We use a script to edit /etc/sudoers temporarily to provide sudo access to
clients for a limited time.
A cron job checks for a var and after a defined time the line is deleted.

But this way, /etc/sudoers can't be managed by Puppet, because it will be
overwritten by puppet.

What should I use as a solution to this problem?

Kind regards,
Pieter Baele
www.pieterb.be

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
By using the schedule metaparameter, you could have puppet only check
sudoers outside of the time period when you grant temporary access. This
might not be feasible if the time period is constantly changing though.
> But this way, /etc/sudoers can't be managed by Puppet, because it will be
> overwritten by puppet.

You could have your script set the immutable attribute on the sudoers
file. Then puppet won't be able to change it.

chattr +i /etc/sudoers

When you want puppet to start managing the file again, remove the
attribute.

chattr -i /etc/sudoers
On Fri, May 7, 2010 at 6:45 AM, Pieter Baele <pieter.baele@gmail.com> wrote:
> We use a script to edit /etc/sudoers temporarily to provide sudo access to
> clients for a limited time.
> A cron job checks for a var and after a defined time the line is deleted.
>
> But this way, /etc/sudoers can't be managed by Puppet, because it will be
> overwritten by puppet.
>
> What should I use as a solution to this problem?
>

If you are using sudo v1.7.x (not the default on RHEL/Centos) you can use
the #include feature of sudoers, to put your temp changes in a different
file, and have puppet manage the master sudoers file.

http://www.sudo.ws/sudo/man/sudoers.html#including_other_files_from_within_sudoers

-Adam
On Fri, May 7, 2010 at 19:51, Adam Crews <adam.crews@gmail.com> wrote:
> On Fri, May 7, 2010 at 6:45 AM, Pieter Baele <pieter.baele@gmail.com>
> wrote:
> > We use a script to edit /etc/sudoers temporarily to provide sudo access
> > to clients for a limited time.
> > A cron job checks for a var and after a defined time the line is deleted.
> >
> > But this way, /etc/sudoers can't be managed by Puppet, because it will be
> > overwritten by puppet.
> >
> > What should I use as a solution to this problem?
> >
>
> If you are using sudo v1.7.x (not the default on RHEL/Centos) you can
> use the #include feature of sudoers, to put your temp changes in a
> different file, and have puppet manage the master sudoers file.
>
> http://www.sudo.ws/sudo/man/sudoers.html#including_other_files_from_within_sudoers
>
> -Adam
>

Thx. It's a possible solution. 1.7.x is default on 5.5 :-)
On Fri, May 7, 2010 at 19:10, John Philips <johnphilips42@yahoo.com> wrote:
>
> > But this way, /etc/sudoers can't be managed by Puppet, because it will be
> > overwritten by puppet.
>
> You could have your script set the immutable attribute on the sudoers
> file. Then puppet won't be able to change it.
>
> chattr +i /etc/sudoers
>
> When you want puppet to start managing the file again, remove the
> attribute.
>
> chattr -i /etc/sudoers
>

I hadn't thought about that possibility. I will try it.

Kind regards,
Pieter Baele
www.pieterb.be
Adam Crews <adam.crews@gmail.com> writes:
> If you are using sudo v1.7.x (not the default on RHEL/Centos) you can
> use the #include feature of sudoers, to put your temp changes in a
> different file, and have puppet manage the master sudoers file.
>
> http://www.sudo.ws/sudo/man/sudoers.html#including_other_files_from_within_sudoers

FWIW I love this feature. My puppet sudo module uses it to allow other
modules to insert sudo stanzas. Much simpler to let them each manage their
own sudo snippet, than to get concat file working.

seph
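The #include approach Adam suggests, and the per-snippet layout seph describes, as an added example that is not the poster's script nor code from the sudo or Puppet projects. Puppet keeps managing the master /etc/sudoers (which carries an #includedir line), while temporary grants live as separate files that a cron job expires. Assumptions: the includedir is /etc/sudoers.d, snippets are named tmp-<user>, each snippet's first line records its expiry as a Unix timestamp, and in production the script runs as root so the files end up root-owned with mode 0440. Staging the file under a name containing a dot relies on documented sudo behaviour: files in an includedir whose names contain "." are ignored, so a half-written snippet is never read.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script, not sudo/Puppet code):
# keep temporary grants out of the Puppet-managed /etc/sudoers by writing each
# one as its own file under the "#includedir" directory, stamped with an
# absolute expiry that a cron job enforces. Paths and names are assumptions.

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
VISUDO="${VISUDO:-visudo}"   # override (e.g. VISUDO=true) where visudo is absent

# grant_temp_sudo USER HOURS
# Creates $SUDOERS_DIR/tmp-USER giving USER full sudo on this host for HOURS.
# The first line records the expiry as a Unix timestamp, so expiry does not
# depend on the file's mtime. The snippet is staged under a dotted name (which
# sudo ignores inside an includedir), validated with "visudo -cf", and only
# then renamed into place, so a malformed file never breaks sudo for everyone.
grant_temp_sudo() {
    user=$1
    hours=$2
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) echo "refusing user name '$user'" >&2; return 1 ;;
    esac
    case "$hours" in
        ''|*[!0-9]*) echo "hours must be an integer" >&2; return 1 ;;
    esac
    expires=$(( $(date +%s) + hours * 3600 ))
    target="$SUDOERS_DIR/tmp-$user"
    staged="$target.staged"

    printf '# expires: %s\n%s ALL=(ALL) ALL\n' "$expires" "$user" > "$staged"
    chmod 0440 "$staged"
    if ! "$VISUDO" -cf "$staged" >/dev/null 2>&1; then
        echo "snippet failed validation, not installed" >&2
        rm -f "$staged"
        return 1
    fi
    mv "$staged" "$target"
}

# expire_temp_sudo
# Cron entry point (e.g. every few minutes): removes each tmp-* snippet whose
# "# expires:" stamp has passed. A snippet with no readable stamp is removed
# too, since an open-ended grant is exactly what this scheme exists to prevent.
expire_temp_sudo() {
    now=$(date +%s)
    for f in "$SUDOERS_DIR"/tmp-*; do
        [ -f "$f" ] || continue
        stamp=$(sed -n '1s/^# expires: \([0-9][0-9]*\)$/\1/p' "$f")
        if [ -z "$stamp" ] || [ "$stamp" -le "$now" ]; then
            rm -f "$f"
            echo "expired: $f"
        fi
    done
}

# Command-line entry points: cron runs "$0 expire", an operator "$0 grant joe 2".
case "${1:-}" in
    grant)  grant_temp_sudo "$2" "$3" ;;
    expire) expire_temp_sudo ;;
esac
```

Because the master file is untouched, Puppet can keep enforcing it on every run; the only thing Puppet must not do is purge unknown files from the includedir, or it will remove the grants itself.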
On Fri, 7 May 2010 10:10:16 -0700 (PDT) John Philips <johnphilips42@yahoo.com> wrote:
>
> > But this way, /etc/sudoers can't be managed by Puppet, because it
> > will be overwritten by puppet.
>
> You could have your script set the immutable attribute on the sudoers
> file. Then puppet won't be able to change it.
>
> chattr +i /etc/sudoers
>
> When you want puppet to start managing the file again, remove the
> attribute.
>
> chattr -i /etc/sudoers
>

But this will yield puppet errors and feels a bit hackish. What about
loading pam_time.so in /etc/pam.d/sudo? Checkout time.conf(5) and
pam_time(8). You can even manage pam configuration with puppet using the
augeas type.

Marc
On Fri, May 7, 2010 at 6:45 AM, Pieter Baele <pieter.baele@gmail.com> wrote:
> We use a script to edit /etc/sudoers temporarily to provide sudo access to
> clients for a limited time.
> A cron job checks for a var and after a defined time the line is deleted.
>
> But this way, /etc/sudoers can't be managed by Puppet, because it will be
> overwritten by puppet.
>
> What should I use as a solution to this problem?
>

Write a fact that checks for the same var as your cron job, and use that
fact to manage /etc/sudoers conditionally in your manifests.

>
> Kind regards,
> Pieter Baele
> www.pieterb.be
>

--
nigel
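The fact nigel suggests, as an added example that is not from the thread or from Facter: an executable external fact, installed under Facter's facts.d directory (/etc/facter/facts.d/ on older installs; check where your Facter version looks), which Facter runs and whose "key=value" output lines become facts. The fact names and the state it inspects are assumptions: temporary grants are taken to live as /etc/sudoers.d/tmp-* snippets whose first line is "# expires: <unix time>", so the fact and the cron job judge the same state.

```shell
#!/bin/sh
# Added example (not from the thread, not Facter's own code): an executable
# external fact reporting whether any unexpired temporary sudo grant exists.
# Assumed convention: grants are $SUDOERS_DIR/tmp-* files whose first line
# reads "# expires: <unix time>".

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# temp_sudo_facts [NOW]
# Prints temp_sudo_active=true|false and temp_sudo_expires=<unix time of the
# latest unexpired grant, or 0>. NOW defaults to the current time; it is a
# parameter only so the logic can be exercised against fixed timestamps.
temp_sudo_facts() {
    now=${1:-$(date +%s)}
    latest=0
    for f in "$SUDOERS_DIR"/tmp-*; do
        [ -f "$f" ] || continue
        stamp=$(sed -n '1s/^# expires: \([0-9][0-9]*\)$/\1/p' "$f")
        # unstamped or already-expired snippets do not count as an active grant
        if [ -n "$stamp" ] && [ "$stamp" -gt "$now" ] && [ "$stamp" -gt "$latest" ]; then
            latest=$stamp
        fi
    done
    if [ "$latest" -gt 0 ]; then
        echo "temp_sudo_active=true"
    else
        echo "temp_sudo_active=false"
    fi
    echo "temp_sudo_expires=$latest"
}

temp_sudo_facts
```

In the manifest the value arrives as the string 'true' or 'false', so the sudoers resource would be wrapped in something like `if $::temp_sudo_active != 'true' { ... }`. The trade-off to be aware of: while a grant is active, Puppet is not enforcing /etc/sudoers at all, so any other drift in that file goes uncorrected until the grant expires; keeping grants in separate includedir files avoids that window.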
On May 7, 2010, at 9:45 AM, Pieter Baele wrote:
> We use a script to edit /etc/sudoers temporarily to provide sudo access to clients for a limited time.
> A cron job checks for a var and after a defined time the line is deleted.
>
> But this way, /etc/sudoers can't be managed by Puppet, because it will be overwritten by puppet.

I use Augeas for `sudoers`. This allows you to manage individual entries,
instead of replacing the entire file. For instance, this will add an entry
for a user named “joe” unless that entry already exists.

augeas { "sudojoe":
    context => "/files/etc/sudoers",
    changes => [
        "set spec[last() + 1]/user joe",
        "set spec[last()]/host_group/host ALL",
        "set spec[last()]/host_group/command ALL",
        "set spec[last()]/host_group/command/runas_user ALL",
    ],
    onlyif => "match *[user = 'joe'] size == 0",
}

--
Rob McBroom <http://www.skurfer.com/>
On Jun 1, 2010, at 11:47 AM, Rob McBroom wrote:
> I use Augeas for `sudoers`. This allows you to manage individual entries,
> instead of replacing the entire file. For instance, this will add an entry
> for a user named “joe” unless that entry already exists.
>
> augeas { "sudojoe":
>     context => "/files/etc/sudoers",
>     changes => [
>         "set spec[last() + 1]/user joe",
>         "set spec[last()]/host_group/host ALL",
>         "set spec[last()]/host_group/command ALL",
>         "set spec[last()]/host_group/command/runas_user ALL",
>     ],
>     onlyif => "match *[user = 'joe'] size == 0",
> }

As I posted that, I thought there might be a better way (even though I've
been using the above for weeks). Here's the better way:

augeas { "sudojoe":
    context => "/files/etc/sudoers",
    changes => [
        "set spec[user = 'joe']/user joe",
        "set spec[user = 'joe']/host_group/host ALL",
        "set spec[user = 'joe']/host_group/command ALL",
        "set spec[user = 'joe']/host_group/command/runas_user ALL",
    ],
}

This creates the user's entry only if it doesn't exist, but has the added
benefit that changes to the host, command, etc. will get applied to an
existing entry. The original would create an entry, but would never modify
it if it existed.

--
Rob McBroom <http://www.skurfer.com/>
> On Jun 1, 2010, at 11:47 AM, Rob McBroom wrote:
>
>> I use Augeas for `sudoers`. This allows you to manage individual entries,
>> instead of replacing the entire file. For instance, this will add an
>> entry for a user named “joe” unless that entry already exists.
>>
>> augeas { "sudojoe":
>>     context => "/files/etc/sudoers",
>>     changes => [
>>         "set spec[last() + 1]/user joe",
>>         "set spec[last()]/host_group/host ALL",
>>         "set spec[last()]/host_group/command ALL",
>>         "set spec[last()]/host_group/command/runas_user ALL",
>>     ],
>>     onlyif => "match *[user = 'joe'] size == 0",
>> }

I've only been following this thread on and off, so forgive me if someone
else mentioned it already - but one solution to your problem could be
pam_time. This allows you to create a file that lists when users can access
the system. If the people you are restricting are still accessing the
system 24/7 (and are only limited in commands they can run at certain
times), then this may not be the best solution for you. However, if you
only want certain users to be able to do certain things on certain systems
at certain times, this may be a better solution than cron'ing jobs to
modify files :)
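The pam_time approach raised in the two replies above, as an added configuration example that is not from the thread; the user name and the time window are placeholders. It attaches a time check to the account stage of sudo's PAM service, so it decides when a user may get through sudo at all, not which commands they may run, which is the limitation the post above points out.

```conf
# /etc/pam.d/sudo -- add the account-stage check next to your distribution's
# existing account lines. "required" means a denial from pam_time fails the
# account stage no matter what later modules say.
account    required     pam_time.so

# /etc/security/time.conf -- one rule per line: services;ttys;users;times
# Days: Mo Tu We Th Fr Sa Su, Wk (weekdays), Wd (weekend), Al (all);
# times are HHMM-HHMM; "!" negates, "&" ands, "|" ors.
# Placeholder rule: user "joe" passes sudo's account check only on weekdays
# between 08:00 and 18:00 local time.
sudo ; * ; joe ; Wk0800-1800
```

Since both files are static, Puppet can manage them outright (the augeas type Marc mentions works for the pam.d file), and nothing has to be edited on a timer; the cost is that the window is fixed in configuration rather than granted ad hoc.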