saz / puppet-sudo

Manage sudo with Puppet on Debian-, RedHat- and SUSE-based linux distributions and some BSDs

License: Other

Ruby 27.63% Puppet 25.55% HTML 46.82%
puppet configuration-management sudo

puppet-sudo's Introduction

sudo module for Puppet

Manage sudo configuration via Puppet

Supported OS

This module supports the following OS families and specific operating systems:

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo does not always include LDAP support by default. On Debian and Ubuntu, the special package sudo-ldap will be used. On Gentoo, the Puppet portage module by Gentoo must also be included; if it is not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:

    :hierarchy:
      - "%{environment}"
      - "defaults"

Load module

Load the module via Puppet Code or your ENC.

    include sudo

Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

    sudo::configs:
        'web':
            'source'    : 'puppet:///files/etc/sudoers.d/web'
        'admins':
            'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
            'priority'  : 10
        'joe':
            'priority'  : 60
            'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template

    lookup_options:
      sudo::configs:
        merge:
          strategy: deep
          merge_hash_arrays: true

    sudo::configs:
        'admins':
            'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
            'priority'  : 10
        'joe':
            'ensure'    : 'absent'
            'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
        'bill':
            'template'  : "mymodule/bill.erb"

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template

    lookup_options:
      sudo::configs:
        merge:
          strategy: deep
          merge_hash_arrays: true

    sudo::configs:
        'admins':
            'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'joe':
            'ensure'    : 'absent'
        'bill':
            'template'  : "mymodule/bill.erb"

Override sudoers defaults

You can modify Default_Entry lines by passing a Hash to sudo::defaults, where each key is a Defaults parameter name (see man 5 sudoers for more details):

    sudo::defaults:
        lecture:
          value: always
        badpass_message:
          value: "Password is wrong, please try again"
        passwd_tries:
          value: 5
        insults:
        mailto:
          value: [email protected]

Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

    sudo::conf { "foreman-proxy":
      ensure         => "present",
      source         => "puppet:///modules/sudo/foreman-proxy",
      sudo_file_name => "foreman-proxy",
    }

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • content may be an array; each element is added as a string followed by a carriage return.
  • To pass a template() properly, use template instead of content; otherwise hiera would run the template function.

sudo class parameters

See REFERENCE.md

sudo::conf class / sudo::configs hash parameters

See REFERENCE.md

puppet-sudo's Issues

"Defaults requiretty" didn't work with Vagrant

The option Defaults requiretty is enabled in both files/sudoers.rhel5 and files/sudoers.rhel6 by default. But when I apply this Puppet module in a Vagrant CentOS 6.5 instance, I always get the error:

sudo: sorry, you must have a tty to run sudo

The fix is here: comment it out.

This is the explanation:

http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password
https://bugzilla.redhat.com/show_bug.cgi?id=1020147

Any suggestion on how I can still use this module with librarian-puppet, but get that line commented out?

Or could you please comment this line in your code directly?

Add parameter for timestamp_timeout

Please consider adding a parameter that makes it easy to define timestamp_timeout. I'm not sure whether this fits better into the main init.pp, or whether it should go into some kind of subclass.

visudo check may give false sense of syntax correctness

Before #99, visudo checked entire sudo config. In that PR it started checking just a single config file being added/modified.

Unfortunately, this may give a false sense of syntax correctness. For example, if your sudo::conf { 'foo': } redefines a Cmnd_Alias that is already defined somewhere else, the current file will pass visudo syntax checks but the sudo config as a whole will be broken.

Maybe consider changing visudo exec to be what it used to be before PR 99 and add validate_cmd on File resource inside sudo::conf? I am not yet convinced it's the best way forward though.
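
The gap described in this issue can be shown without running visudo. The following added example (not code from the module or the issue author) scans a rendered sudoers tree for aliases defined more than once; the file contents, paths and function names are constructed for illustration, and it assumes the #includedir line comes last in the main file.

```python
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_LINE = re.compile(r"^(%s)\s+(.+)$" % "|".join(ALIAS_TYPES))
# Several aliases of one type may share a line, separated by an unescaped ':'.
ALIAS_NAME = re.compile(r"(?:^|(?<!\\):)\s*([A-Z][A-Z0-9_]*)\s*=")


def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined and comment lines dropped."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line and not line.startswith("#"):
            yield line


def aliases_in(text):
    """Return the (alias type, alias name) pairs defined in one sudoers fragment."""
    found = []
    for line in logical_lines(text):
        match = ALIAS_LINE.match(line)
        if match:
            names = ALIAS_NAME.findall(match.group(2))
            found.extend((match.group(1), name) for name in names)
    return found


def redefinitions(files):
    """files: (path, text) pairs in load order. Report aliases defined more than once."""
    first_seen = {}
    conflicts = []
    for path, text in files:
        for key in aliases_in(text):
            if key in first_seen:
                conflicts.append((key[1], first_seen[key], path))
            else:
                first_seen[key] = path
    return conflicts


def load_order(main, dropins):
    """Main sudoers first, then the include directory in sorted lexical order."""
    return [main] + sorted(dropins, key=lambda item: item[0])


# Constructed sample tree (not taken from the module or the issue).
MAIN = ("/etc/sudoers",
        "Defaults env_reset\n"
        "Cmnd_Alias WEBCMDS = /usr/sbin/apachectl\n"
        "#includedir /etc/sudoers.d\n")
WEB = ("/etc/sudoers.d/10_web", "%web ALL=(root) WEBCMDS\n")
FOO = ("/etc/sudoers.d/10_foo",
       "Cmnd_Alias WEBCMDS = /usr/bin/systemctl restart nginx\n"
       "%foo ALL=(root) WEBCMDS\n")

if __name__ == "__main__":
    # Checked alone, the new drop-in looks clean.
    print("file alone:", redefinitions([FOO]))
    # Checked as part of the whole tree, the duplicate alias shows up.
    print("whole tree:", redefinitions(load_order(MAIN, [WEB, FOO])))
```

Run against the staged tree before the new file is put in place, this catches the case where a single-file syntax check passes and the combined configuration does not.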

RHEL Sudo config file breaks sudo if package < 1.7.0

As defined here, sudo > 1.7.0 introduced some new config values, which aren't supported < 1.7.0.

This results in the sudo config being broken on a stock Centos 5 install, which uses sudo-1.6.8p12-12.el5.

Initial thought is to have a different config file for RHEL5 vs RHEL6, as RHEL6 ships with sudo-1.7.4p5-13.el6_3.x86_64 so supports the new values...

Namespacing Issue in config.pp

In puppet 2.7 the forced basing of the namespacing for ::sudo::conf on line 20 of config.pp causes the tag errors below. It works fine without rooting that call though. I assume it's not necessary in newer versions either. I've added #117 with a simple fix. Is it possible to make the change in this PR or is there another possible workaround?

Puppet 2.7 Failure:
Invalid tag "::sudo::conf" at /etc/puppet/modules/sudo/manifests/configs.pp:20 on node jho.dev.localdomain.com

Typo in params.pp

You're missing a trailing slash in params.pp for FreeBSD in the $config_dir variable.

New parameter for array of users to get sudo access

I want to use the Hiera automatic parameter lookup feature in Puppet 3 so that I can define my sudo users in a Hiera database.

Please consider adding one new parameter to the sudo class that accepts an array of users. It would use a template to create a new file with entries for all of these users, and define a corresponding sudo::conf resource that includes the template.

Right now I have to define a wrapper class to do this, but it seems like it would fit into the module more naturally.

Priority should be zero-padded

The priority part of the filename should be zero-padded, otherwise a config with priority => 5 will lexically come after one with priority => 10.

sudo::conf { 'high-prio':
  priority => 5,
  content  => '# This is high prio',
}

sudo::conf { 'normal-prio':
  content => '# This is normal prio',
}

Will result in: 10_normal-prio, 5_high-prio, while it should be 05_high-prio, 10_normal-prio.

This is also mentioned in the man pages:

Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. Using a consistent number of leading zeroes in the file names can be used to avoid such problems.
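
Because sudoers uses the last matching entry, the load order of the include directory decides which rule takes effect. The following added example (not code from the module or the issue author) audits a directory listing for the ordering problem described above; it goes slightly further and also flags names that #includedir skips (ending in '~' or containing '.', per sudoers(5)). The function names and the two-digit padding width are assumptions of this sketch.

```python
import re

PREFIXED = re.compile(r"^(\d+)_(.+)$")


def conf_file_name(priority, name, width=2):
    """Zero-padded '<priority>_<name>' file name; width=2 is an assumption."""
    return f"{priority:0{width}d}_{name}"


def skipped_by_sudo(file_name):
    """#includedir ignores names that end in '~' or contain a '.' character."""
    return file_name.endswith("~") or "." in file_name


def load_order(file_names):
    """Order in which sudo parses an include directory: sorted lexically."""
    return sorted(n for n in file_names if not skipped_by_sudo(n))


def audit(file_names):
    """Return findings for a listing of a sudoers.d-style directory."""
    findings = [("skipped", n) for n in sorted(file_names) if skipped_by_sudo(n)]
    numbered = []
    for name in load_order(file_names):
        match = PREFIXED.match(name)
        if match:
            numbered.append((int(match.group(1)), name))
    # Any drop in the numeric prefix along the load order means the numeric
    # priority and the real (lexical) order disagree.
    for (prio_a, name_a), (prio_b, name_b) in zip(numbered, numbered[1:]):
        if prio_a > prio_b:
            findings.append(("misordered", name_a, name_b))
    return findings


# Constructed listings based on the names used in the issue above.
UNPADDED = ["5_high-prio", "10_normal-prio"]
PADDED = [conf_file_name(5, "high-prio"), conf_file_name(10, "normal-prio")]

if __name__ == "__main__":
    print(load_order(UNPADDED), audit(UNPADDED))
    print(load_order(PADDED), audit(PADDED))
    print(audit(["10_web", "10_web.bak", "20_db~"]))
```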

Sudo configs take a wrong default config_dir variable

During class definition one can change the config_dir variable, like so:

class { '::sudo':
    config_dir => '/etc/sudoers.puppet',
}

But this change is neglected by actual sudo config, because they use the OS default sudo::params::config_dir instead of the class sudo::config_dir (which defaults to sudo::params::config_dir but can be overridden), see:
https://github.com/saz/puppet-sudo/blob/master/manifests/conf.pp#L55

  $sudo_config_dir_real = $sudo_config_dir ? {
    undef            => $sudo::params::config_dir,
    $sudo_config_dir => $sudo_config_dir
  }

This needs to be changed to

  $sudo_config_dir_real = $sudo_config_dir ? {
    undef            => $sudo::config_dir,
    $sudo_config_dir => $sudo_config_dir
  }

If needed, I will provide a pull request with a fix shortly.

configs.pp breaks with future parser and without Hiera

I recently enabled the future parser to check our manifests for Puppet 4.0 compliance. The conditional ''if $configs'' in configs.pp caused a parse problem. It is easily solved by changing it to ''if !empty($configs)''. (We do not use Hiera.)

Invalid metadata.json

I think you have a problematic comma in your metadata.json, that results in:

# librarian-puppet install
Unable to parse json file /etc/puppet/.tmp/librarian/cache/source/git/61c10f4144b6f540/metadata.json: 399: unexpected token at '],
  "dependencies": [
    { "name": "puppetlabs/stdlib", "version_requirement": ">=2.3.0 <5.0.0" },
  ]
}

Thanks for a good module anyway ;) for now I locked it to a specific release in my Puppetfile and it works.

Hope this helps.

Unknown function hiera_hash

Puppet v2.7.25 (server)
Puppet 3.8 (client)
saz-sudo-3.1.0.tar.gz
Hiera - not installed

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Unknown function hiera_hash at /etc/puppet/modules/sudo/manifests/configs.pp:20 on node

As a quick workaround I've commented out the $configs = hiera_hash('sudo::configs', $configs_hash) line as the next line down is checking if $configs is empty.

Is it possible to check if the hiera_hash function exists before calling it?

Thanks,

hiera hierarchy doesn't "merge"

It seems that when calling your module from both common.yaml and somethingElse.yaml, the data does not merge. It only takes the highest level. This is unusual and I haven't experienced this with any other modules. Hiera, as you may know, uses an array merge lookup on its data.

I tried troubleshooting this but failing so far.

I will paste the relevant code below. In this example, ONLY devusers group is applied (as opposed to both sysadmins and devusers)

hiera.yaml


---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/environments/%{::environment}/hieradata
:hierarchy:
  - node/%{::clientcert}
  - myCompany_environment/%{::myCompany_environment}
  - common

site.pp

$sudoers = hiera('sudoers', {})
create_resources('sudo::conf', $sudoers)

common.yaml:

sudoers:
  sysadmins:
    content: '%sysadmins ALL=(ALL) NOPASSWD: ALL'

devusers.yaml:

sudoers:
  devusers:
    content: '%devusers ALL=(ALL) NOPASSWD: ALL'

THE WORKAROUND:

Double-declare sysadmins-group in both yaml files. This is good enough for now but it kind of defeats one of the purposes of Hiera.
common.yaml:

sudoers:
  sysadmins:
    content: '%sysadmins ALL=(ALL) NOPASSWD: ALL'

devusers.yaml:

sudoers:
  devusers:
    content: '%devusers ALL=(ALL) NOPASSWD: ALL'
  sysadmins:
    content: '%sysadmins ALL=(ALL) NOPASSWD: ALL'
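
How the three lookup behaviours differ on the data in this issue and on the README's defaults.yaml / production.yaml layering, as an added example (not code from the module or the issue author). It is a Python model of Hiera's priority lookup, native hash merge and deep merge; the function names are made up here, and array handling (merge_hash_arrays) is not modelled.

```python
import copy

# Constructed from the YAML shown on this page, highest-priority level first.
README_LEVELS = [
    {  # production.yaml (second README example)
        "admins": {"content": "%prodadmins ALL=(ALL) NOPASSWD: ALL"},
        "joe": {"ensure": "absent"},
        "bill": {"template": "mymodule/bill.erb"},
    },
    {  # defaults.yaml
        "web": {"source": "puppet:///files/etc/sudoers.d/web"},
        "admins": {"content": "%admins ALL=(ALL) NOPASSWD: ALL", "priority": 10},
        "joe": {"priority": 60, "source": "puppet:///files/etc/sudoers.d/users/joe"},
    },
]
ISSUE_LEVELS = [
    {"devusers": {"content": "%devusers ALL=(ALL) NOPASSWD: ALL"}},    # devusers.yaml
    {"sysadmins": {"content": "%sysadmins ALL=(ALL) NOPASSWD: ALL"}},  # common.yaml
]


def lookup_first(levels):
    """Priority lookup, as hiera() does: the first level that has the key wins."""
    return copy.deepcopy(levels[0]) if levels else {}


def lookup_hash(levels):
    """Native hash merge, as hiera_hash() does: top-level keys are merged; on a
    conflict the whole value from the higher-priority level replaces the lower."""
    merged = {}
    for level in reversed(levels):
        merged.update(copy.deepcopy(level))
    return merged


def deep_merge(high, low):
    """Merge nested hashes key by key; 'high' wins where both set the same leaf."""
    merged = copy.deepcopy(low)
    for key, value in high.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(value, merged[key])
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def lookup_deep(levels):
    """Deep merge across all levels (the 'strategy: deep' lookup option)."""
    merged = {}
    for level in reversed(levels):
        merged = deep_merge(level, merged)
    return merged


if __name__ == "__main__":
    # Issue data: a priority lookup returns devusers only; a hash merge returns both.
    print(sorted(lookup_first(ISSUE_LEVELS)), sorted(lookup_hash(ISSUE_LEVELS)))
    # README data: only the deep merge keeps admins' priority and joe's source.
    print(lookup_hash(README_LEVELS)["admins"])
    print(lookup_deep(README_LEVELS)["admins"])
    print(lookup_deep(README_LEVELS)["joe"])
```

Comparing the merged hash with the intended set of sudoers entries before applying it shows whether a group was silently dropped or an override kept less than expected.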

white spaces in name result in visudo to fail.

If name contains a white space it fails.

Suggestion for a fix

  • Make a validation of namevar to ensure it does not contain whitespace and raise an error.
  • Replace whitespaces in filename with '_'

default template for SUSE

Hi,

Pls delete the following lines from the suse template (files / sudoers.suse):

## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

This is very important ;-)

thx

No new line @ EOF on template

@saz I've had some issues with the ArchLinux template not including a new line at the end of the file. I'm sure this issue #12 is related to git; but it does also seem to affect the includedir statement at the end of the file. Would you consider updating the template to include a new line at the end, thanks.

Error: /Stage[main]/Sudo/Augeas[includedirsudoers]: Could not evaluate: Saving failed, see debug

"name": "saz-sudo",
"version": "3.0.9",

Puppet augeas lens fails to parse the following line in sudo file:

Cmnd_Alias BALANCE = /sbin/lvm lvdisplay -m, /sbin/scsi_id -p 0x83 -s /block/sd* -g, /lib/udev/scsi_id --page=0x83 --whitelisted --device=/dev/sd_, /sbin/dmsetup deps, /sbin/fdisk -lu, /sbin/mdadm -D /dev/sd_, /usr/local/bin/scli -z all

Warning: Augeasincludedirsudoers: Loading failed for one or more files, see debug for /augeas//error output
Debug: Augeasincludedirsudoers: /augeas/files/etc/sudoers/error = parse_failed
Debug: Augeasincludedirsudoers: /augeas/files/etc/sudoers/error/pos = 3549
Debug: Augeasincludedirsudoers: /augeas/files/etc/sudoers/error/line = 105
Debug: Augeasincludedirsudoers: /augeas/files/etc/sudoers/error/char = 0
Debug: Augeasincludedirsudoers: /augeas/files/etc/sudoers/error/lens = /var/opt/lib/pe-puppet/lib/augeas/lenses/fixedsudoers.aug:509.10-.70:
Debug: Augeasincludedirsudoers: /augeas/files/etc/sudoers/error/message = Iterated lens matched less than it should
Debug: Augeasincludedirsudoers: Will attempt to save and only run if files changed
Debug: Augeasincludedirsudoers: sending command 'set' with params ["/files/etc/sudoers/#includedir", "/etc/sudoers.d"]
Debug: Augeasincludedirsudoers: Closed the augeas connection

The augeas tool parses it successfully with the standard lens /usr/share/augeas/lenses/dist/sudoers.aug shipped with augtool 1.2.0.

fixedsudoers.aug breaks Augeas on Debian

Hi

The file fixedsudoers.aug breaks Puppet Augeas on Debian. At each run it prevents Augeas from working and generates a mysterious error message:

Debug: Augeas[PHP MySQL socket](provider=augeas): Opening augeas with root /, lens path /var/lib/puppet/lib/augeas/lenses, flags 32
Error: /Stage[main]/Main/Augeas[PHP MySQL socket]: Could not evaluate: unknown error - Failed to initialize Augeas

Can you install it selectively on Red Hat systems only?

Puppet 4 - Ubuntu 16.04 - /etc/sudoers does not get overwritten.

Ubuntu - 16.04
Puppet - 4.5.3
Running via test kitchen - 1.9.1
box: "ubuntu/xenial64"
box_version: "20160606.1.0"

doing: include ::sudo or class { 'sudo': } or class { 'sudo': config_file_replace => true } does not purge /etc/sudoers as noted in the documentation.

There's also no mention (obvious maybe) in the puppet run output for /etc/sudoers

sudo breaks on RHEL5 with old version of sudo (#includedir not working)

sudo::conf breaks on RHEL5 with old versions of sudo that do not support #includedir.

I am using sudo::conf to install a file in /etc/sudoers.d/ that gives users in the 'wheel' group the ability to sudo. When running on a system with an old version of sudo, the /etc/sudoers is overwritten with the sudoers file from this package, (which ends with "#includedir /etc/sudoers.d"), but this doesn't work, so the file I placed in /etc/sudoers.d/ never gets read, and users in the wheel group can't login.

I effectively locked myself out of the system.

It would be nice if this sudo module (or maybe just the sudo class) depended on version 1.7.0 of the sudo package, so that trying to run this with an older version of sudo will just fail. That way the above problem could be avoided.

config_dir not overwritten

Despite setting config_dir when the class is loaded, the file and config are not tested and created in the right place.
Same effect on Solaris 10 and Ubuntu 14.04, and I use hiera to set sudo::configs.

# Init class with some defaults config for solaris
case $::osfamily {
  'Solaris': {
    class { '::sudo':
      purge               => true,
      config_file_replace => true,
      package             => 'SMCsudo',
      package_ensure      => 'present',
      package_source      => "URL/package",
      config_file         => '/usr/local/etc/sudoers',
      config_dir          => '/usr/local/etc/sudoers.d/',
      package_admin_file  => '/var/sadm/install/admin/puppet',
    }
    include sudo::configs
  }
  default: {
    class { '::sudo':
      purge               => true,
      config_file_replace => true,
      config_dir          => '/etc/sudoers.test/',
    }
    include sudo::configs
  }
}

Thank you

module deletes my snippets which are not managed by puppet

Hi, I use this module mainly for snippets in /etc/sudoers.d/ . This is working fine. However, some servers need special custom snippets, which are managed locally. These snippets get deleted by puppet. Here is noop log:

$ puppetd --onetime --no-daemonize --verbose --server puppetmaster.local --noop
info: Caching catalog for developer
info: Applying configuration version '1334735640'
notice: /File[/etc/sudoers.d/android]/ensure: current_value file, should be absent (noop)
notice: /File[/etc/sudoers.d/java]/ensure: current_value file, should be absent (noop)
notice: Finished catalog run in 0.80 seconds

"File paths must be fully qualified" error

I am using your module with create_resources and I am getting this error:

Error: Failed to apply catalog: Parameter path failed on File[10_myusername]: File paths must be fully qualified, not '10_myusername' at /etc/puppet/modules/sudo/manifests/conf.pp:66

site.pp:

$sudoers = {
  'myusername' => {
    priority => '10',
    content  => 'myusername ALL=(ALL) NOPASSWD: ALL',
  }
}
create_resources(sudo::conf, $sudoers)

still need to 'include sudo' outside of sudo::conf for conf to work

Because $sudo::params::sudo_config_dir hasn't been included at the time a sudo::conf resource's parameters is being parsed, we get a catalog compile error when declaring sudo::confs without also adding an 'include sudo' elsewhere outside of the defined type itself.

Puppet 4 and hiera problem

Hi,

I'm not sure where this error can come from. I get:

Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Lookup of key 'sudo::enable' failed: DataBinding 'hiera': datadir for yaml cannot be an array

even if hiera.yaml is correctly configured, for instance:

:yaml:
  :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hiera"

This errors only happens when I try to realize the sudo class:

include sudo

module does not work with --parser future

When running this module with the --parser future option in Puppet 3.7 on Debian 7.6 it throws an error:
Error: Evaluation Error: Error while evaluating a Function Call, create_resources(): second argument must be a hash at /puppet/modules/sudo/manifests/configs.pp:20:5 on node configtest.bbj.lan

I don't use Hiera; I also get the warning
Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults
but that does not pose a problem with the present parser. Unfortunately I do not get what happens at configs.pp, so I cannot be a big help in solving this.

Puppet Module Install fails with v3.0.0

I tried to install the module but it's missing the manifests folder and some other things. You can deploy it from git successfully but using the 'puppet module install' command there were issues for me.

no support for openBSD

I've searched this repository and there is no mention of OpenBSD.

Will there be any love for OpenBSD in the future?

sudoers + ldap

Hi,

this package does not include, imo, the support for sudoers.
Do you confirm?

If so, i can write a patch.

2 paths:

  • automatic
  • hiera

automatic means find for ldap or sss on nsswitch, plus using specific package (ie: sudo-ldap on debian)
hiera means flag to pull ldap support, and handle only the package.

sudo config objects with spaces in their name fail visudo file checks

This fails:

  sudo::conf { 'vagrant user':
    priority => 15,
    content  => "vagrant ALL=(ALL) NOPASSWD: ALL",
  }

This works:

  sudo::conf { 'vagrant_user':
    priority => 15,
    content  => "vagrant ALL=(ALL) NOPASSWD: ALL",
  }

It seems the code does not normalize the namevar to remove spaces. If alphanumeric is required throwing an error would be good.

Important Line missing in Debian 7

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

This line seems to get removed when using this module on debian 7. Using sudo is complicated without.

New release

Hey!

It would be quite convenient to have a new release. I am for example interested in the fix for #138.

requiretty

The default RHEL6 sudoers does not have Defaults requiretty, but your version does. I forked the module so I could make it a settable parameter but I got stuck when I ran into Augeas, which I haven't used before.

Would you consider adding requiretty as a settable boolean?

Thanks,
Jonathan

Trailing commas in metadata.json

Hi,

First off, thanks for the awesome module :) There is one issue which we came across: the metadata.json has trailing commas inside the bracketed parts on line 20 and line 23. They should not exist, and JSON parsers (like jq) fail on them. I could write a pull request, but such a small issue is probably easier fixed without :)

Thanks!

- Leon

sudo-syntax-check error in puppet-sudo version 3.0.5

Howdy, I'm getting the following when attempting to apply the catalog to a node:

Info: Applying configuration version '1397793067'
Error: Could not apply complete catalog: Found 1 dependency cycle:
(Exec[sudo-syntax-check for file /etc/sudoers.d/5_sysadmins] => File[5_sysadmins] => Exec[sudo-syntax-check for file /etc/sudoers.d/5_sysadmins])
Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz
Notice: Finished catalog run in 0.32 seconds

If I comment out the following line, the /etc/sudoers.d/5_sysadmins file gets created and manually running "visudo -c " shows that it checks out OK. I'm also able to successfully run the sudo command for my user who is part of the wheel group.

    require => Exec["sudo-syntax-check for file ${cur_file}"],

The following is how I'm configuring the node in hiera

sudo::conf:
  sysadmins:
    priority: 5
    content: "%wheel ALL=(ALL) ALL"

Can add_users or similar way, using hiera sudo::configs, but for different templates than sudo ALL?

Hi,

Couldn't find a subject for this. Sorry.

What I am trying to do is to add users and groups from hiera to a template other than users_groups.erb, as that template grants ALL.

I was thinking of having a template for a subset of permitted commands already defined as an alias in sudoers (this is done):

<% @users.each do |user| -%>
<%= user %> ALL=(ALL) WEBADMINS
<% end -%>
<% @groups.each do |group| -%>
%<%= group %> ALL=(ALL) WEBADMINS
<% end -%>

This is in order to avoid duplicating info in hiera when, let's say, I have to give two persons sudo for:

"sudo::configs" : {
  "sudo_web" : {
    "content" : "username1 ALL=(ALL) WEBADMIN",
    "priority" : 50
  },
  "sudo_web2" : {
    "content" : "username2 ALL=(ALL) WEBADMIN",
    "priority" : 50
  }
},

I hope the doubt is clear. I don't know if this can be done now without creating files per user, I mean creating each block in hiera per user. If this can be done in an add_user/group-like manner, then I don't know how. If not, perhaps it's a desired feature? Then I could help with the code.
Thanks!

Error 'You cannot specify more than one of content, source, target' using >=v3.0.7

Using saz/sudo v3.0.7 following snippet:

sudo::conf { 'operations':
  source => "puppet:///modules/${module_name}/sudo/operations",
}

causes puppet error:

Error: Failed to apply catalog: Validation of File[10_operations] failed: You cannot specify more than one of content, source, target at /etc/puppet/environments/yyy/modules/sudo/manifests/conf.pp:104

Apparently it is caused by merging PR #77.
After this PR if $content_real => undef then content => "undef\n" which is incorrect.

What does priority mean?

What does the priority mean in your conf parameter?

I don't get the meaning from man sudoers.

Setting 'sudo' class parameters using yaml

If I describe the configuration via yaml files, I can't set sudo class parameters (here I do not want to replace the default configuration file /etc/sudoers). But I can't configure it through yaml.

sudo:
    config_file_replace: false
sudo::configs:
    hraphrap:
        content: "hraphrap    ALL=(ALL) NOPASSWD: ALL"

in node definition:

include sudo

puppet v3+
