oefenweb / ansible-sudoers

Ansible role to manage sudoers and sudoers.d in Debian-like systems

License: MIT License

ansible sudoers privileges ubuntu debian manage-sudoers

sudoers

Manage sudoers and sudoers.d in Debian-like systems.

Requirements

None

Variables

  • sudoers_sudoers: /etc/sudoers file declarations
  • sudoers_sudoers.defaults [default: see defaults/main.yml]: Default configuration options (Defaults entries)
  • sudoers_sudoers.host_aliases [default: []]: A list of aliases of type Host_Alias
  • sudoers_sudoers.host_aliases.name: Name of the alias
  • sudoers_sudoers.host_aliases.members: Member(s) of the alias
  • sudoers_sudoers.user_aliases [default: []]: A list of aliases of type User_Alias
  • sudoers_sudoers.user_aliases.name: Name of the alias
  • sudoers_sudoers.user_aliases.members: Member(s) of the alias
  • sudoers_sudoers.cmnd_aliases [default: []]: A list of aliases of type Cmnd_Alias
  • sudoers_sudoers.cmnd_aliases.name: Name of the alias
  • sudoers_sudoers.cmnd_aliases.members: Member(s) of the alias
  • sudoers_sudoers.runas_aliases [default: []]: A list of aliases of type Runas_Alias
  • sudoers_sudoers.runas_aliases.name: Name of the alias
  • sudoers_sudoers.runas_aliases.members: Member(s) of the alias
  • sudoers_sudoers.privileges [default: see defaults/main.yml]: List of privileges
  • sudoers_sudoers.privileges.name: Name of a user or group (a group is prefixed with '%')
  • sudoers_sudoers.privileges.entry: A privilege entry, e.g. "ALL=(ALL:ALL) ALL"
  • sudoers_sudoers_d_files [default: {}]: /etc/sudoers.d/* file(s) declarations
  • sudoers_sudoers_d_files.key: The name of the sudoers.d configuration file (e.g. vagrant; sudo skips files whose name contains a '.' or ends in '~', so avoid those)
  • sudoers_sudoers_d_files.key.defaults [default: []]: Default configuration options (Defaults entries)
  • sudoers_sudoers_d_files.key.host_aliases [default: []]: A list of aliases of type Host_Alias
  • sudoers_sudoers_d_files.key.host_aliases.name: Name of the alias
  • sudoers_sudoers_d_files.key.host_aliases.members: Member(s) of the alias
  • sudoers_sudoers_d_files.key.user_aliases [default: []]: A list of aliases of type User_Alias
  • sudoers_sudoers_d_files.key.user_aliases.name: Name of the alias
  • sudoers_sudoers_d_files.key.user_aliases.members: Member(s) of the alias
  • sudoers_sudoers_d_files.key.cmnd_aliases [default: []]: A list of aliases of type Cmnd_Alias
  • sudoers_sudoers_d_files.key.cmnd_aliases.name: Name of the alias
  • sudoers_sudoers_d_files.key.cmnd_aliases.members: Member(s) of the alias
  • sudoers_sudoers_d_files.key.runas_aliases [default: []]: A list of aliases of type Runas_Alias
  • sudoers_sudoers_d_files.key.runas_aliases.name: Name of the alias
  • sudoers_sudoers_d_files.key.runas_aliases.members: Member(s) of the alias
  • sudoers_sudoers_d_files.key.privileges [default: []]: List of privileges
  • sudoers_sudoers_d_files.key.privileges.name: Name of a user or group (a group is prefixed with '%')
  • sudoers_sudoers_d_files.key.privileges.entry: A privilege entry, e.g. "ALL=(ALL:ALL) ALL"
  • sudoers_sudoers_d_directory_mode [default: keep as is]: Directory mode for /etc/sudoers.d, e.g. '0750'

Dependencies

None

Example(s)

Simple configuration

---
- hosts: all
  roles:
    - oefenweb.sudoers

Complex configuration

---
- hosts: all
  roles:
    - oefenweb.sudoers
  vars:
    sudoers_sudoers:
      defaults:
        - env_reset
        - exempt_group=sudo
        - mail_badpass
        - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      host_aliases:
        - name: CUNETS
          members: 128.138.0.0/255.255.0.0
        - name: SERVERS
          members: master, mail, www, ns
      user_aliases:
        - name: FULLTIMERS
          members: millert, mikef, dowdy
        - name: PARTTIMERS
          members: bostley, jwfox, crawl
      cmnd_aliases:
        - name: KILL
          members: /usr/bin/kill
        - name: HALT
          members: /usr/sbin/halt
      privileges:
        - name: root
          entry: "ALL=(ALL:ALL) ALL"
        - name: "%admin"
          entry: "ALL=(ALL) ALL"
        - name: "%sudo"
          entry: "ALL=NOPASSWD:ALL"
    sudoers_sudoers_d_files:
      test:
        defaults:
          - env_reset
          - exempt_group=sudo
          - mail_badpass
          - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        host_aliases:
          - name: WORKSTATIONS
            members: 128.138.0.0/255.255.0.0
        privileges:
          - name: test
            entry: "ALL=(ALL:ALL) ALL"

Note that the "%sudo" entry in the complex example grants every member of the sudo group passwordless root ("ALL=NOPASSWD:ALL"). The stock Debian and Ubuntu files use "ALL=(ALL:ALL) ALL" for that group; restrict NOPASSWD to a specific Cmnd_Alias unless fully passwordless root is really what you want.

License

MIT

Author Information

  • Mark van Driel
  • Mischa ter Smitten

Feedback, bug-reports, requests, ...

Are welcome!

Contributors

  • mvdriel
  • sprat
  • tersmitten

Issues

Limit permissions of /etc/sudoers.d

For security purposes, the permissions of /etc/sudoers.d should probably be set to 0750. It would be a nice addition to the role. If you agree with that, I can probably make a pull request.

Revise /etc/sudoers

Ubuntu 12.04

Defaults	env_reset
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

Ubuntu 14.04

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

Ubuntu 16.04

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

Debian 7

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

Debian 8

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

support limited defaults section

From man sudoers on Ubuntu Xenial:

 Defaults
     Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines.  These may affect all users on any host, all users on a specific host, a
     specific user, a specific command, or commands being run as a specific user.  Note that per-command entries may not include command line arguments.  If you need to specify arguments, define a
     Cmnd_Alias and reference that instead.

     Default_Type ::= 'Defaults' |
                      'Defaults' '@' Host_List |
                      'Defaults' ':' User_List |
                      'Defaults' '!' Cmnd_List |
                      'Defaults' '>' Runas_List

     Default_Entry ::= Default_Type Parameter_List

     Parameter_List ::= Parameter |
                        Parameter ',' Parameter_List

     Parameter ::= Parameter '=' Value |
                   Parameter '+=' Value |
                   Parameter '-=' Value |
                   '!'* Parameter

...
...

     Defaults entries are parsed in the following order: generic, host, user and runas Defaults first, then command defaults.  If there are multiple Defaults settings of the same type, the last
     matching setting is used.  The following Defaults settings are parsed before all others since they may affect subsequent entries: fqdn, group_plugin, runas_default, sudoers_locale.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.

It would be great if this role supported Host/User/Cmnd/Runas defaults as well. The current templates:

make it impossible. Note that an extra space between Defaults and the special character is not accepted by sudo (e.g. Defaults : !MY_COMMAND !requiretty is rejected by sudo as a syntax error).
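The Default_Type grammar quoted in this issue and the variable layout documented in the README above map onto sudoers text as follows. This is an added example in Python, not the role's Jinja template or any code from the oefenweb project: render_sudoers() takes a dict shaped like sudoers_sudoers (defaults, the four alias lists, privileges) and emits the file. The dict form of a defaults entry (scope/target/params keys) is an assumed extension, not something the role supports; it produces the scoped Defaults@ / Defaults: / Defaults! / Defaults> lines this issue asks for, with the marker glued to Defaults because sudo rejects the spaced form. audit_privileges() flags two things a reviewer wants to see before such a file is installed: NOPASSWD on an unrestricted command list (the README's %sudo example) and '!' command exclusions, which the sudoers manual warns are bypassable. README_EXAMPLE is the README's complex configuration re-typed as a dict.

```python
"""Render sudoers text from the oefenweb.sudoers variable layout and audit it.

Added example: not the role's own template or code. The input dict follows
the README's sudoers_sudoers / sudoers_sudoers_d_files.<key> shape. The dict
form of a "defaults" entry ({"scope": ..., "target": ..., "params": ...}) is
an assumed extension covering the scoped Default_Type forms of sudoers(5);
the role itself only takes plain strings there.
"""
from __future__ import annotations

import re

# (variable key, sudoers keyword) in the order the README lists them
ALIAS_KINDS = (
    ("host_aliases", "Host_Alias"),
    ("user_aliases", "User_Alias"),
    ("cmnd_aliases", "Cmnd_Alias"),
    ("runas_aliases", "Runas_Alias"),
)
# Default_Type markers from sudoers(5): @ Host_List, : User_List, ! Cmnd_List, > Runas_List
DEFAULT_SCOPES = {"host": "@", "user": ":", "cmnd": "!", "runas": ">"}
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")  # sudoers alias names are upper-case


def render_default(entry: str | dict) -> str:
    """A string becomes a generic 'Defaults' line; a dict becomes a scoped one.

    The scope marker is written directly after 'Defaults': sudo treats
    'Defaults ! LIST ...' (with a space) as a syntax error.
    """
    if isinstance(entry, str):
        return f"Defaults\t{entry}"
    marker = DEFAULT_SCOPES[entry["scope"]]
    return f"Defaults{marker}{entry['target']}\t{entry['params']}"


def render_sudoers(cfg: dict) -> str:
    """Emit defaults, then aliases, then privileges, blank-line separated."""
    sections = [[render_default(d) for d in cfg.get("defaults", [])]]
    for key, keyword in ALIAS_KINDS:
        block = []
        for alias in cfg.get(key, []):
            if not ALIAS_NAME.match(alias["name"]):
                raise ValueError(f"invalid alias name: {alias['name']!r}")
            block.append(f"{keyword} {alias['name']} = {alias['members']}")
        sections.append(block)
    sections.append([f"{p['name']}\t{p['entry']}" for p in cfg.get("privileges", [])])
    return "\n\n".join("\n".join(s) for s in sections if s) + "\n"


def audit_privileges(cfg: dict) -> list[str]:
    """Flag entries a reviewer should look at before this file ships."""
    findings = []
    for priv in cfg.get("privileges", []):
        name, entry = priv["name"], priv["entry"]
        cmnds = entry.split("=", 1)[1] if "=" in entry else entry
        # NOPASSWD combined with an unrestricted (ALL) command list
        if "NOPASSWD" in cmnds and re.search(r"(?:^|[\s:,])ALL\s*$", cmnds):
            findings.append(f"{name}: passwordless unrestricted root ({entry})")
        # '!' exclusions do not stop a user who can copy or rename the binary
        if re.search(r"(?:^|[\s,])!\S", cmnds):
            findings.append(f"{name}: '!' command exclusion is bypassable ({entry})")
    return findings


# The README's "Complex configuration" sudoers_sudoers example, as a dict
README_EXAMPLE = {
    "defaults": ["env_reset", "mail_badpass",
                 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'],
    "host_aliases": [{"name": "CUNETS", "members": "128.138.0.0/255.255.0.0"},
                     {"name": "SERVERS", "members": "master, mail, www, ns"}],
    "user_aliases": [{"name": "FULLTIMERS", "members": "millert, mikef, dowdy"}],
    "cmnd_aliases": [{"name": "KILL", "members": "/usr/bin/kill"},
                     {"name": "HALT", "members": "/usr/sbin/halt"}],
    "privileges": [{"name": "root", "entry": "ALL=(ALL:ALL) ALL"},
                   {"name": "%admin", "entry": "ALL=(ALL) ALL"},
                   {"name": "%sudo", "entry": "ALL=NOPASSWD:ALL"}],
}

if __name__ == "__main__":
    print(render_sudoers(README_EXAMPLE))
    for finding in audit_privileges(README_EXAMPLE):
        print("WARNING:", finding)
```

Run it as a script and the output is the file the README's example would describe, followed by one warning for the "%sudo" line. The alias-name check exists because sudo reports a bad alias name only when the whole file is parsed; catching it at render time keeps a typo in a variable from producing a file that visudo -c rejects.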

Can't replace sudoers files

Hi

Thanks for a well-crafted ansible role.

I'm having a problem when using it on Debian Jessie though. I get this error:
[Errno 2] No such file or directory
when this task is being run:
TASK [tersmitten.sudoers : update global configuration file] *******************

The problem seems to be that the ansible template module is not allowed to modify the sudoers file.
I have a similar problem with a file in the sudoers.d dir, which could be worked around by removing the file (file state: absent) just before the template task.

However, this will not work with the global file, since removing that would render any sudo command (including those from ansible) useless.

Do you have an idea on how to solve this?
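The failure mode behind the two issues above (a template task that cannot replace /etc/sudoers, and a sudoers.d directory that is more open than it should be) is best avoided by never writing a sudoers file in place. The pattern below is an added example in Python, not part of the role: write the candidate to a temporary file in the same directory, validate it, and only then rename it over the target, which is what Ansible's template module does for you when given validate: 'visudo -cf %s'. visudo_check() is the real validator and needs visudo on the host; demo() substitutes a stand-in validator so the round trip can be exercised offline in a scratch directory. check_sudoers_dir() reports the directory mode issue requested above (the role's sudoers_sudoers_d_directory_mode variable covers it), drop-ins whose names sudo silently skips, and drop-ins that are writable by group or other. Paths, the vagrant drop-in content and the "README.md" stray file are constructed for the demonstration.

```python
"""Install a rendered sudoers file without ever leaving a broken one in place.

Added example, not part of the oefenweb.sudoers role. It mirrors what the
Ansible template module does with validate='visudo -cf %s': write the new
content to a temporary file beside the target, check it, then atomically
replace. On failure the target is untouched and the temp file is removed.
"""
from __future__ import annotations

import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Callable

Validator = Callable[[Path], None]  # raises on an invalid file


def visudo_check(path: Path) -> None:
    """Syntax-check a candidate file with visudo -cf (does not install it)."""
    visudo = shutil.which("visudo")
    if visudo is None:
        raise RuntimeError("visudo not found; cannot validate sudoers content")
    subprocess.run([visudo, "-cf", str(path)], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True)


def install_sudoers(target: Path, content: str, validate: Validator = visudo_check) -> None:
    """Write content to target via a validated, same-directory temp file."""
    # A '.' in the temp name means sudo ignores it while it is being written.
    tmp = target.with_name(f".{target.name}.tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o440)  # the O_CREAT mode is masked by umask; set it explicitly
        validate(tmp)
        os.replace(tmp, target)  # atomic rename: readers see the old or the new file
    except BaseException:
        tmp.unlink(missing_ok=True)
        raise


def check_sudoers_dir(directory: Path) -> list[str]:
    """Report an over-permissive directory, skipped names and writable drop-ins."""
    problems = []
    mode = stat.S_IMODE(directory.stat().st_mode)
    if mode & 0o007:
        problems.append(f"{directory}: mode {mode:04o} is world-accessible (0750 recommended)")
    for entry in sorted(directory.iterdir()):
        if "." in entry.name or entry.name.endswith("~"):
            problems.append(f"{entry.name}: ignored by sudo (name contains '.' or ends in '~')")
            continue
        fmode = stat.S_IMODE(entry.stat().st_mode)
        if fmode & 0o022:
            problems.append(f"{entry.name}: mode {fmode:04o} is group/other writable (0440 expected)")
    return problems


def demo() -> dict:
    """Round trip in a scratch directory with stand-in validators (no visudo needed)."""
    d = Path(tempfile.mkdtemp())
    d.chmod(0o750)
    target = d / "vagrant"  # constructed drop-in name and content
    good = "vagrant\tALL=(ALL) NOPASSWD: /usr/bin/apt-get\n"
    install_sudoers(target, good, validate=lambda p: None)

    def reject(path: Path) -> None:  # stands in for a visudo syntax error
        raise ValueError(f"{path.name}: syntax error near line 1")
    try:
        install_sudoers(target, "garbage ==", validate=reject)
        rejected = False
    except ValueError:
        rejected = True
    (d / "README.md").write_text("not a sudoers file\n")  # constructed stray file
    return {
        "installed": target.read_text(),
        "mode": stat.S_IMODE(target.stat().st_mode),
        "rejected": rejected,
        "tmp_left_behind": (d / ".vagrant.tmp").exists(),
        "problems": check_sudoers_dir(d),
    }


if __name__ == "__main__":
    print(demo())
```

The same-directory temp file matters: os.replace() is only atomic within one filesystem, and writing the final content to the target path directly is exactly the window in which a syntax error locks every sudo user out, including the Ansible connection itself.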
