thr3ads.net - Puppet users - [Puppet Users] Trying to write a visudo checker [Mar 2011]

If this information is useful, please help other people find it:
Share via:

Rich Rauenzahn

2011-Mar-04 02:21 UTC

[Puppet Users] Trying to write a visudo checker

This visudo checker I''ve written (based on some examples from the web
and puppet training materials) causes a dependency loop -- but only
when I include the unless => "diff ...".  It seems someone got
clever
and decided to look at exec''s and look for managed filenames in
argument lists and create implicit dependencies from them?  Argh!

I also tried just making the exec a refreshonly from the sudoers_check
file''s notify, but then the sudoers file itself ignored the bad return
from the exec even though it requires => the exec.

My best solution so far is to just let the visudo run every time...

$ puppet --version
2.6.4

define sudo::fragment($source, $order=10) {
    concat::fragment { "${name}_sudoers":
        source => $source,
        target => $sudo::config::sudoers,
    }
    concat::fragment { "${name}_sudoers_check":
        source => $source,
        target => $sudo::config::sudoers_check,
    }
}

class sudo::config($sudoers="/etc/sudoers") {
    $sudoers_check = "${sudoers}.check"
}

class sudo {
    include concat::setup
    $sudoers = $sudo::config::sudoers
    $sudoers_check = $sudo::config::sudoers_check
    package { "sudo":
        ensure => installed,
    }
    concat { $sudoers_check:
        owner   => root,
        group   => root,
        mode    => 440,
        warn    => true,
    }
    exec { "visudo -cf $sudoers_check":
        path        => "/usr/sbin/:/usr/bin",
        require     => [Concat[$sudoers_check], Package["sudo"]],
        unless      => "diff $sudoers $sudoers_check",
    }
    concat { $sudoers:
        owner   => root,
        group   => root,
        mode    => 440,
        require => [Exec["visudo -cf $sudoers_check"],
File[$sudoers_check]],
        warn    => true,
    }
}

class { "sudo::config": sudoers => "/tmp/sudoers" }

sudo::fragment { "ob":
        source       => "puppet:///modules/sudo/sudoers",
        #source       => "/etc/passwd",
 }

err: Could not apply complete catalog: Found dependency cycles in the
following relationships: Exec[visudo -cf /tmp/sudoers.check] =>
File[/var/lib/puppet/concat/_tmp_sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] =>
File[/var/lib/puppet/concat/_tmp_sudoers/fragments], Exec[visudo -cf
/tmp/sudoers.check] =>
File[/var/lib/puppet/concat/_tmp_sudoers/fragments], Exec[visudo -cf
/tmp/sudoers.check] => File[/tmp/sudoers], Exec[concat_/tmp/sudoers]
=> File[/tmp/sudoers], File[/tmp/sudoers] => Exec[visudo -cf
/tmp/sudoers.check],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] =>
File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] =>
Exec[concat_/tmp/sudoers], File[/var/lib/puppet/concat/_tmp_sudoers]
=> Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] =>
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] =>
Exec[concat_/tmp/sudoers], Exec[visudo -cf /tmp/sudoers.check] =>
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers] =>
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out] =>
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat] =>
Exec[concat_/tmp/sudoers], File[/var/lib/puppet/concat/_tmp_sudoers]
=> File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
Exec[visudo -cf /tmp/sudoers.check] =>
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
File[/var/lib/puppet/concat/_tmp_sudoers] =>
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat],
Exec[visudo -cf /tmp/sudoers.check] =>
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat]; try using
the ''--graph'' option and open the ''.dot''
files in OmniGraffle or
GraphViz

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Alan Barrett

2011-Mar-04 08:23 UTC

head link

Re: [Puppet Users] Trying to write a visudo checker

On Thu, 03 Mar 2011, Rich Rauenzahn wrote:> It seems someone got clever and decided to look at exec''s and 
> look for managed filenames in argument lists and create implicit 
> dependencies from them?  Argh!
Yes, the unwanted dependencies are very annoying.  Using file 
names like /dir/subdir/./file instead of /dir/subdir/file is 
enough to fool the code that adds implicit dependencies.

--apb (Alan Barrett)

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Rich Rauenzahn

2011-Mar-04 18:49 UTC

head link

Re: [Puppet Users] Trying to write a visudo checker

On 3/4/2011 12:23 AM, Alan Barrett wrote:> On Thu, 03 Mar 2011, Rich Rauenzahn wrote:
>> It seems someone got clever and decided to look at exec''s and
look
>> for managed filenames in argument lists and create implicit 
>> dependencies from them?  Argh!
>
> Yes, the unwanted dependencies are very annoying.  Using file names 
> like /dir/subdir/./file instead of /dir/subdir/file is enough to fool 
> the code that adds implicit dependencies.
>
Ah, what I did instead was just do exec => "diff /.$path1
/.$path2".   I
was imagining doing much more invasive methods last night.  Thanks!

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

John Warburton

2011-Mar-06 23:19 UTC

head link

Re: [Puppet Users] Trying to write a visudo checker

On 4 March 2011 13:21, Rich Rauenzahn <rrauenza@gmail.com> wrote:
> This visudo checker I''ve written (based on some examples from the
web
> and puppet training materials) causes a dependency loop -- but only
>
I''ve approached the problem from another direction and we have a
subversion
pre-commit hook for the sudoers file...

     case $file in
         */sudoers)
             OUTPUT=`/usr/sbin/visudo -c -q -f $TMPFILE 2>&1`
             if [ $? -ne 0 ] ; then
                 echo "sudoers syntax error in $file" >&2
                 echo "$OUTPUT" >&2
                 exit 1
             fi
         ;;

John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Puppet users - Mar 2011 - Trying to write a visudo checker

[Puppet Users] Trying to write a visudo checker

Re: [Puppet Users] Trying to write a visudo checker

Re: [Puppet Users] Trying to write a visudo checker

Re: [Puppet Users] Trying to write a visudo checker