Showing
8 changed files
with
223 additions
and
166 deletions.
@@ -0,0 +1,90 @@ | ||
## sudoers file. | ||
## | ||
## This file MUST be edited with the 'visudo' command as root. | ||
## Failure to use 'visudo' may result in syntax or file permission errors | ||
## that prevent sudo from running. | ||
## | ||
## See the sudoers man page for the details on how to write a sudoers file. | ||
## | ||
|
||
## | ||
## Host alias specification | ||
## | ||
## Groups of machines. These may include host names (optionally with wildcards), | ||
## IP addresses, network numbers or netgroups. | ||
# Host_Alias WEBSERVERS = www1, www2, www3 | ||
|
||
## | ||
## User alias specification | ||
## | ||
## Groups of users. These may consist of user names, uids, Unix groups, | ||
## or netgroups. | ||
# User_Alias ADMINS = millert, dowdy, mikef | ||
|
||
## | ||
## Cmnd alias specification | ||
## | ||
## Groups of commands. Often used to group related commands together. | ||
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ | ||
# /usr/bin/pkill, /usr/bin/top | ||
|
||
## | ||
## Defaults specification | ||
## | ||
## You may wish to keep some of the following environment variables | ||
## when running commands via sudo. | ||
## | ||
## Locale settings | ||
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" | ||
## | ||
## Run X applications through sudo; HOME is used to find the | ||
## .Xauthority file. Note that other programs use HOME to find | ||
## configuration files and this may lead to privilege escalation! | ||
# Defaults env_keep += "HOME" | ||
## | ||
## X11 resource path settings | ||
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" | ||
## | ||
## Desktop path settings | ||
# Defaults env_keep += "QTDIR KDEDIR" | ||
## | ||
## Allow sudo-run commands to inherit the callers' ConsoleKit session | ||
# Defaults env_keep += "XDG_SESSION_COOKIE" | ||
## | ||
## Uncomment to enable special input methods. Care should be taken as | ||
## this may allow users to subvert the command being run via sudo. | ||
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" | ||
## | ||
## Uncomment to enable logging of a command's output, except for | ||
## sudoreplay and reboot. Use sudoreplay to play back logged sessions. | ||
# Defaults log_output | ||
# Defaults!/usr/bin/sudoreplay !log_output | ||
# Defaults!/usr/local/bin/sudoreplay !log_output | ||
# Defaults!/sbin/reboot !log_output | ||
|
||
## | ||
## Runas alias specification | ||
## | ||
|
||
## | ||
## User privilege specification | ||
## | ||
root ALL=(ALL) ALL | ||
|
||
## Uncomment to allow members of group wheel to execute any command | ||
# %wheel ALL=(ALL) ALL | ||
|
||
## Same thing without a password | ||
# %wheel ALL=(ALL) NOPASSWD: ALL | ||
|
||
## Uncomment to allow members of group sudo to execute any command | ||
# %sudo ALL=(ALL) ALL | ||
|
||
## Uncomment to allow any user to run sudo if they know the password | ||
## of the user they are running the command as (root by default). | ||
# Defaults targetpw # Ask for the password of the target user | ||
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' | ||
|
||
## Read drop-in files from /etc/sudoers.d | ||
## (the '#' here does not indicate a comment) | ||
#includedir /etc/sudoers.d |
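Review bot: The header on the first lines tells operators this file "MUST be edited with the 'visudo' command", but it appears to be the static file the init.pp hunk later in this commit pushes to `/etc/sudoers` on every run, so any edit made on the host with visudo is silently reverted at the next agent run; a note such as `## Managed by Puppet (module sudo): local edits are overwritten; change the module source instead.` at the top would prevent that surprise. With `root ALL=(ALL) ALL` as the only live rule, every real grant arrives through `#includedir /etc/sudoers.d`, so the parseability of each drop-in decides whether sudo works at all on the host — worth stating next to the `#includedir` line, since the `##` comment there only explains the leading `#`. The `Defaults` block is entirely commented out, which is fine for a template, but a one-line comment saying the module deliberately relies on sudo's built-in defaults (env_reset and friends) would make that a decision rather than an omission.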
This file was deleted.
@@ -0,0 +1,27 @@ | ||
define sudo::conf ( | ||
$ensure = "present", | ||
$content = "", | ||
$source = "") { | ||
|
||
file { "/etc/sudoers.d/${name}": | ||
ensure => $ensure, | ||
owner => root, | ||
group => root, | ||
mode => 440, | ||
content => $content ? { | ||
"" => undef, | ||
default => $content, | ||
}, | ||
source => $source ? { | ||
"" => undef, | ||
default => $source, | ||
}, | ||
notify => Exec["sudo-syntax-check $name"], | ||
require => [ Package["sudo"], File["/etc/sudoers.d"], ], | ||
} | ||
|
||
exec { "sudo-syntax-check $name": | ||
command => "visudo -c -f /etc/sudoers.d/${name} || ( rm -f /etc/sudoers.d/${name} && exit 1)", | ||
refreshonly => true, | ||
} | ||
} |
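Review bot: The exec `sudo-syntax-check $name` runs the unqualified commands `visudo` and `rm` with no `path` parameter, which Puppet's exec type rejects when the catalog is applied (a command must be fully qualified or a `path` given), so the syntax check never actually executes; add `path => '/usr/sbin:/usr/bin:/bin',` and, if the agent's default exec provider runs without a shell, `provider => shell,` so the `||`/`&&` chain is honoured — confirm against the Puppet version the module targets. Even when it runs, the check is after the fact: the fragment is live under `#includedir` from the moment the file resource writes it, a parse error there makes sudo refuse every invocation until the exec removes the file, and the next run recreates it and repeats the cycle. On agents that support it, `validate_cmd => '/usr/sbin/visudo -c -f %',` on the file resource checks the staged content before it replaces the live file and would make the exec unnecessary. `mode => 440` is an unquoted number; the quoted `'0440'` form is what newer Puppet releases require.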
@@ -0,0 +1,37 @@ | ||
define sudo::entry ( | ||
$ensure = "present", | ||
$comment = "", | ||
$user_alias = "", | ||
$runas_alias = "", | ||
$host_alias = "", | ||
$cmnd_alias = "", | ||
$tag_spec = "", | ||
$option = "", | ||
$user = "$name", | ||
$command = "") { | ||
|
||
# sudo skipping file names that contain a "." | ||
$alias_name = regsubst($name, '\.', '-', 'G') | ||
|
||
if $host_alias == "" { | ||
$host = "ALL" | ||
} else { | ||
$host = "$alias_name" | ||
} | ||
|
||
if $runas_alias == "" { | ||
$runas = "ALL" | ||
} else { | ||
$runas = "$alias_name" | ||
} | ||
|
||
if $cmnd_alias == "" { | ||
$cmd = $command | ||
} else { | ||
$cmd = "$alias_name" | ||
} | ||
sudo::conf { "sudo_entry_${name}": | ||
ensure => $ensure, | ||
content => template("sudo/sudoers.entry.erb"), | ||
} | ||
} |
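Review bot: The comment above the `regsubst` line says sudo skips drop-in names containing a ".", but the sanitised `$alias_name` is used only for the alias names while the drop-in itself is declared as `sudo::conf { "sudo_entry_${name}":`, so an entry named like `web.example` still produces a file that `#includedir` silently ignores; the declaration should be `sudo::conf { "sudo_entry_${alias_name}":`. Conversely, sudoers alias names must consist of uppercase letters, digits and underscores, so substituting `-` for `.` yields an alias sudo rejects with a parse error whenever the original name contains a dot — substitute `_` instead (`regsubst($name, '\.', '_', 'G')`) and upper-case it before use (stdlib's `upcase`, if available); how the alias is emitted cannot be checked here because the template sudo/sudoers.entry.erb is outside this diff. `$user = "$name"` and `$host = "$alias_name"` quote a bare variable; the unquoted `$name` / `$alias_name` is the idiom puppet-lint expects.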
@@ -1,130 +1,19 @@ | ||
# Class: sudo | ||
# | ||
# Installs sudo and manages config files for sudo. You most likely want to | ||
# include a sudoer_line as well, so that someone can sudo. | ||
# | ||
# Usage | ||
# include sudo | ||
# | ||
class sudo { | ||
include concat::setup | ||
include sudo::params | ||
|
||
package { 'sudo': | ||
name => "${params::package_name}", | ||
ensure => present, | ||
} | ||
|
||
concat { "${sudo::params::sudoers_file}": | ||
owner => root, | ||
group => root, | ||
mode => 440, | ||
require => Package['sudo'], | ||
} | ||
} | ||
|
||
# Define: sudo::sudoer_line | ||
# | ||
# Adds a line to /etc/sudoers via concat. | ||
# | ||
# This is lower level than will be used on individual nodes, and some smarter | ||
# wrappers are provided. Consider using sudo::sudoer and sudo::default. | ||
# | ||
# Parameters | ||
# $line - The line to put in sudoers. | ||
# | ||
# Usage: | ||
# # Give the group wheel sudo access the hard way. | ||
# sudo::sudoer_line{"wheel_sudo": | ||
# $line => "%wheel ALL=(ALL) ALL", | ||
# } | ||
# | ||
define sudo::sudoers_line ($line) { | ||
|
||
concat::fragment { "$name": | ||
target => "${sudo::params::sudoers_file}", | ||
content => "${line}\n", | ||
} | ||
} | ||
|
||
# Define: sudo::sudoer | ||
# | ||
# Grants full sudo access to the named user or group. | ||
# | ||
# Parameters: | ||
# $name - The name variable. This user/group will be granted sudo access. | ||
# If the name starts with a '%', it refers to a group, otherwise a user. | ||
# | ||
# $users - The list of users that $name is allowed to 'impersonate' with | ||
# sudo. Default: "ALL". | ||
# | ||
# $commands - The list of commands that $name is allowed to run with sudo. | ||
# Default "ALL". | ||
# | ||
# $password - If true, a password will be required for sudo. If false, a | ||
# password will not be required. Default: true. | ||
# | ||
# Usage | ||
# # Give the group 'wheel' full access to password protected sudo. | ||
# sudo::sudoer {"%wheel":} | ||
# | ||
# # Give the user 'mike' access to impersonate only 'apache' without a password | ||
# sudo::sudoer {"mike": $users="apache", password => false,} | ||
# | ||
define sudo::sudoer ($users="ALL", $commands="ALL", $password=true) { | ||
$passwd = $password ? { | ||
false => "NOPASSWD:", | ||
default => "PASSWD:", | ||
} | ||
# Hack hack - http://projects.puppetlabs.com/issues/show/2990 | ||
$users_str = inline_template("<%= if users.is_a?(String) then users; else users.join(',') end %>") | ||
$commands_str = inline_template("<%= if commands.is_a?(String) then commands; else commands.join(',') end %>") | ||
|
||
sudoers_line { "${name}_sudoer": | ||
line => "${name} ALL=(${users_str}) ${passwd}${commands_str}", | ||
} | ||
} | ||
|
||
# Define: sudo::default | ||
# | ||
# Defines defaults for sudo | ||
# | ||
# Parameters: | ||
# $name - The name variable. Only used as a part of the file name. | ||
# | ||
# $option - The option to give to defaults. May be a string or an array of | ||
# strings. Required. | ||
# | ||
# $sudoers - The list of sudoers this default applies to. If none given, then | ||
# the default is global. May be a string or an array of strings. Sudoers | ||
# with % before their name refer to groups. | ||
# | ||
# Usage: | ||
# sudo::default { 'env_reset': | ||
# option => 'env_reset', | ||
# } | ||
# | ||
# sudo::default { 'wheel_env': | ||
# option => '!env_reset', | ||
# sudoers => '%wheel', | ||
# } | ||
# | ||
# sudo::default { 'admins': | ||
# option => ['timestamp_timeout=10', '!tty_tickets'], | ||
# sudoers => ['bob', 'fred', 'alice'], | ||
# } | ||
# | ||
define sudo::default ($option, $sudoers="") { | ||
# Hack hack - http://projects.puppetlabs.com/issues/show/2990 | ||
$sudoers_str = $sudoers ? { | ||
"" => "", | ||
default => inline_template( | ||
"<%= if sudoers.is_a?(String) then (':'+sudoers); else (':'+sudoers.join(',')) end %>" | ||
) | ||
class sudo ($ensure = "latest") { | ||
package { "sudo": | ||
ensure => $ensure, | ||
} | ||
$option_str = inline_template("<%= if option.is_a?(String) then option; else option.join(',') end %>") | ||
|
||
sudoers_line { "${name}_default": | ||
line => "Defaults${sudoers_str} ${option_str}", | ||
file { | ||
"/etc/sudoers": | ||
ensure => present, | ||
owner => root, | ||
group => root, | ||
mode => 440, | ||
source => "puppet:///modules/sudo/sudoers"; | ||
"/etc/sudoers.d": | ||
ensure => directory, | ||
owner => root, | ||
group => root, | ||
mode => 750; | ||
} | ||
} |
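Review bot: Neither new `file` resource is ordered after `Package['sudo']` (the concat resource they replace carried `require => Package['sudo']`), so on a host where sudo is not yet installed Puppet may write `/etc/sudoers` and `/etc/sudoers.d` before the package, and the package's own config handling may then replace or complain about the pre-existing file; add `require => Package['sudo'],` to both `"/etc/sudoers":` and `"/etc/sudoers.d":`. `/etc/sudoers` is replaced from a static module file with no syntax check at all, unlike the drop-ins that sudo::conf guards with `visudo -c`, so a typo in that file locks sudo on every managed host at once; `validate_cmd => '/usr/sbin/visudo -c -f %',` on agents that support it would apply the same guard to the main file. The class default `$ensure = "latest"` turns every agent run into a possible upgrade of a setuid-root binary outside any change window; `present` is the conventional default, with `latest` opted into per node. The removed sudo::sudoer and sudo::default defines have no replacement visible in this diff beyond sudo::entry, which the commit message should say for anyone still declaring them.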
This file was deleted.
This file was deleted.