
puppet-sudo's Introduction


Sudo Puppet Module


Configure and manage sudo and sudoers files

  Copyright (c) 2020 UL HPC Team <[email protected]>


Synopsis

Manage sudo configuration via Puppet.

This module implements the following elements:

  • Puppet classes:

    • sudo
    • sudo::common
    • sudo::common::debian
    • sudo::common::redhat
    • sudo::params
  • Puppet definitions:

    • sudo::alias::command
    • sudo::alias::host
    • sudo::alias::user
    • sudo::conf
    • sudo::defaults::spec
    • sudo::directive

All these components are configured through a set of variables you will find in manifests/params.pp.

Note: the various operations that can be conducted from this repository are piloted from a Rakefile and assume you have a running Ruby installation. See docs/contributing.md for more details on the steps you should follow to have this Rakefile working properly.

Dependencies

See metadata.json. In particular, this module depends on

Overview and Usage

Class sudo

This is the main class defined in this module. Use it as follows:

 include 'sudo'

See also tests/init.pp

Definition sudo::directive

The definition sudo::directive provides a simple way to write parts of the sudo configuration. With sudo >= 1.7.2, each directive is validated with visudo and removed if its syntax is not correct. This definition accepts the following parameters:

  • $ensure: defaults to 'present', can be 'absent' (BEWARE: it will remove the associated file)
  • $content: specify the contents of the directive as a string
  • $source: copy a file as the content of the directive.

Example:

  sudo::directive { 'admin_users':
    content => "%admin ALL=(ALL) ALL\n",
  }

  sudo::directive { 'vagrant':
    content => "%vagrant ALL=(ALL) NOPASSWD: ALL\n",
  }

On recent versions of sudo, this will typically create a new file /etc/sudoers.d/admin_users (or /etc/sudoers.d/vagrant).

See also tests/directive.pp
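
A scoped grant to set beside the blanket `NOPASSWD: ALL` rule in the 'vagrant' directive, as an added example (not taken from the module's documentation or tests). The `netops` group, the `NETOPS_CMDS` alias and the resource title are assumed names; only the `ensure` and `content` parameters documented above are used.

```puppet
# Added example; the 'netops' group, the NETOPS_CMDS alias and the resource
# title are hypothetical names, not taken from the module.

# Broad grant, as in the 'vagrant' directive above: any command, as any
# user, without a password. Reasonable on a throwaway test box only.
#
#   %vagrant ALL=(ALL) NOPASSWD: ALL

# Scoped grant: members of 'netops' may run three network tools as root
# and nothing else, and sudo still asks for their password (no NOPASSWD).
# The Cmnd_Alias is declared in the same directive, so the generated file
# (typically /etc/sudoers.d/netops) parses on its own when visudo checks it.
sudo::directive { 'netops':
  ensure  => 'present',
  content => "Cmnd_Alias NETOPS_CMDS = /sbin/route, /sbin/ifconfig, /sbin/dhclient\n%netops ALL = (root) NETOPS_CMDS\n",
}
```

Keeping the command list to absolute paths of binaries that cannot spawn a shell or edit arbitrary files is what makes the restriction meaningful.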

Definition sudo::alias::command

Defines a command alias in the sudoers file (directive Cmnd_Alias). These are groups of related commands...

This definition accepts the following parameters:

  • $ensure: defaults to 'present', can be 'absent'
  • $commandlist: List of commands to add in the definition of the alias

Example:

 sudo::alias::command{ 'NETWORK':
      cmdlist => [ '/sbin/route', '/sbin/ifconfig', '/bin/ping', '/sbin/dhclient', '/sbin/iptables' ]
 }

This will create the following entry in the sudoers files:

 ## Networking
 Cmnd_Alias NETWORK = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /sbin/iptables

See also tests/alias/command.pp

Definition sudo::alias::user

Defines a user alias in the sudoers file (directive User_Alias). These aren't often necessary, as you can use regular groups (i.e., from files, LDAP, NIS, etc.) in this file: just use %groupname rather than USERALIAS.

This definition accepts the following parameters:

  • $ensure: defaults to 'present', can be 'absent'
  • $commandlist: list of users to add in the definition of the alias

Example:

  sudo::alias::user{ 'ADMINS':
      userlist => [ 'jsmith', 'mikem' ]
  }

This will create the following entry in the sudoers files:

  User_Alias ADMINS = jsmith, mikem

See also tests/alias/user.pp

Definition sudo::defaults::spec

Defines a default specification. This definition accepts the following parameters:

  • $ensure: defaults to 'present', can be 'absent'
  • $content: specify the contents of the directive as a string
  • $source: copy a file as the content of the directive.

Examples

 sudo::defaults::spec { 'env_keep':
       content => "
  Defaults    env_reset
  Defaults    env_keep =  \"COLORS DISPLAY HOSTNAME LS_COLORS\"
  Defaults    env_keep += \"MAIL PS1 PS2 USERNAME LANG LC_ADDRESS LC_CTYPE\"
  Defaults    env_keep += \"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"
  Defaults    env_keep += \"LC_TIME LC_ALL LANGUAGE\"\n",
  }

This will create the following entry in the sudoers files:

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE"

See also tests/defaults/spec.pp

Librarian-Puppet / R10K Setup

You can of course configure the sudo module in your Puppetfile to make it available with Librarian puppet or r10k by adding the following entry:

 # Modules from the Puppet Forge
 mod "ULHPC-sudo"

or, if you prefer to work on the git version:

 mod "ULHPC-sudo",
     :git => 'https://github.com/ULHPC/puppet-sudo',
     :ref => 'production'

Issues / Feature request

You can submit bugs, issues and feature requests using the ULHPC-sudo Puppet Module Tracker.

Developments / Contributing to the code

If you want to contribute to the code, you should be aware of the way this module is organized. These elements are detailed in docs/contributing.md.

You are more than welcome to contribute to its development by sending a pull request.

Puppet modules tests within a Vagrant box

The best way to test this module in a non-intrusive way is to rely on Vagrant. The Vagrantfile at the root of the repository pilots the provisioning of various Vagrant boxes, available on Vagrant Cloud, that you can use to test this module.

See docs/vagrant.md for more details.

Online Documentation

Read the Docs (aka RTFD) hosts documentation for the open source community, and the ULHPC-sudo puppet module has its documentation (see the docs/ directory) hosted on readthedocs.

See docs/rtfd.md for more details.

Licence

This project and the sources proposed within this repository are released under the terms of the GPL-3.0 licence.

puppet-sudo's Issues

Module doesn't work on Puppet 4 when sudo is not installed

I just tried to run puppet on a new server which did not have "sudo" installed, and got the following error from this module:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef at /etc/puppetlabs/code/environments/dev_chrisb/modules/sudo/manifests/common.pp:97:12 on node oxo-drbl.zedcore.com

My manifest for sudo is pretty simple (excluding the command defs, obviously):

 class { '::sudo':
    ensure              => 'present'
  }

Not sure if it's relevant, but the server version is 4.5.2 and the client is currently 3.7.2 (Puppet's first task is to upgrade itself...)

Warning: Unknown variable: 'real_source'.

Puppet apply (version 4) raises the following warning:

Warning: Unknown variable: 'real_source'. at /etc/puppetlabs/code/environments/svarrette/modules/sudo/manifests/directive.pp:110:24
