Classes:

- `sudo`: Constructs a sudoers file based on configured aliases, defaults, and user specifications.

Defined types:

- `sudo::alias`: Adds an alias to /etc/sudoers. See the 'Aliases' section of sudoers(5) for information about aliases.
- `sudo::alias::cmnd`: Convenience definition for adding a cmnd alias.
- `sudo::alias::host`: Convenience definition for adding a host alias.
- `sudo::alias::runas`: Convenience definition for adding a runas alias.
- `sudo::alias::user`: Convenience definition for adding a user alias.
- `sudo::default_entry`: Adds an entry to the defaults section of /etc/sudoers in order to override runtime defaults. See the 'Defaults' section of sudoers(5) for more information.
- `sudo::include_dir`: Add include directories to /etc/sudoers.
- `sudo::user_specification`: Add a user_spec entry to /etc/sudoers in order to determine which commands a user may run as the given user on the given host. See the 'User Specification' section of sudoers(5) for more information.

Functions:

- `sudo::update_runas_list`: This function is used to help mitigate CVE-2019-14287 for sudo versions prior to 1.8.28. It will disallow a userid/groupid of -1 if ALL or %ALL is used.

Data types:

- `Sudo::AliasType`: Matches the list of configuration items for which aliases can be set in the sudoers file.
- `Sudo::DefType`: Matches the list of configuration items for which defaults can be set in the sudoers file.
Constructs a sudoers file based on configured aliases, defaults, and user specifications.
The following parameters are available in the `sudo` class:
Data type: Hash

Example (Hiera):

```yaml
sudo::user_specifications:
  simp_su:
    user_list: ['simp']
    cmnd: ['/bin/su']
  users_yum_update:
    user_list:
      - '%users'
    cmnd:
      - 'yum update'
  test_resource:
    user_list: ['%group']
    cmnd: ['w']
    runas: root
    passwd: true
```

Default value: {}
Data type: Array[Stdlib::Absolutepath]
An array of paths to include in the sudoers file.
Default value: []
Data type: String
The ensure status of packages to be managed
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
Data type: Hash
Default value: {}
Data type: Hash
Default value: {}
Adds an alias to /etc/sudoers. See the 'Aliases' section of sudoers(5) for information about aliases.

Use the alias definition:

```puppet
sudo::alias { 'user_alias':
  content    => [ 'millert', 'mikef', 'dowdy' ],
  alias_type => 'user'
}
```

The resulting sudoers entry has the form:

```
User_Alias FULLTIMERS = millert, mikef, dowdy
```
The following parameters are available in the `sudo::alias` defined type:
Data type: Array[String[1]]
The array of items that will be the content of this alias. For example: 'administrators', 'wheel'
Data type: Sudo::AliasType
The type of alias to create. One of 'user', 'runas', 'host' or 'cmnd'
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 10
Convenience definition for adding a cmnd alias.
The following parameters are available in the `sudo::alias::cmnd` defined type:
Data type: Array[String[1]]
A comma-separated list of commands that will comprise this alias. For example: ['/usr/sbin/shutdown', '/usr/sbin/reboot']
Data type: Optional[String[1]]
Textual comment for this entry.
Default value: undef
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 10
Convenience definition for adding a host alias.
The following parameters are available in the `sudo::alias::host` defined type:
Data type: Array[String[1]]
A comma-separated list of hostnames or IP addresses that will comprise the alias. For example: ['1.2.3.4', '5.6.7.8'] or ['mail', 'www']
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 12
Convenience definition for adding a runas alias.
The following parameters are available in the `sudo::alias::runas` defined type:
Data type: Array[String[1]]
A comma-separated list of users that will comprise this alias. For example: ['millert', 'mikef']
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 14
Convenience definition for adding a user alias.
The following parameters are available in the `sudo::alias::user` defined type:
Data type: Array[String[1]]
A comma-separated list of users that will comprise this alias. For example: ['millert', 'mikef']
Data type: Optional[String[1]]
Textual comment for this entry
Default value: undef
Data type: Integer
If desired, force the order of this entry relative to other entries. Usually not required.
Default value: 16
Adds an entry to the defaults section of /etc/sudoers in order to override runtime defaults. See the 'Defaults' section of sudoers(5) for more information.
For example, to produce the sudoers entry:

```
Defaults requiretty, syslog=authpriv, !root_sudo, !umask, env_reset, env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
    _XKB_CHARSET XAUTHORITY"
```

use the default_entry definition:

```puppet
sudo::default_entry { '00_main':
  content => [ 'requiretty',
               'syslog=authpriv',
               '!root_sudo',
               '!umask',
               'env_reset',
               'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                   LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                   LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                   LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                   LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                   _XKB_CHARSET XAUTHORITY"' ]
}
```
The following parameters are available in the `sudo::default_entry` defined type:
Data type: Array[String[1]]
The content of this entry.
Data type: Optional[String[1]]
The user, host, etc. that is the target of the content. Leave as undef to not specify a target.
Default value: undef
Data type: Sudo::DefType
May be one of:
- base => Global
- cmnd => Cmnd Entry
- host => Host Entry
- user => User Entry
- runas => Runas Entry
Default value: 'base'
Add include directories to /etc/sudoers
The following parameters are available in the `sudo::include_dir` defined type:
Data type: Stdlib::Absolutepath
The directory to include in /etc/sudoers.
Data type: Boolean
Default value: false
Add a user_spec entry to /etc/sudoers in order to determine which commands a user may run as the given user on the given host. See the 'User Specification' section of sudoers(5) for more information. Note that the 'Tag_Spec' entries have been explicitly noted below.
For example, to produce the sudoers entry:

`simp, %simp_group user2-dev1=(root) PASSWD:EXEC:SETENV: /bin/su root, /bin/su - root`

use the user_specification definition:

```puppet
sudo::user_specification { 'default_simp':
  user_list => [ 'simp', '%simp_group' ],
  runas     => 'root',
  cmnd      => [ '/bin/su root', '/bin/su - root' ]
}
```
The following parameters are available in the `sudo::user_specification` defined type:
Data type: Array[String[1]]
Array of users or groups that should be able to execute a command. Groups must be preceded by %.
Data type: Array[String[1]]
An array of the commands you want the listed users or groups to be able to run.
Data type: Array[Simplib::Hostname,1]
Array of hosts where the specified users should be able to execute a command.
Default value: [$facts['networking']['hostname'], $facts['networking']['fqdn']]
Data type: Variant[String[1],Array[String[1]]]
Can be an array of users that you need to be able to run the commands as. It will probably just be one user in most cases.
Default value: ['root']
Data type: Boolean
Set PASSWD in /etc/sudoers
Default value: true
Data type: Boolean
Set EXEC in /etc/sudoers
Default value: true
Data type: Boolean
Set SETENV in /etc/sudoers
Default value: true
Data type: Hash
Set additional options (such as SELinux role or type, date restrictions, or timeout)
Default value: {}
Type: Ruby 4.x API

This function is used to help mitigate CVE-2019-14287 for sudo versions prior to 1.8.28. It will disallow a userid/groupid of -1 if ALL or %ALL is used.

Note: Added even if !root is not present because it will skip over some auditing if #-1 is used.

The function has two signatures, differing only in the type of the argument.

Signature 1 (array argument)

Data type: Array[String]

An array of users/groups to add to a Runas_list in sudo.

Returns: Array[String]

An Array of users to add to a Runas_list in sudo that appends "not -1" if 'ALL' or '%ALL' are used, to avoid giving unintentional root access or skipping auditing.

Signature 2 (string argument)

Data type: String

A string of one user/group id to add to the Runas_list.

Returns: Array[String]

An Array of users to add to a Runas_list in sudo that appends "not -1" if 'ALL' or '%ALL' are used, to avoid giving unintentional root access or skipping auditing.
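As an added illustration (not the simp/sudo module's own Ruby), the following renders a sudoers user specification from the `sudo::user_specification` parameters documented above and applies the Runas_List hardening that `sudo::update_runas_list` describes. It assumes the negated entries are written as `!#-1` for the uid and `!%#-1` for the gid (sudoers(5) syntax for numeric ids); the function and parameter names are the example's own.

```ruby
# Added illustration, not the simp/sudo module's implementation.

# Follow the sudo::update_runas_list description: after every ALL / %ALL in a
# Runas_List, append a negated entry for uid/gid -1 so a request for that id
# cannot match the wildcard. In sudoers(5), '#uid' names a numeric user id and
# '%#gid' a numeric group id; '!' negates. Accepts a String or Array[String].
def update_runas_list(runas)
  list = Array(runas)
  out = []
  list.each do |id|
    out << id
    out << '!#-1'  if id == 'ALL'  && !list.include?('!#-1')
    out << '!%#-1' if id == '%ALL' && !list.include?('!%#-1')
  end
  out
end

# Map the passwd/exec/setenv Boolean parameters to the Tag_Spec keywords that
# sudo::user_specification sets in /etc/sudoers.
def tag_spec(passwd: true, exec: true, setenv: true)
  [passwd ? 'PASSWD' : 'NOPASSWD',
   exec   ? 'EXEC'   : 'NOEXEC',
   setenv ? 'SETENV' : 'NOSETENV'].join(':') + ':'
end

# Render one User_Spec line: User_List Host_List=(Runas_List) Tag_Spec Cmnd_List.
# Defaults mirror the documented ones (runas ['root'], all tags true); host_list
# is required here because the documented default comes from Puppet facts.
def user_spec_line(user_list:, cmnd:, host_list:, runas: ['root'],
                   passwd: true, exec: true, setenv: true)
  "#{user_list.join(', ')} #{host_list.join(', ')}" \
    "=(#{update_runas_list(runas).join(', ')}) " \
    "#{tag_spec(passwd: passwd, exec: exec, setenv: setenv)} #{cmnd.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the page's 'default_simp' example, plus an ALL
  # runas entry to show the -1 exclusion being appended.
  puts user_spec_line(user_list: ['simp', '%simp_group'], host_list: ['user2-dev1'],
                      runas: 'root', cmnd: ['/bin/su root', '/bin/su - root'])
  puts user_spec_line(user_list: ['%wheel'], host_list: ['ALL'], runas: ['ALL'],
                      setenv: false, cmnd: ['/usr/bin/systemctl'])
end
```

The first call reproduces the `simp, %simp_group user2-dev1=(root) PASSWD:EXEC:SETENV: ...` line shown for `sudo::user_specification`; the second shows `(ALL, !#-1)` in the Runas_List.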
Matches the list of configuration items for which aliases can be set in the sudoers file.

Alias of Enum['user', 'runas', 'host', 'cmnd']

Matches the list of configuration items for which defaults can be set in the sudoers file.

Alias of Enum['base', 'cmnd', 'host', 'user', 'runas']