####Table of Contents
- New stuff and bug fixes
- Overview - What is the sudo module?
- Module Description - What does the module do?
- Setup - The basics of getting started with sudo
- Usage - The parameters available for configuration
- Implementation - An under-the-hood peek at what the module is doing
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Release Notes - Notes on the most recent updates to the module
I am moving away from using sudo::params as the primary API for the module and moving towards being able to define the classes resource style. Due to my recent foray into Vagrant, OpenStack and cloud-init I have added support for sudoers.d. It is disabled by default but I will be working towards enabling it for cloud-init and vagrant systems.
I recently started a consulting company called Abstract IT Pty Ltd. I have transfered ownership of all my puppet modules to a new organisation on Puppet Forge called abstractit. I am making one final release of my modules under rendhalver and abstractit to give you a chance to switch over to the new organisation. I have also added a licence. All my modules will be licenced under Apache v2.
Secure extensible sudo management with puppet.
Manages rules, commands, hosts and runas entries in sudo
what sudo affects:
- /etc/sudoers file
This will manage a basic setup for sudo.
include sudo
Defaults for vars to set if you need them. These are class variables so use hiera or and ENC to set them up easily.
Using sudo class
$sudo::sudoers_dot_d = false
# Whether to file in include sudoers.d
$sudo::full_fullaccess_group = $::operatingsystem ? { default => 'wheel', Debian => 'adm', Ubuntu => 'admin' }
# group of users with full sudo access
$sudo::extra_full_sudo_users = []
# array of extra users with full sudo access except shells and su itself
$sudo::requiretty = false
# whether you want a tty to exist for sudo ( I leave this unset because my monitoring setup uses sudo for some of it's commands )
$sudo::extra_path = undef
# extra path to include before the default
$sudo::extra_shells = undef
# extra shells on the node
$sudo::env_reset = true
# If the shell environment should be reset on sudo
$sudo::secure_path = '/sbin:/bin:/usr/sbin:/usr/bin'
# Force the PATH to be this, set to false to stop setting path
Using sudo::params class variables. This method will go away soon so please migrate to using sudo variables
$sudo::params::sudoers_dot_d = false
# Whether to file in include sudoers.d
$sudo::params::full_fullaccess_group = $::operatingsystem ? { default => 'wheel', Debian => 'adm', Ubuntu => 'admin' }
# group of users with full sudo access
$sudo::params::extra_full_sudo_users = []
# array of extra users with full sudo access except shells and su itself
$sudo::params::requiretty = false
# whether you want a tty to exist for sudo ( I leave this unset because my monitoring setup uses sudo for some of it's commands )
$sudo::params::extra_path = undef
# extra path to include before the default
$sudo::params::extra_shells = undef
# extra shells on the node
$sudo::params::env_reset = true
# If the shell environment should be reset on sudo
$sudo::params::secure_path = '/sbin:/bin:/usr/sbin:/usr/bin'
# Force the PATH to be this, set to false to stop setting path
sudo::rule { "extra_rule":
ensure => present,
who => 'bob',
runas => 'root', # default runas user is root, please change to override.
commands => "/usr/sbin/systemctl",
nopass => false, #
setenv => false,
comment => "what ever you like",
}
This type manages extra rules for sudo
Parameters within sudo::rule
Whether the rule should exist or not (present is the default)
The user running the command
The user to run commands as (Default is root)
can also be an array of commands for this rule
whether you want the user to supply a password or not (defaults to false)
whether you want to set the SETENV tag (defaults to false)
Interted above the rule to explain what it does
sudo::cmnd { "SYSTEMD":
ensure => present, # whether the rule should exist or not (present is the default)
what => '/usr/sbin/systemctl', # can also be an array of commands
cmnd => "BLAH", # name for these commands
comment => "what ever you like",
}
This type manages extra command sets for sudo
Parameters within sudo::cmnd
Whether the cmnd set should exist or not (present is the default)
Commands in this set, can be a variable or an array.
Name for this command set
Interted above the cmnd to explain what it does
sudo::host { "office":
ensure => present, # whether the rule should exist or not (present is the default)
where => 'nagios.example.com', # can also be an array of hosts
comment => "what ever you like",
}
This type manages host groups for sudo
Parameters within sudo::host
Whether the host group should exist or not (present is the default)
Host or array of hosts in this group
Description of this host group
sudo::line { "Icinga-no-tty":
ensure => present, # whether the rule should exist or not (present is the default)
line => 'Defaults:icinga !requiretty', # can also be an array of hosts
comment => "enable access for icinga without requiring tty",
}
This type manages pre-formatted lines to be inserted to sudoers
Parameters within sudo::line
Whether the specific line should exist or not (present is the default)
Optional content of the line to be managed
Optional description which is inserted befor the line
sudo::runas { "whoever":
ensure => present, # whether the rule should exist or not (present is the default)
who => 'bob', # can also be an array of users
comment => "what ever you like",
}
This type manages extra runas groups for sudo
Parameters within sudo::runas
Whether the runas group should exist or not (present is the default)
who this group contains, can be a variable or an array
Description of this runas group
uses templates and concat to manage the /etc/sudoers file
There may be some. Don't hesitate to let me know if you find any.
All development, testing and releasing is done by me at this stage. If you wish to join in let me know.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent