usr/sbin/useradd"
              - "/usr/sbin/userdel"
              - "/usr/sbin/usermod"
              - "/usr/sbin/visudo"
      sudoer_specs:
        - name: "administrators"
          comment: "Stuff for admins"
          users: "ADMINS"   # must match the user alias defined above
          hosts: "SERVERS"
          operators: "ROOT"
          tags: "NOPASSWD"
          commands: "ADMIN_CMNDS"
          defaults:
            - '!requiretty'
```
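Because a spec that names an alias the role never defined is still accepted by sudo (the upper-case word is simply treated as a literal user, host or command), it is worth checking the variables before running the play. The following is an added example, not the role's own code: it validates a sudoer_aliases/sudoer_specs pair against the rules above (defined aliases, valid tags) and renders a spec in sudoers(5) syntax; the rendered text follows that syntax, not necessarily the role's template byte for byte.

```python
# Added pre-flight check for this role's variables (not the role's own code);
# rendered output follows sudoers(5) syntax, not necessarily the role's template.
VALID_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
# spec key -> sudoer_aliases sub-key whose aliases it may reference
ALIAS_KIND = {"users": "user", "hosts": "host",
              "operators": "runas", "commands": "command"}


def _as_list(value):
    """The role accepts string|[string]; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def validate(aliases, specs):
    """Return problems found (empty list means consistent).
    Upper-case entries are alias references in sudoers; one that is neither a
    defined alias nor ALL would be read by sudo as a literal name."""
    defined = {kind: {a["name"] for a in aliases.get(kind, [])}
               for kind in ALIAS_KIND.values()}
    problems = []
    for spec in specs:
        for key, kind in ALIAS_KIND.items():
            for item in _as_list(spec.get(key, [])):
                if item.isupper() and item != "ALL" and item not in defined[kind]:
                    problems.append(f"{spec['name']}: {key} references undefined "
                                    f"{kind} alias {item}")
        for tag in _as_list(spec.get("tags", [])):
            if tag not in VALID_TAGS:
                problems.append(f"{spec['name']}: unknown tag {tag}")
    return problems


def render_spec(spec):
    """Render one specification as a sudoers user specification line."""
    def join(key):
        return ", ".join(_as_list(spec[key]))
    tags = "".join(f"{t}: " for t in _as_list(spec.get("tags", [])))
    return f"{join('users')} {join('hosts')} = ({join('operators')}) {tags}{join('commands')}"


# Constructed input mirroring the README's playbook, with the ADMIN/ADMINS mismatch.
ALIASES = {"user": [{"name": "ADMINS", "users": ["%admin"]}],
           "runas": [{"name": "ROOT", "users": ["#0"]}],
           "host": [{"name": "SERVERS", "hosts": ["192.168.0.1", "192.168.0.2"]}],
           "command": [{"name": "ADMIN_CMNDS", "commands": ["/usr/sbin/passwd"]}]}
SPECS = [{"name": "administrators", "users": "ADMIN", "hosts": "SERVERS",
          "operators": "ROOT", "tags": "NOPASSWD", "commands": "ADMIN_CMNDS"}]
```

Running `validate(ALIASES, SPECS)` reports the dangling ADMIN reference; with `users` corrected to "ADMINS" it returns no problems and `render_spec` yields `ADMINS SERVERS = (ROOT) NOPASSWD: ADMIN_CMNDS`.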
The host operating system must be a member of one of the following OS families:
- Debian
- RedHat
- SUSE