Puppet module to manage beuser sudo wrapper
This module is for Ericsson internal use. It installs the ''beuser'' wrapper for sudo used by Service Desk. ''beuser'' is an alternative for su, which allows changing active uid. The restriction is that you can only ''su'' to users with a uid > 100. The idea is to allow Service Desk work-force to ''su'' towards others user-ids they are supporting. However, they are not supposed to get administrative access on the systems themselves.
Note, that when you allow ''beuser'' to be executed by non-admins, whether by sudo (preferred) or setuid, you must make sure that the admins on the system have no sudo entries which allow command invocation without password. Otherwise users can use ''beuser'' to aquire an account of an admin and then use the unrestricted commands for them.
The module needs to package beuser (or what it's configured to) available on a installation source.
Ensure package installation
- Default: 'present'
Name of package to be installed
- Default: 'beuser'
Path to adminfile used on Solaris
- Default: undef
Name of package provider
- Default: undef (OS default)
Source of package file. Used with provider 'sun'
- Default: undef
Any platform with a beuser package
For Solaris it is recommended to use the osfamily fact in hiera.yaml and have Solaris.yaml include:
--- beuser::source: '/net/nfsserv1/beuser-1.0.pkg' beuser::adminfile: '/net/nfsserv1/beuser-adminfile'