Is anyone having success with #includedir option in sudo? I have a module that uses a definition to create files in /etc/sudoers.d/ which is referenced in the main sudoers file as #includedir "/etc/sudoers", but these entries are not getting referenced when sudo is used. I'm running CentOS 5 and 6, with sudo-1.7.2p1 and sudo-1.7.2p2 respectively.

Here's a weird symptom of the problem I'm having...

# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0

(((NOTE: I made absolutely no changes, just did ":q")))
# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<

# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK

This is my sudoers file...

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
## Defaults    requiretty

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"
# Defaults   secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

#includedir "/etc/sudoers.d"

And this is the /etc/sudoers.d/zabbix-puppet

zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet

What's so strange is if I take that exact line, and put it in /etc/sudoers, it works just fine. So I know the syntax and such is correct, however it doesn't get called via #includedir.

Thanks
- Trey

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Len Rugen
2011-Aug-01 20:47 UTC
Re: [Puppet Users] Managing sudo via puppet using #includedir
It's working here for RHEL 5 & 6. Check the owner and perms of sudoers.d, that's probably not your problem, but it's the only one we've had.
treydock
2011-Aug-01 21:49 UTC
[Puppet Users] Re: Managing sudo via puppet using #includedir
From the sudoer docs it mentioned making the files in /etc/sudoers.d be 440, but what about the folder? Here's the perms on /etc/sudoers.d

drwxr-xr-x   2 root root 4096 Jul 26 19:16 .
drwxr-xr-x. 64 root root 4096 Jul 26 19:16 ..
-r--r-----   1 root root   53 Jul 26 19:16 zabbix-puppet

- Trey

On Aug 1, 3:47 pm, Len Rugen <lenru...@gmail.com> wrote:
> It's working here for RHEL 5 & 6. Check the owner and perms of sudoers.d,
> that's probably not your problem, but it's the only one we've had.
Nathan Clemons
2011-Aug-01 21:56 UTC
Re: [Puppet Users] Re: Managing sudo via puppet using #includedir
These are the perms we're using for that functionality:

dr-xr-x--- 2 root root 4096 Jul  7 18:09 /etc/sudoers.d

--
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Mon, Aug 1, 2011 at 2:49 PM, treydock <treydock@gmail.com> wrote:
> From the sudoer docs it mentioned making the files in /etc/sudoers.d
> be 440, but what about the folder? Here's the perms on /etc/sudoers.d
>
> drwxr-xr-x   2 root root 4096 Jul 26 19:16 .
> drwxr-xr-x. 64 root root 4096 Jul 26 19:16 ..
> -r--r-----   1 root root   53 Jul 26 19:16 zabbix-puppet
>
> - Trey
>
> On Aug 1, 3:47 pm, Len Rugen <lenru...@gmail.com> wrote:
> > It's working here for RHEL 5 & 6. Check the owner and perms of
> > sudoers.d, that's probably not your problem, but it's the only one we've had.
vagn scott
2011-Aug-01 23:35 UTC
Re: [Puppet Users] Managing sudo via puppet using #includedir
On 08/01/2011 01:41 PM, treydock wrote:
> #includedir "/etc/sudoers.d"
>
Maybe without the quotation marks?

--
vagn
treydock
2011-Aug-01 23:59 UTC
[Puppet Users] Re: Managing sudo via puppet using #includedir
Ok, so this was actually two problems...

The first, can't have quotes around the folder location in #includedir...

Second is the way I was populating those files...

Here's the sudo module definition...

define sudo::directive (
  $ensure=present,
  $content="",
  $source=""
) {

  # sudo skipping file names that contain a "."
  $dname = regsubst($name, '\.', '-', 'G')

  file {"/etc/sudoers.d/${dname}":
    ensure  => $ensure,
    owner   => root,
    group   => root,
    mode    => 0440,
    content => $content ? {
      ""      => undef,
      default => $content,
    },
    source  => $source ? {
      ""      => undef,
      default => $source,
    },
    require => Package["sudo"],
  }

}

The "content" method doesn't work, or at least not in the way I've implemented it...

So this doesn't work...

sudo::directive { "zabbix-puppet":
  ensure  => present,
  content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet",
  #source => "puppet:///files/zabbix_sudocmd",
}

And this works...

sudo::directive { "zabbix-puppet":
  ensure   => present,
  #content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet",
  source   => "puppet:///files/zabbix_sudocmd",
}

The file "zabbix_sudocmd" contains the same text as the "content" line, however it seems to not add a necessary new line character, as this is the debug output from puppet when I change from "source" to "content"...

debug: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/File[/etc/sudoers.d/zabbix-puppet]/content: Executing 'diff -u /etc/sudoers.d/zabbix-puppet /tmp/puppet-file20110801-18801-1wfv1td-0'
--- /etc/sudoers.d/zabbix-puppet 2011-08-01 18:45:16.248138294 -0500
+++ /tmp/puppet-file20110801-18801-1wfv1td-0 2011-08-01 18:53:53.566133754 -0500
@@ -1 +1 @@
-zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
+zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
\ No newline at end of file
debug: file_bucket_file supports formats: b64_zlib_yaml marshal pson raw yaml; using yaml
info: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/File[/etc/sudoers.d/zabbix-puppet]: Filebucketed /etc/sudoers.d/zabbix-puppet to main with sum 2ecb3670db9e458970153bf00d64b325
notice: /Stage[main]/Role_zabbix_client/Sudo::Directive[zabbix-puppet]/File[/etc/sudoers.d/zabbix-puppet]/content: content changed '{md5}2ecb3670db9e458970153bf00d64b325' to '{md5}348da8bc5d9eacaf6334b092d95001eb'

Notice the "No newline at end of file"...

I can use "content" if I add a "\n" to the end of the line, which doesn't seem like it should be necessary, but it works.

Thanks!!
- Trey

On Aug 1, 6:35 pm, vagn scott <vagnsc...@gmail.com> wrote:
> On 08/01/2011 01:41 PM, treydock wrote:
>
> > #includedir "/etc/sudoers.d"
>
> Maybe without the quotation marks?
>
> --
> vagn
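Review bot: the "\ No newline at end of file" marker belongs to the "+" side of the hunk, i.e. the temp file Puppet rendered from the "content" string, not to the existing /etc/sudoers.d/zabbix-puppet that was written from "source"; the two versions are otherwise byte-identical, which is why diff shows a change and the md5 sums differ. Since sudo's parser rejected the newline-less file ("syntax error near line 0" earlier in the thread), the terminating newline is part of the required output: append it inside the sudo::directive define (for example when building the file content from $content) so that every caller gets a parseable fragment, rather than relying on each caller to remember "\n".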
Iain Sutton
2011-Aug-03 06:07 UTC
Re: [Puppet Users] Re: Managing sudo via puppet using #includedir
To add a newline, put the closing double quote on a new line.

content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet",

becomes

content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
",

On 2 August 2011 09:59, treydock <treydock@gmail.com> wrote:
> Notice the "No newline at end of file"...
>
> I can use "content" if I add a "\n" to the end of the line, which
> doesn't seem like it should be necessary, but it works.
Dan Carley
2011-Aug-03 09:08 UTC
Re: [Puppet Users] Re: Managing sudo via puppet using #includedir
On 3 August 2011 07:07, Iain Sutton <iainsutton@gmail.com> wrote:
> To add a newline, put the closing double quote on a new line.
>
> content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet",
>
> becomes
>
> content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
> ",
>
Or, cleaner IMHO:

content => "zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet\n",
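The checks this thread converged on, collected into one pre-flight linter that can run before a fragment is dropped into /etc/sudoers.d: the directory and fragment ownership and mode from the perms replies, the unquoted #includedir path from vagn's suggestion, a fragment name without "." as in Trey's define, and the trailing newline that the "content" discussion ended on. This is an added example, not code from the thread or from any Puppet module; every function name is hypothetical, the permission expectations are the ones stated in the thread (0440 root:root for fragments, a root-owned directory that is not group- or world-writable), and the rule that sudo also skips names ending in "~" comes from the sudoers manual rather than from this thread.

```python
#!/usr/bin/env python3
"""Pre-flight linter for sudo #includedir fragments (added example).

Permission checks take mode/uid/gid values so they can be exercised without
root; stat_and_check() wraps them for a real path.
"""
import os
import re
import stat

INCLUDEDIR_RE = re.compile(r'^#includedir\s+(\S+)\s*$')


def check_includedir_line(line):
    """Problems with a '#includedir' directive from the main sudoers file."""
    m = INCLUDEDIR_RE.match(line.rstrip('\n'))
    if not m:
        return ['not a #includedir directive: %r' % line]
    path = m.group(1)
    if path[0] in '"\'' or path[-1] in '"\'':
        # The thread's first problem: '#includedir "/etc/sudoers.d"' was
        # never read; the path must be written bare.
        return ['quoted #includedir path (write it without quotes): %s' % path]
    return []


def safe_fragment_name(name):
    """Mirror the define's regsubst: replace every '.' with '-'."""
    return re.sub(r'\.', '-', name)


def check_fragment_name(name):
    """sudo silently skips names it treats as temporary or backup files."""
    problems = []
    if '.' in name:
        problems.append("name contains '.', sudo skips it: %s" % name)
    if name.endswith('~'):
        problems.append("name ends with '~', sudo skips it: %s" % name)
    return problems


def check_fragment_content(content):
    """The Puppet 'content' string in the thread lacked a final newline."""
    if not content.endswith('\n'):
        return ['missing trailing newline (add "\\n" to the content string)']
    return []


def check_fragment_perms(mode, uid, gid):
    """Fragments follow the sudoers rule from the docs: 0440, root:root."""
    problems = []
    if stat.S_IMODE(mode) != 0o440:
        problems.append('mode is %04o, expected 0440' % stat.S_IMODE(mode))
    if uid != 0 or gid != 0:
        problems.append('owner is %d:%d, expected 0:0' % (uid, gid))
    return problems


def check_dir_perms(mode, uid, gid):
    """Directory: root-owned and not writable by group or others.
    Both drwxr-xr-x (the asker) and dr-xr-x--- (a reply) satisfy this."""
    problems = []
    if uid != 0:
        problems.append('directory owner is uid %d, expected 0' % uid)
    if stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append('directory is group/world writable (%04o)'
                        % stat.S_IMODE(mode))
    return problems


def lint_fragment(name, content, mode=0o440, uid=0, gid=0):
    """All fragment-level checks as one list of problems (empty = OK)."""
    return (check_fragment_name(name)
            + check_fragment_content(content)
            + check_fragment_perms(mode, uid, gid))


def stat_and_check(path):
    """Run the checks against a real fragment file or the sudoers.d directory."""
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        return check_dir_perms(st.st_mode, st.st_uid, st.st_gid)
    with open(path) as fh:
        content = fh.read()
    return lint_fragment(os.path.basename(path), content,
                         st.st_mode, st.st_uid, st.st_gid)


if __name__ == '__main__':
    # Constructed inputs mirroring the thread: the 'content' string with and
    # without its newline, and the quoted versus bare include line.
    rule = 'zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet'
    for label, text in (('without newline', rule), ('with newline', rule + '\n')):
        print(label, '->', lint_fragment('zabbix-puppet', text) or 'OK')
    print('quoted include ->', check_includedir_line('#includedir "/etc/sudoers.d"'))
    print('bare include   ->', check_includedir_line('#includedir /etc/sudoers.d') or 'OK')
```

Running it as a script prints the two findings from the thread (missing newline, quoted path) and "OK" for the corrected variants; stat_and_check('/etc/sudoers.d') and stat_and_check('/etc/sudoers.d/zabbix-puppet') apply the same checks to a live host.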