Forge Home

Modules

Resources

PuppetEcosystemPuppet CommunityUpdates

sudo

Manage sudoers
Project URLRSS FeedReport issues

303,924 downloads

293,137 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.3.0 (latest)
  • 1.2.0
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.1
  • 1.0.0
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.1
  • 0.1.0
released Mar 4th 2015
This version is compatible with:
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'arnoudj-sudo', '1.3.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add arnoudj-sudo
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install arnoudj-sudo --version 1.3.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: security, sudo

Documentation

arnoudj/sudo — version 1.3.0 Mar 4th 2015

arnoudj/puppet-sudo

Build Status

Allow restricted root access for specified users. The name of the defined type must consist of only letters, numbers and underscores and should be unique. If the name has incorrect characters the defined type will fail. Sudoers entries realised with the sudo::sudoers defined type will be stored in "/etc/sudoers.d/[typename]".

This module expects that your OS/Distribution supports /etc/sudoers.d, which is true for Ubuntu 10.04 and up and RedHat 6 and up. If this is not the case for you, then you can overwrite the default sudoers file with your own using the sudoers_file parameter of the sudo class. And add the line:

#include /etc/sudoers.d

Parameters for class sudo

sudoers

Hash of sudoers entries, which will be created via sudo::sudoers.

manage_sudoersd

Boolean - should puppet clean /etc/sudoers.d/ of untracked files?

sudoers_file

Override the /etc/sudoers file with the file specified by this parameter.

Parameters for type sudo::sudoers

ensure

Controls the existence of the sudoers entry. Set this attribute to present to ensure the sudoers entry exists. Set it to absent to delete any computer records with this name Valid values are present, absent.

users

Array of users that are allowed to execute the command(s).

group

Group that is allowed to execute the command(s). Cannot be combined with 'users'.

hosts

Array of hosts that the command(s) can be executed on. Denying hosts using a bang/exclamation point may also be used.

cmnds

List of commands that the user can run.

runas

The user that the command may be run as.

cmnds

The commands which the user is allowed to run.

tags

A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.

defaults

Override some of the compiled in default values for sudo.

Example

A sudoers entry can be defined within a class or node definition:

sudo::sudoers { 'worlddomination':
  ensure   => 'present',
  comment  => 'World domination.',
  users    => ['pinky', 'brain'],
  hosts    => ['foo.lab', 'bar.lab'],
  runas    => ['root'],
  cmnds    => ['ALL'],
  tags     => ['NOPASSWD'],
  defaults => [ 'env_keep += "SSH_AUTH_SOCK"' ]
}

or via an ENC:

---
  classes:
    sudo:
      sudoers:
        worlddomination:
          ensure: present
          comment: "World Domination."
          users:
            - pinky
            - brain
          hosts:
            - foo.lab
            - bar.lab
          runas:
            - root
          cmnds:
            - ALL
          tags:
            - NOPASSWD
          defaults:
            - 'env_keep += "SSH_AUTH_SOCK"'

Run syntax, lint and unit tests

bundle exec rake test

Run beaker acceptance tests

bundle exec rspec spec/acceptance/

Contributors

Thanks to all contributors.