Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-sudo', '5.5.0'
sudo
Table of Contents
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with sudo
- Usage - Configuration options and additional functionality
- Reference
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Acceptance Tests
Module Description
Constructs a sudoers file based on configuration aliases, defaults, and user specifications.
Setup
What sudo affects
sudo will ensure the sudo package is installed, and will manage /etc/sudoers.
Setup Requirements
The only step necessary to begin using sudo is to install pupmod-simp-sudo into your modulepath.
Beginning with sudo
To create the default SIMP /etc/sudoers file:
include 'sudo'
Usage
Add a user to sudoers
Giving a user root permissions
# NOTE: '%' in sudo signifies a group
# %powerusers is the powerusers group
sudo::user_specification { 'power_users':
user_list => [ 'persona', 'personb', '%powerusers' ],
runas => 'root',
cmnd => [ '/bin/su root', '/bin/su - root' ]
}
Giving a system user access to a command without root
sudo::user_specification { 'myapp':
user_list => [ 'myappuser' ],
runas => 'root',
cmnd => [ '/usr/bin/someservice' ],
passwd => false,
}
Create a sudo default entry
To create a defaults line in sudoers:
# Creates Defaults requiretty, syslog=authpriv, !root_sudo, !umask, env_reset
sudo::default_entry { '00_main':
content => [ 'requiretty',
'syslog=authpriv',
'!root_sudo',
'!umask',
'env_reset',
],
}
Create an alias
To create the following alias in sudoers:
User_Alias FULLTIMERS = millert, mikef, dowdy
sudo::alias { 'FULLTIMERS':
content => [ 'millert','mikef','dowdy' ],
alias_type => 'user'
}
Additionally, the convenience defined types sudo::alias::user, sudo::alias::cmnd, sudo::alias::host, and sudo::alias::runas may be used instead for easier readability:
sudo::alias::user { 'FULLTIMERS':
content => [ 'millert','mikef','dowdy' ],
}
Reference
Classes
Public Classes
- sudo: Handles main /etc/sudoers file
Defined Types
- sudo::default_entry: Creates default entry
- sudo::user_specification: Creates user entry
- sudo::alias: Creates Aliases (Used by all other sudo::alias types)
- sudo::alias::cmnd: Creates Command Aliases
- sudo::alias::host: Creates Host Aliases
- sudo::alias::runas: Creates Run As Aliases
- sudo::alias::user: Creates User Aliases
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Acceptance tests
To run the system tests, you need Vagrant installed.
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_debug
: show the commands being run on the STU and their output.
BEAKER_destroy=no
: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no
: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes
: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
sudo
: Constructs a sudoers file based on configured aliases, defaults, and user specifications.
Defined types
sudo::alias
: Adds an alias to /etc/sudoers. See the 'Aliases' section of sudoers(5) for information about aliases.
sudo::alias::cmnd
: Convenience definition for adding a cmnd alias.
sudo::alias::host
: Convenience definition for adding a host alias.
sudo::alias::runas
: Convenience definition for adding a runas alias.
sudo::alias::user
: Convenience definition for adding a user alias.
sudo::default_entry
: Adds an entry to the defaults section of /etc/sudoers in order to override runtime defaults. See the 'Defaults' section of sudoers(5) for more information.
sudo::user_specification
: Add a user_spec entry to /etc/sudoers in order to determine which commands a user may run as the given user on the given host. See the 'User Specification' section of sudoers(5) for more information.
Functions
sudo::update_runas_list
: This function is used to help mitigate CVE-2019-14287 for sudo versions prior to 1.8.28. It will disallow userid/groupid of -1 if ALL or %ALL is used.
Data types
Sudo::AliasType
: Matches the list of configuration items for which aliases can be set in the sudoers file.
Sudo::DefType
: Matches the list configuration items for which defaults can be set in the sudoers file.
Classes
sudo
Constructs a sudoers file based on configured aliases, defaults, and user specifications.
Parameters
The following parameters are available in the sudo class.
user_specifications
Data type: Optional[Hash]
A hash of sudo::user_specification resources that can be set in hiera. Example:
sudo::user_specifications:
  simp_su:
    user_list: ['simp']
    cmnd: ['/bin/su']
  users_yum_update:
    user_list:
      - '%users'
    cmnd:
      - 'yum update'
  test_resource:
    user_list: ['%group']
    cmnd: ['w']
    runas: root
    passwd: true
Default value: undef
package_ensure
Data type: String
The ensure status of packages to be managed
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
Defined types
sudo::alias
Adds an alias to /etc/sudoers. See the 'Aliases' section of sudoers(5) for information about aliases.
Use the alias definition:
alias { 'user_alias':
  content => [ 'millert','mikef','dowdy' ],
  alias_type => 'user'
}
Examples
To create the following alias in sudoers:
User_Alias FULLTIMERS = millert, mikef, dowdy
Parameters
The following parameters are available in the sudo::alias defined type.
content
Data type: Array[String[1]]
The array of items that will be the content of this alias. For example: 'administrators', 'wheel'
alias_type
Data type: Sudo::AliasType
The type of alias to create. One of 'user', 'runas', 'host' or 'cmnd'
comment
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
order
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 10
sudo::alias::cmnd
Convenience definition for adding a cmnd alias.
Parameters
The following parameters are available in the sudo::alias::cmnd defined type.
content
Data type: Array[String[1]]
An array of commands that will comprise this alias. For example: ['/usr/sbin/shutdown', '/usr/sbin/reboot']
comment
Data type: Optional[String[1]]
Textual comment for this entry.
Default value: undef
order
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 10
sudo::alias::host
Convenience definition for adding a host alias.
Parameters
The following parameters are available in the sudo::alias::host defined type.
content
Data type: Array[String[1]]
An array of hostnames or IP addresses that will comprise the alias. For example: ['1.2.3.4', '5.6.7.8'] or ['mail', 'www']
comment
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
order
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 12
sudo::alias::runas
Convenience definition for adding a runas alias.
Parameters
The following parameters are available in the sudo::alias::runas defined type.
content
Data type: Array[String[1]]
An array of users that will comprise this alias. For example: ['millert', 'mikef']
comment
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
order
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 14
sudo::alias::user
Convenience definition for adding a user alias.
Parameters
The following parameters are available in the sudo::alias::user defined type.
content
Data type: Array[String[1]]
An array of users that will comprise this alias. For example: ['millert', 'mikef']
comment
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
order
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 16
sudo::default_entry
Adds an entry to the defaults section of /etc/sudoers in order to override runtime defaults. See the 'Defaults' section of sudoers(5) for more information.
Examples
To create the following defaults line in sudoers:
Defaults requiretty, syslog=authpriv, !root_sudo, !umask, env_reset, env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
Use the default_entry definition:
sudo::default_entry { '00_main':
content => [ 'requiretty',
'syslog=authpriv',
'!root_sudo',
'!umask',
'env_reset',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"' ]
}
Parameters
The following parameters are available in the sudo::default_entry defined type.
content
Data type: Array[String[1]]
The content of this entry.
target
Data type: Optional[String[1]]
The user, host, etc. that is the target of the content. Leave as undef to not specify a target.
Default value: undef
def_type
Data type: Sudo::DefType
May be one of:
- base => Global
- cmnd => Cmnd Entry
- host => Host Entry
- user => User Entry
- runas => Runas Entry
Default value: 'base'
sudo::user_specification
Add a user_spec entry to /etc/sudoers in order to determine which commands a user may run as the given user on the given host. See the 'User Specification' section of sudoers(5) for more information. Note that the 'Tag_Spec' entries have been explicitly noted below.
Examples
To create the following in /etc/sudoers:
`simp, %simp_group user2-dev1=(root) PASSWD:EXEC:SETENV: /bin/su root, /bin/su - root`
Use the user_specification definition:
sudo::user_specification { 'default_simp':
user_list => [ 'simp', '%simp_group' ],
runas => 'root',
cmnd => [ '/bin/su root', '/bin/su - root' ]
}
Parameters
The following parameters are available in the sudo::user_specification defined type.
user_list
Data type: Array[String[1]]
Array of users or groups that should be able to execute a command. Groups must be preceded by %.
cmnd
Data type: Array[String[1]]
Should be an array of commands you want to run.
host_list
Data type: Array[Simplib::Hostname,1]
Array of hosts where the specified users should be able to execute a command.
Default value: [$facts['hostname'], $facts['fqdn']]
runas
Data type: Variant[String[1],Array[String[1]]]
Can be an array of users that you need to be able to run the commands as. It will probably just be one user in most cases.
Default value: ['root']
passwd
Data type: Boolean
Set PASSWD in /etc/sudoers
Default value: true
doexec
Data type: Boolean
Set EXEC in /etc/sudoers
Default value: true
setenv
Data type: Boolean
Set SETENV in /etc/sudoers
Default value: true
options
Data type: Hash
Set additional options (such as SELinux role or type, date restrictions, or timeout)
Default value: {}
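The line that a sudo::user_specification resource produces in /etc/sudoers, rendered in Ruby as an added example for this reference entry and for the user_specification examples in the Usage section. This is not the simp-sudo module's own template code; it is an independent rendering of the same parameter mapping so the resulting Tag_Spec can be reviewed before a catalog is applied. Assumptions: a false passwd, doexec or setenv is written as the corresponding sudoers(5) negated tag (NOPASSWD, NOEXEC, NOSETENV); entries in the options hash are written as KEY=value between the Runas_Spec and the Tag_Spec, where sudoers(5) places ROLE=, TYPE=, NOTBEFORE= and TIMEOUT=; and the default host names are constructed stand-ins for $facts['hostname'] and $facts['fqdn'].

```ruby
# Added example, not the simp-sudo module's own template code.
# Renders the /etc/sudoers user specification that a
# sudo::user_specification resource describes.

# Documented parameter defaults. host_list is a constructed stand-in for
# [$facts['hostname'], $facts['fqdn']] (assumption: illustrative names).
DEFAULTS = {
  host_list: ['user2-dev1', 'user2-dev1.example.com'],
  runas:     ['root'],
  passwd:    true,
  doexec:    true,
  setenv:    true,
  options:   {},
}.freeze

# Tag_Spec in the order the module's documented example shows
# (PASSWD:EXEC:SETENV:). Assumption: a false Boolean selects the
# corresponding negated sudoers(5) tag.
def tag_spec(spec)
  [
    spec[:passwd] ? 'PASSWD' : 'NOPASSWD',
    spec[:doexec] ? 'EXEC'   : 'NOEXEC',
    spec[:setenv] ? 'SETENV' : 'NOSETENV',
  ].map { |tag| "#{tag}:" }.join
end

# Option entries such as ROLE=, TYPE=, NOTBEFORE=, TIMEOUT= sit between
# the Runas_Spec and the Tag_Spec in sudoers(5) (assumption on format).
def option_spec(options)
  options.map { |key, value| "#{key}=#{value}" }.join(' ')
end

# Builds one user_spec line. Raises on the empty lists that the module's
# data types (Array[String[1]], Array[Simplib::Hostname,1]) also reject.
def render_user_spec(params)
  spec = DEFAULTS.merge(params)
  %i[user_list cmnd host_list].each do |key|
    raise ArgumentError, "#{key} must not be empty" if Array(spec[key]).empty?
  end

  users  = spec[:user_list].join(', ')
  hosts  = spec[:host_list].join(', ')
  runas  = Array(spec[:runas]).join(', ')   # Variant[String, Array[String]]
  cmnds  = spec[:cmnd].join(', ')
  middle = [option_spec(spec[:options]), tag_spec(spec)].reject(&:empty?).join(' ')
  "#{users} #{hosts}=(#{runas}) #{middle} #{cmnds}"
end

if __FILE__ == $PROGRAM_NAME
  # The 'default_simp' example from this reference entry.
  puts render_user_spec(user_list: ['simp', '%simp_group'], host_list: ['user2-dev1'],
                        runas: 'root', cmnd: ['/bin/su root', '/bin/su - root'])
  # The 'myapp' example from the Usage section (passwd => false).
  puts render_user_spec(user_list: ['myappuser'], host_list: ['app1'],
                        cmnd: ['/usr/bin/someservice'], passwd: false)
end
```

With the default passwd/doexec/setenv values, the first call reproduces the documented line exactly; the second shows that passwd => false turns into NOPASSWD: while the other two tags stay positive, which is the detail worth checking before a service account is granted a command without a password.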
Functions
sudo::update_runas_list
Type: Ruby 4.x API
This function is used to help mitigate CVE-2019-14287 for sudo versions prior to 1.8.28. It will disallow userid/groupid of -1 if ALL or %ALL is used.
sudo::update_runas_list(Array[String] $content)
Note: Added even if !root is not present because it will skip over some auditing if #-1 is used.
Returns: Array[String]
An Array of users to add to a Runas_list in sudo that appends not -1 if 'ALL' or '%ALL' are used to avoid giving unintentional root access or skipping auditing.
content
Data type: Array[String]
An array of users/groups to add to a Runas_list in sudo
sudo::update_runas_list(String $content)
Note: Added even if !root is not present because it will skip over some auditing if #-1 is used.
Returns: Array[String]
An Array of users to add to a Runas_list in sudo that appends not -1 if 'ALL' or '%ALL' are used to avoid giving unintentional root access or skipping auditing.
content
Data type: String
A string of one user/group id to add to a Runas_list.
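The behaviour documented for sudo::update_runas_list, re-implemented in plain Ruby as an added example. This is not the module's own Ruby 4.x API function source, which is registered through Puppet::Functions; the logic below is an independent illustration that accepts the two documented signatures (Array[String] and String) and returns Array[String]. Assumptions: the "not -1" entries are spelled '!#-1' (user id -1, paired with ALL) and '!%#-1' (group id -1, paired with %ALL), which is the sudoers(5) syntax for negated numeric ids, and the sudo version is supplied as a plain dotted string such as '1.8.23'.

```ruby
require 'rubygems' # Gem::Version, used for the 1.8.28 cut-off comparison

# Added re-implementation of the documented sudo::update_runas_list
# behaviour; not the simp-sudo module's own source.
# Assumption: exclusion spelling for user id -1 and group id -1.
RUNAS_EXCLUSIONS = { 'ALL' => '!#-1', '%ALL' => '!%#-1' }.freeze

# Accepts Array[String] or String and always returns Array[String].
# The exclusion is appended whenever the wildcard is present, whether or
# not '!root' is also listed (the documented note), and only once.
def update_runas_list(content)
  list = Array(content).map(&:strip).reject(&:empty?)
  RUNAS_EXCLUSIONS.each do |wildcard, exclusion|
    next unless list.include?(wildcard)
    list << exclusion unless list.include?(exclusion)
  end
  list
end

# The mitigation is only needed for sudo earlier than 1.8.28.
# Assumption: version strings are plain dotted numbers like '1.8.23'.
def needs_runas_mitigation?(sudo_version)
  Gem::Version.new(sudo_version) < Gem::Version.new('1.8.28')
end

# Renders the Runas_Spec for a user specification, applying the
# mitigation only on hosts whose sudo version still needs it.
def runas_spec(content, sudo_version)
  list = needs_runas_mitigation?(sudo_version) ? update_runas_list(content) : Array(content)
  "(#{list.join(', ')})"
end

if __FILE__ == $PROGRAM_NAME
  puts runas_spec(['ALL', '!root'], '1.8.23') # mitigated: (ALL, !root, !#-1)
  puts runas_spec(['ALL', '!root'], '1.8.28') # fixed sudo: (ALL, !root)
end
```

The version check is what makes the mitigation safe to leave in a catalog permanently: on a patched sudo the Runas_Spec is emitted unchanged, and on an older build the extra entry is always present, so a specification written as (ALL, !root) no longer relies on the administrator remembering to add the exclusion by hand.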
Data types
Sudo::AliasType
Matches the list of configuration items for which aliases can be set in the sudoers file.
Alias of Enum['user', 'runas', 'host', 'cmnd']
Sudo::DefType
Matches the list of configuration items for which defaults can be set in the sudoers file.
Alias of Enum['base', 'cmnd', 'host', 'user', 'runas']
Changelog
- Mon Nov 29 2021 Mike Riddle mike@sicura.us - 5.5.0
- Added the ability for users to create include clauses in sudoers
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 5.4.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 5.3.2
- Removed EL6 support
- Tue Jun 09 2020 Arjen Zonneveld arjenz@users.noreply.github.com - 5.3.1-0
- Fixed docs for user_list Array type
- Tue Jun 09 2020 Steven Pritchard steven.pritchard@onyxpoint.com - 5.3.0-0
- Add parameters for sudo::default_entry and sudo::alias defined types
- Tue Feb 04 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 5.2.1-0
- Update for EL8.
- CVE-2019-14287 mitigation. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287 for more information
- Do not allow the use of userid or group id of -1 when ALL or %ALL are used in the runas section of a sudo user specification and the version of sudo is earlier than 1.8.28.
- Wed Sep 25 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 5.2.1-0
- Deep merge user_specifications by default
- Add support for simp/simplib < 7
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 5.2.1-0
- Support puppetlabs/concat 6.x.
- Wed Jun 12 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 5.2.0-0
- Allow additional options in sudo::user_specification
- Add Puppet 6 support
- Remove Puppet 4 support
- Allow puppetlabs/stdlib < 7
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 5.1.2-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated URLs in the README.md
- Thu Nov 15 2018 Martin Merfort martin.merfort@sixt.com - 5.1.1-0
- Enable support for cmnd def_type
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 5.1.0-0
- Added $package_ensure parameter
- Changed the package from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Thu Sep 13 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 5.1.0-0
- Added support for Puppet 5 and OEL
- Modified uspec template to handle the RedHat OS family instead of just RHEL or CentOS
- Fri Aug 24 2018 Trevor Vaughan tvaughan@onyxpoint.com - 5.1.0-0
- Replaced all references to 'sudosh' with 'su' to reduce future confusion as we move away from using sudosh.
- Fri Aug 17 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 5.0.6-0
- Added minimum size for sudo::user_specification::hostlist, because an empty list is not permitted.
- Wed Jun 20 2018 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.5-0
- Add both fqdn and hostname to user_specification entries by default
- Fri Feb 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 5.0.4-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 5.0.3-0
- Update concat version in metadata.json
- Add concat dependency to build/rpm_metadata/requires
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 5.0.2-0
- Confine puppet version in metadata.json
- Fri Feb 03 2017 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.1-0
- Fixed the validation command on the concat resource to actually validate the temp file prior to putting it in place
- Thu Jan 05 2017 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0
- Added feature to add sudo::user_specification resources from hiera
- Wed Jan 04 2017 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0
- Strong typed module
- Updated for Puppet 4
- Changed validate cmd to be valid
- Thu Dec 01 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.1-0
- Removed unnecessary pupmod-simp-rsync dependency
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Minor cleanup
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Fri Aug 05 2016 Nick Markowski nmarkowski@keywcorp.com - 4.1.2-0
- Updated the user_specification docs and spec.
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-0
- Migration to semantic versioning and fix of the build system
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-3
- migration to simplib and simpcat (lib/ only)
- Thu Sep 03 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-2
- Removed use of lsb facts. Updated travis framework to match skeleton.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Changed puppet-server requirement to puppet
- Fri Apr 11 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Removed the sudo::pull_remote class.
- Wed Feb 12 2014 Kendall Moore kmoore@keywcorp.com - 2.1.0-0
- Updated templates to use native booleans instead of strings.
- Tue Jan 14 2014 Nick Markowski nmarkowski@keywcorp.com - 2.1.0-0
- Updated module for puppet3/hiera compatibility, lint tests, rspec tests.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 2.0.0-9
- Updated all erb templates to properly scope variables.
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-8
- Use 'versioncmp' for all version comparisons.
- Thu Sep 12 2013 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.7
- Updated the example documentation to note that authpriv should be used instead of auth so that syslog picks it up properly.
- Mon Feb 25 2013 Maintenance 2.0-6
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Thu Dec 20 2012 Maintenance 2.0.0-5
- Created a Cucumber test to add a sudo entry using the sudo module and ensure the sudoers entry is properly written.
- Thu Jun 07 2012 Maintenance 2.0.0-4
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 2.0.0-3
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 2.0.0-2
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Fri Feb 11 2011 Maintenance 2.0.0-1
- Updated to use rsync native type
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-2
- Converting all spec files to check for directories prior to copy.
- Mon Oct 04 2010 Maintenance 1.0-1
- Update to ensure that any rsync modifications are not accidentally removed.
- Tue May 25 2010 Maintenance 1.0-0
- Code refactoring.
- Tue May 04 2010 Maintenance 0.2-6
- Removed strict checking and changed mode of sudoers.new to 440 to support the new visudo with RHEL5.5
- Wed Mar 17 2010 Maintenance 0.2-5
- Code refactor for puppet 0.25.4 de-looping.
Dependencies
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 3.1.0 < 5.0.0)
License
pupmod-simp-sudo - A Puppet Module for managing sudoers
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.