LWRP to manage sudo files via includedir (/etc/sudoers.d)

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Component/s: sudo
  • Labels:
    None

Description

Will require sudo 1.7.1+ (currently available in centos 5.5, ubuntu lucid and debian squeeze+). Drop off templates in /etc/sudoers.d (which should be configured via an attribute).

Issue Links

is duplicated by

Improvement - An improvement or enhancement to an existing feature or task. COOK-1108 Add support for /etc/sudoers.d to the sudo cookbook

  • Minor - Minor loss of function, or other problem where easy workaround is present.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.

Improvement - An improvement or enhancement to an existing feature or task. COOK-892 add support for managing sudoers fragments in /etc/sudoers.d

  • Unknown - Issue untriaged, priority unassigned or questioned
  • Closed - The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Patrick Connolly added a comment -

Marked duplicate http://tickets.opscode.com/browse/COOK-796

Show
Patrick Connolly added a comment - Marked duplicate http://tickets.opscode.com/browse/COOK-796
Hide
Permalink
Mathieu Sauve-Frankel added a comment -

Has anyone actually worked on this ? I have an implementation in my tree that I was planning on pushing to github today for review.

Show
Mathieu Sauve-Frankel added a comment - Has anyone actually worked on this ? I have an implementation in my tree that I was planning on pushing to github today for review.
Hide
Permalink
jtimberman added a comment -

The intention of the COOK-350 ticket is to implement a resource that would look like the following:

sudo "Restart Tomcat" do
  user "%tomcat" # or a username
  runas "app_user" # or "app_user : tomcat"
  commands ["/etc/init.d/tomcat restart"] # array of commands, will be .join(",")
  host "ALL"
  nopasswd false # true prepends the runas_spec with NOPASSWD
end

# results in a sudoers.d file:
# %tomcat ALL=(app_user) /etc/init.d/tomcat restart

The most simple thing is to concatenate the parameters of the sudo resource and use a `file` resource with the `content` parameter.

Additionally, we'd add an attribute that tells the default /etc/sudoers if it should includedir, which would enable the LWRPs dropped-off sudoers.d files. Make sense?

Show
jtimberman added a comment - The intention of the COOK-350 ticket is to implement a resource that would look like the following: sudo "Restart Tomcat" do user "%tomcat" # or a username runas "app_user" # or "app_user : tomcat" commands [ "/etc/init.d/tomcat restart" ] # array of commands, will be .join( "," ) host "ALL" nopasswd false # true prepends the runas_spec with NOPASSWD end # results in a sudoers.d file: # %tomcat ALL=(app_user) /etc/init.d/tomcat restart The most simple thing is to concatenate the parameters of the sudo resource and use a `file` resource with the `content` parameter. Additionally, we'd add an attribute that tells the default /etc/sudoers if it should includedir, which would enable the LWRPs dropped-off sudoers.d files. Make sense?
Hide
Permalink
jtimberman added a comment -

The attribute should be "node['sudo']['includedir']" and will be false by default, since not all currently platforms have a sudo that supports this directive in the configuration.

Show
jtimberman added a comment - The attribute should be "node ['sudo'] ['includedir'] " and will be false by default, since not all currently platforms have a sudo that supports this directive in the configuration.
Hide
Permalink
Mathieu Sauve-Frankel added a comment - - edited

Something like this for the actual file resource ? 

file "/etc/sudoers.d/#{new_resource.name.downcase.gsub('\s', '_')}" do
  owner "root"
  group "root"
  mode  0440
  content "#{user} #{host}=(#{run_as}) #{nopasswd} #{commands}"
end
Show
Mathieu Sauve-Frankel added a comment - - edited Something like this for the actual file resource ? file "/etc/sudoers.d/#{new_resource.name.downcase.gsub('\s', '_')}" do owner "root" group "root" mode 0440 content "#{user} #{host}=(#{run_as}) #{nopasswd} #{commands}" end
Hide
Permalink
Bryan W. Berry added a comment -

https://github.com/opscode/cookbooks/pull/302

Show
Bryan W. Berry added a comment - https://github.com/opscode/cookbooks/pull/302
Hide
Permalink
Patrick Connolly added a comment - - edited

Love it, Bryan. I'll give er a go later


http://www.manpagez.com/man/5/sudoers/sudoers-1.7.0.php
CTRL-F "#include"

The #includedir directive only exists in sudo 1.7.1+. While #include is present, it seems from this blog post that wildcards like in "#include sudoers.d/*" don't work:
http://elizabeth.caltech.edu/2009/06/10/more-sudo-goodness

Hmmm.. seems backports are required...

Might it be worth adding an apt dep to the sudo cookbook and pulling in a backport, for consistency across systems?

Or maybe the sudo cookbook could just "fake it" by scanning the sudoers.d dir with a ruby_block resource and adding explicit #include lines for each file to /etc/sudoers? If I understand correctly, that would require a "notifies" resource attribute on each sudo resource, which makes this sound overly hacky...

Show
Patrick Connolly added a comment - - edited Love it, Bryan. I'll give er a go later — http://www.manpagez.com/man/5/sudoers/sudoers-1.7.0.php CTRL-F "#include" The #includedir directive only exists in sudo 1.7.1+. While #include is present, it seems from this blog post that wildcards like in "#include sudoers.d/*" don't work: http://elizabeth.caltech.edu/2009/06/10/more-sudo-goodness Hmmm.. seems backports are required... Might it be worth adding an apt dep to the sudo cookbook and pulling in a backport, for consistency across systems? Or maybe the sudo cookbook could just "fake it" by scanning the sudoers.d dir with a ruby_block resource and adding explicit #include lines for each file to /etc/sudoers? If I understand correctly, that would require a "notifies" resource attribute on each sudo resource, which makes this sound overly hacky...
Hide
Permalink
Bryan W. Berry added a comment -

Patcon, that could work, however I probably won't have time to refactor the sudo lwrp for a couple weeks as I am currently embroiled in postgresql and chef-server ckbks

Show
Bryan W. Berry added a comment - Patcon, that could work, however I probably won't have time to refactor the sudo lwrp for a couple weeks as I am currently embroiled in postgresql and chef-server ckbks
Hide
Permalink
jtimberman added a comment -

Does this need further consideration for older versions of sudo then? Reopening based on the discussion above.

Show
jtimberman added a comment - Does this need further consideration for older versions of sudo then? Reopening based on the discussion above.
Hide
Permalink
Fletcher Nichol added a comment - - edited

Any reason that the #includedir line is included mid-file rather than at the end? If a user is added in /etc/sudoers.d/jdoe with password-less sudo and they also belong to a group requiring a password, then the group line "wins" and trumps the /etc/sudoers.d/jdoe version.

(https://github.com/bryanwb/cookbooks/commit/4d157277e485b6e9f0da8f588c41013addf43e11#L7R12)

Show
Fletcher Nichol added a comment - - edited Any reason that the #includedir line is included mid-file rather than at the end? If a user is added in /etc/sudoers.d/jdoe with password-less sudo and they also belong to a group requiring a password, then the group line "wins" and trumps the /etc/sudoers.d/jdoe version. ( https://github.com/bryanwb/cookbooks/commit/4d157277e485b6e9f0da8f588c41013addf43e11#L7R12 )
Hide
Permalink
Bryan W. Berry added a comment - - edited

lol, because the sudoers rpm/debian packages always put it there

Your are correct, it should be at the bottom

good catch fletcher!

Show
Bryan W. Berry added a comment - - edited lol, because the sudoers rpm/debian packages always put it there Your are correct, it should be at the bottom good catch fletcher!
Hide
Permalink
Bryan McLellan [Opscode] added a comment -

COOK-1108 is duplicating this. Any status update here? Can we get a new pull request?

Show
Bryan McLellan [Opscode] added a comment - COOK-1108 is duplicating this. Any status update here? Can we get a new pull request?
Hide
Permalink
jtimberman added a comment -

I went ahead and merged the pull request and Fletcher's additional commit into the new opscode-cookbooks/sudo repository.

https://github.com/opscode-cookbooks/sudo/commit/a59b60d7258a885bb41f2af416def2a1fcdb7df4

Marking resolved/merged. This will be in the next release of the cookbook. Thanks all!

Show
jtimberman added a comment - I went ahead and merged the pull request and Fletcher's additional commit into the new opscode-cookbooks/sudo repository. https://github.com/opscode-cookbooks/sudo/commit/a59b60d7258a885bb41f2af416def2a1fcdb7df4 Marking resolved/merged. This will be in the next release of the cookbook. Thanks all!
Hide
Permalink
jtimberman added a comment -

This is released in v1.1.0. Thanks!

Show
jtimberman added a comment - This is released in v1.1.0. Thanks!

People

  • Assignee:
    Bryan W. Berry
    Reporter:
    jtimberman
Vote (0)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved: