diff --git a/manifests/conf.pp b/manifests/conf.pp
index 9f3248e..54c4fa4 100644
--- a/manifests/conf.pp
+++ b/manifests/conf.pp
@@ -88,12 +88,6 @@
   # replace whitespace in file name
   $cur_file_real = regsubst($cur_file, '\s+', '_', 'G')
 
-  if $facts['os']['family'] == 'RedHat' {
-    if (versioncmp($facts['sudoversion'], '1.7.2p1') < 0) {
-      warning("Found sudo with version ${facts['sudoversion']}, but at least version 1.7.2p1 is required!")
-    }
-  }
-
   if $content != undef {
     if $content =~ Array {
       $lines = join($content, "\n")
diff --git a/manifests/params.pp b/manifests/params.pp
index 68950bf..b20ef6b 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -15,15 +15,8 @@
           $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/snap/bin'
         }
         default: {
-          if (versioncmp($facts['os']['release']['major'], '7') >= 0) or
-          ($facts['os']['release']['major'] =~ /\/sid/) or
-          ($facts['os']['release']['major'] =~ /Kali/) {
-            $content_template = "${content_base}sudoers.debian.erb"
-            $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin'
-          } else {
-            $content_template = "${content_base}sudoers.olddebian.erb"
-            $secure_path = undef
-          }
+          $content_template = "${content_base}sudoers.debian.erb"
+          $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin'
         }
       }
       $package = 'sudo'
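Review bot: Removing the `versioncmp($facts['sudoversion'], '1.7.2p1')` warning leaves conf.pp with no statement of the minimum sudo version the `#includedir` handling relies on; the enclosing definition starts and ends outside the hunk. If the module ships a custom `sudoversion` fact, this block was its only visible consumer, so that fact and its spec may now be dead code and are worth checking in the same change. I would either record the floor in metadata/README or keep a one-line comment near the top of the definition, e.g. `# sudo >= 1.7.2p1 is assumed (needed for #includedir); older releases are no longer supported`.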
@@ -47,49 +40,23 @@
       # in redhat sudo package is already compiled for ldap support
       $package_ldap = $package
 
-      # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support
-      # includedir, so we have to make sure sudo 1.7 (comes with rhel
-      # 5.5) is installed.
-      $package_ensure = $facts['os']['release']['full'] ? {
-        /^5.[01234]$/ => 'latest',
-        default => 'present',
-      }
+      $package_ensure = 'present'
       $package_source = undef
       $package_admin_file = undef
       $config_file = '/etc/sudoers'
       $config_dir = '/etc/sudoers.d'
-      case $facts['os']['release']['full'] {
-        /^5/: {
-          $content_template = "${content_base}sudoers.rhel5.erb"
-          $secure_path = undef
-          $wheel_config = 'absent'
-        }
-        /^6/: {
-          $content_template = "${content_base}sudoers.rhel6.erb"
-          $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
-          $wheel_config = 'absent'
-        }
-        /^7/: {
-          $content_template = "${content_base}sudoers.rhel7.erb"
-          $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin'
-          $wheel_config = 'password'
-        }
-        /^8/: {
-          $content_template = "${content_base}sudoers.rhel8.erb"
-          $secure_path = '/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin'
-          $wheel_config = 'password'
-        }
-        /^9/: {
-          $content_template = "${content_base}sudoers.rhel9.erb"
-          $secure_path = '/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin'
-          $wheel_config = 'password'
+      $content_template = "${content_base}sudoers.rhel.erb"
+
+      case [$facts['os']['name'], $facts['os']['release']['major']] {
+        ['Amazon', '2023']: {
+          $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/var/lib/snapd/snap/bin'
         }
         default: {
-          $content_template = "${content_base}sudoers.rhel9.erb"
-          $secure_path = '/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin'
-          $wheel_config = 'password'
+          $secure_path = '/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin'
         }
       }
+
+      $wheel_config = 'password'
       $config_file_group = 'root'
       $config_dir_keepme = false
       $package_provider = undef
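Review bot: `$wheel_config = 'password'` is now set unconditionally for the whole RedHat family, and together with the removal of the separate `'Amazon': {` branch in the later hunk at `@@ -290,34 +253,6 @@` (which set `$wheel_config = 'absent'`) this changes the default for Amazon Linux nodes: assuming `sudoers.rhel.erb` keeps the `<%- if @wheel_config != 'password' %># <% end -%>` guard the deleted RHEL templates show, the `%wheel ALL=(ALL) ALL` line becomes active where it was previously commented out. That is a widening of the default privilege grant and should be called out in the changelog/README rather than left implicit in a platform clean-up. The new `case [$facts['os']['name'], $facts['os']['release']['major']]` also special-cases only `['Amazon', '2023']`, so Amazon Linux 2 takes the `default:` secure_path, and if any supported Facter version reports `os.family` as 'Amazon' rather than 'RedHat' those nodes now reach the `fail("Unsupported platform ...")` branch instead of this one; the spec diff removes the RedHat 5.4 case but adds no coverage for either Amazon path or for the new wheel default. The enclosing `'RedHat': {` branch starts outside the hunk.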
@@ -204,11 +171,7 @@
       $defaults = {}
     }
     'OpenBSD': {
-      if (versioncmp($facts['kernelversion'], '5.8') < 0) {
-        $package = undef
-      } else {
-        $package = 'sudo'
-      }
+      $package = 'sudo'
       $package_ldap = undef
       $package_ensure = 'present'
       $package_source = undef
@@ -290,34 +253,6 @@
       $wheel_config = 'absent'
       $defaults = {}
     }
-    'Amazon': {
-      $package = 'sudo'
-      $package_ldap = $package
-      $package_ensure = 'present'
-      $package_source = undef
-      $package_admin_file = undef
-      $config_file = '/etc/sudoers'
-      $config_dir = '/etc/sudoers.d'
-      case $facts['os']['release']['full'] {
-        /^5/: {
-          $content_template = "${content_base}sudoers.rhel5.erb"
-          $secure_path = undef
-        }
-        /^6/: {
-          $content_template = "${content_base}sudoers.rhel6.erb"
-          $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
-        }
-        default: {
-          $content_template = "${content_base}sudoers.rhel6.erb"
-          $secure_path = '/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
-        }
-      }
-      $config_file_group = 'root'
-      $config_dir_keepme = false
-      $package_provider = undef
-      $wheel_config = 'absent'
-      $defaults = {}
-    }
     default: {
       fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}")
     }
diff --git a/spec/classes/sudo_spec.rb b/spec/classes/sudo_spec.rb
index ef7236f..585ac71 100644
--- a/spec/classes/sudo_spec.rb
+++ b/spec/classes/sudo_spec.rb
@@ -247,36 +247,6 @@
     end
   end
 
-  describe 'on RedHat 5.4' do
-    let :facts do
-      {
-        os: {
-          'family' => 'RedHat',
-          'name' => 'RedHat',
-          'release' => {
-            'full' => '5.4',
-            'major' => '5',
-          },
-        },
-        puppetversion: '3.7.0'
-      }
-    end
-
-    it do
-      if params == {}
-        is_expected.to contain_class('sudo::package').with(
-          'package' => 'sudo',
-          'package_ensure' => 'latest'
-        )
-      else
-        is_expected.to contain_class('sudo::package').with(
-          'package' => 'sudo',
-          'package_ensure' => param_hash[:package_ensure]
-        )
-      end
-    end
-  end
-
   describe 'on supported osfamily: AIX' do
     let :facts do
       {
diff --git a/templates/sudoers.olddebian.erb b/templates/sudoers.olddebian.erb
deleted file mode 100644
index 26cb02b..0000000
--- a/templates/sudoers.olddebian.erb
+++ /dev/null
@@ -1,109 +0,0 @@ -# file managed by puppet (unless config_file_replace=false) -# -## sudoers file. -## -## This file MUST be edited with the 'visudo' command as root. -## Failure to use 'visudo' may result in syntax or file permission errors -## that prevent sudo from running. -## -## See the sudoers man page for the details on how to write a sudoers file. -## - -## -## Host alias specification -## -## Groups of machines. These may include host names (optionally with wildcards), -## IP addresses, network numbers or netgroups. -# Host_Alias WEBSERVERS = www1, www2, www3 - -## -## User alias specification -## -## Groups of users. These may consist of user names, uids, Unix groups, -## or netgroups. -# User_Alias ADMINS = millert, dowdy, mikef - -## -## Cmnd alias specification -## -## Groups of commands. Often used to group related commands together. -# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ -# /usr/bin/pkill, /usr/bin/top - -## -## Defaults specification -## -## You may wish to keep some of the following environment variables -## when running commands via sudo. -## -## Locale settings -Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" -## -## Run X applications through sudo; HOME is used to find the -## .Xauthority file. Note that other programs use HOME to find -## configuration files and this may lead to privilege escalation! -# Defaults env_keep += "HOME" -## -## X11 resource path settings -Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" -## -## Desktop path settings -# Defaults env_keep += "QTDIR KDEDIR" -## -## Allow sudo-run commands to inherit the callers' ConsoleKit session -# Defaults env_keep += "XDG_SESSION_COOKIE" -## -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. 
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" -## -## Uncomment to enable logging of a command's output, except for -## sudoreplay and reboot. Use sudoreplay to play back logged sessions. -# Defaults log_output -# Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output -# Defaults!/sbin/reboot !log_output - -<% if @use_sudoreplay %> -Defaults log_output -Defaults!/usr/bin/sudoreplay !log_output -<% if @sudoreplay_discard %> -<% @sudoreplay_discard.each do |command| -%> -Defaults!<%= command %> !log_output -<% end -%> -<% end -%> -<% end -%> - - -## -## Runas alias specification -## - -## -## User privilege specification -## -root ALL=(ALL) ALL - -## Uncomment to allow members of group wheel to execute any command -<%- if @wheel_config != 'password' %># <% end -%> -%wheel ALL=(ALL) ALL - -## Same thing without a password -<%- if @wheel_config != 'nopassword' %># <% end -%> -%wheel ALL=(ALL) NOPASSWD: ALL - -## Uncomment to allow members of group sudo to execute any command -# %sudo ALL=(ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user -# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - -## Read drop-in files -## (the '#' here does not indicate a comment) -#includedir <%= @config_dir %> -<% @extra_include_dirs.each do |include_dir| -%> -#includedir <%= include_dir %> -<% end if @extra_include_dirs -%> -<%= scope.call_function('sudo::defaults', @defaults) -%> diff --git a/templates/sudoers.rhel8.erb b/templates/sudoers.rhel.erb similarity index 100% rename from templates/sudoers.rhel8.erb rename to templates/sudoers.rhel.erb diff --git a/templates/sudoers.rhel5.erb b/templates/sudoers.rhel5.erb deleted file mode 100644 index d7da2c6..0000000 --- a/templates/sudoers.rhel5.erb +++ /dev/null 
@@ -1,100 +0,0 @@ -# file managed by puppet (unless config_file_replace=false) -# -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhap using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -#Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -#Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig - -## Updating the locate database -#Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -#Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -#Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -#Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -#Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# Refuse to run if unable to disable echo on the tty. This setting should also be -# changed in order to be able to use sudo without a tty. See requiretty above. 
-# -Defaults !visiblepw - -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR \ - LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ - LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ - LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ - LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ - _XKB_CHARSET XAUTHORITY" - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -<%- if @wheel_config != 'password' %># <% end -%> -%wheel ALL=(ALL) ALL - -## Same thing without a password -<%- if @wheel_config != 'nopassword' %># <% end -%> -%wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now -#includedir <%= @config_dir %> -<% @extra_include_dirs.each do |include_dir| -%> -#includedir <%= include_dir %> -<% end if @extra_include_dirs -%> -<%= scope.call_function('sudo::defaults', @defaults) -%> diff --git a/templates/sudoers.rhel6.erb b/templates/sudoers.rhel6.erb deleted file mode 100644 index 6b31d04..0000000 --- a/templates/sudoers.rhel6.erb +++ /dev/null 
@@ -1,126 +0,0 @@ -# file managed by puppet (unless config_file_replace=false) -# -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# Refuse to run if unable to disable echo on the tty. This setting should also be -# changed in order to be able to use sudo without a tty. See requiretty above. 
-# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. -# - -Defaults always_set_home - -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -<% if @use_sudoreplay %> -Defaults log_output -Defaults!/usr/bin/sudoreplay !log_output -<% if @sudoreplay_discard %> -<% @sudoreplay_discard.each do |command| -%> -Defaults!<%= command %> !log_output -<% end -%> -<% end -%> -<% end -%> - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = <%= @secure_path %> - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. 
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -<%- if @wheel_config != 'password' %># <% end -%> -%wheel ALL=(ALL) ALL - -## Same thing without a password -<%- if @wheel_config != 'nopassword' %># <% end -%> -%wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files -#includedir <%= @config_dir %> -<% @extra_include_dirs.each do |include_dir| -%> -#includedir <%= include_dir %> -<% end if @extra_include_dirs -%> -<%= scope.call_function('sudo::defaults', @defaults) -%> diff --git a/templates/sudoers.rhel7.erb b/templates/sudoers.rhel7.erb deleted file mode 100644 index e5042ec..0000000 --- a/templates/sudoers.rhel7.erb +++ /dev/null 
@@ -1,137 +0,0 @@ -# file managed by puppet (unless config_file_replace=false) -# -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# Refuse to 
run if unable to disable echo on the tty. This setting should also be -# changed in order to be able to use sudo without a tty. See requiretty above. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the fo -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -<% if @use_sudoreplay %> -Defaults log_output -Defaults!/usr/bin/sudoreplay !log_output -<% if @sudoreplay_discard %> -<% @sudoreplay_discard.each do |command| -%> -Defaults!<%= command %> !log_output -<% end -%> -<% end -%> -<% end -%> - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = <%= @secure_path %> - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). 
-## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -<%- if @wheel_config != 'password' %># <% end -%> -%wheel ALL=(ALL) ALL - -## Same thing without a password -<%- if @wheel_config != 'nopassword' %># <% end -%> -%wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir <%= @config_dir %> -<% @extra_include_dirs.each do |include_dir| -%> -#includedir <%= include_dir %> -<% end if @extra_include_dirs -%> -<%= scope.call_function('sudo::defaults', @defaults) -%> diff --git a/templates/sudoers.rhel9.erb b/templates/sudoers.rhel9.erb deleted file mode 100644 index 266d936..0000000 --- a/templates/sudoers.rhel9.erb +++ /dev/null 
@@ -1,137 +0,0 @@ -# file managed by puppet (unless config_file_replace=false) -# -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse 
to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -<% if @use_sudoreplay %> -Defaults log_output -Defaults!/usr/bin/sudoreplay !log_output -<% if @sudoreplay_discard %> -<% @sudoreplay_discard.each do |command| -%> -Defaults!<%= command %> !log_output -<% end -%> -<% end -%> -<% end -%> - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = <%= @secure_path %> - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. 
-## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -<%- if @wheel_config != 'password' %># <% end -%> -%wheel ALL=(ALL) ALL - -## Same thing without a password -<%- if @wheel_config != 'nopassword' %># <% end -%> -%wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir <%= @config_dir %> -<% @extra_include_dirs.each do |include_dir| -%> -#includedir <%= include_dir %> -<% end if @extra_include_dirs -%> -<%= scope.call_function('sudo::defaults', @defaults) -%>