diff --git a/manifests/allow.pp b/manifests/allow.pp index 932d47d..25900a6 100644 --- a/manifests/allow.pp +++ b/manifests/allow.pp @@ -42,10 +42,10 @@ # } # class sudo::allow ( - Array $add_users = [], - Array $add_groups = [], - Optional[Array] $replace_users = undef, - Optional[Array] $replace_groups = undef + Array[String[1]] $add_users = [], + Array[String[1]] $add_groups = [], + Optional[Array[String[1]]] $replace_users = undef, + Optional[Array[String[1]]] $replace_groups = undef ) { if $replace_users != undef { $users = $replace_users @@ -59,6 +59,6 @@ } sudo::conf { 'sudo_users_groups': - content => template("${module_name}/users_groups.erb"), + content => epp("${module_name}/users_groups.epp", { users => $users, groups => $groups }), } } diff --git a/manifests/init.pp b/manifests/init.pp index ec7dfd3..4504cae 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -135,7 +135,7 @@ String[1] $config_file_mode = $sudo::params::config_file_mode, String[1] $config_dir = $sudo::params::config_dir, String[1] $config_dir_mode = $sudo::params::config_dir_mode, - Optional[Array[String[1]]] $extra_include_dirs = undef, + Array[String[1]] $extra_include_dirs = [], Optional[String[1]] $content = undef, Optional[String[1]] $content_template = undef, Optional[String[1]] $content_string = undef, @@ -206,7 +206,15 @@ } elsif $content_template { $content_real = template($content_template) } else { - $content_real = template($sudo::params::content_template) + $content_real = epp($sudo::params::content_template, { + config_dir => $config_dir, + defaults => $defaults, + extra_include_dirs => $extra_include_dirs, + sudoreplay_discard => $sudoreplay_discard, + use_sudoreplay => $use_sudoreplay, + wheel_config => $wheel_config, + secure_path => $secure_path, + }) } } diff --git a/manifests/params.pp b/manifests/params.pp index b20ef6b..ba9cecb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
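Review bot: The new `Array[String[1]]` types on the four sudo::allow parameters still accept strings that contain whitespace or newlines, and those values are rendered straight into the sudoers fragment produced by users_groups.epp (the template itself is not part of this diff), where an embedded newline would become an extra sudoers line the caller never wrote. Since the point of the change is stricter typing, a no-whitespace pattern closes that gap at no cost to real user and group names, e.g. `Array[Pattern[/\A\S+\z/]] $add_users = [],` (constructed; narrow it further to whatever name syntax the module intends to support). Whether sudo::conf validates the result with visudo is not visible here, and a syntactically valid injected entry would pass such a check anyway. The class body continues past the hunk.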
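Review bot: The new epp() call in the `else` branch passes `secure_path` to whichever template params.pp selected, but the parameter tags added for sudoers.aix.epp, sudoers.archlinux.epp, sudoers.darwin.epp, sudoers.gentoo.epp, sudoers.omnios.epp and sudoers.openbsd.epp do not declare `$secure_path`; as far as I recall epp() raises an error for a template argument the parameter tag does not declare, which would make the default-template path fail on exactly those platforms (their params.pp entries set `$secure_path = undef`, so the value itself is not the problem). The cheapest fix is to add `$secure_path = undef,` to each of those parameter tags so the argument is accepted and simply unused; alternatively build the argument hash from the keys the selected template declares. The `if`/`elsif` chain this `else` belongs to starts before the hunk, so I cannot see whether the `$content_template` branch needs the same treatment.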
@@ -11,11 +11,11 @@ 'Debian': { case $facts['os']['name'] { 'Ubuntu': { - $content_template = "${content_base}sudoers.ubuntu.erb" + $content_template = "${content_base}sudoers.ubuntu.epp" $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/snap/bin' } default: { - $content_template = "${content_base}sudoers.debian.erb" + $content_template = "${content_base}sudoers.debian.epp" $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin' } } @@ -45,7 +45,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.rhel.erb" + $content_template = "${content_base}sudoers.rhel.epp" case [$facts['os']['name'], $facts['os']['release']['major']] { ['Amazon', '2023']: { @@ -72,7 +72,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.suse.erb" + $content_template = "${content_base}sudoers.suse.epp" $secure_path = '/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin' $config_file_group = 'root' $config_dir_keepme = false @@ -90,7 +90,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.omnios.erb" + $content_template = "${content_base}sudoers.omnios.epp" $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false @@ -105,7 +105,7 @@ $package_admin_file = undef $config_file = '/opt/local/etc/sudoers' $config_dir = '/opt/local/etc/sudoers.d' - $content_template = "${content_base}sudoers.smartos.erb" + $content_template = "${content_base}sudoers.smartos.epp" $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false 
@@ -122,7 +122,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.solaris.erb" + $content_template = "${content_base}sudoers.solaris.epp" $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false @@ -137,7 +137,7 @@ $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.solaris.erb" + $content_template = "${content_base}sudoers.solaris.epp" $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false @@ -162,7 +162,7 @@ $package_admin_file = undef $config_file = '/usr/local/etc/sudoers' $config_dir = '/usr/local/etc/sudoers.d' - $content_template = "${content_base}sudoers.freebsd.erb" + $content_template = "${content_base}sudoers.freebsd.epp" $secure_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin' $config_file_group = 'wheel' $config_dir_keepme = true @@ -178,7 +178,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.openbsd.erb" + $content_template = "${content_base}sudoers.openbsd.epp" $config_file_group = 'wheel' $config_dir_keepme = false $package_provider = undef @@ -193,7 +193,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.aix.erb" + $content_template = "${content_base}sudoers.aix.epp" $secure_path = undef $config_file_group = 'system' $config_dir_keepme = false @@ -209,7 +209,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.darwin.erb" + $content_template = "${content_base}sudoers.darwin.epp" $secure_path = undef $config_file_group = 'wheel' $config_dir_keepme = false 
@@ -229,7 +229,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.gentoo.erb" + $content_template = "${content_base}sudoers.gentoo.epp" $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false @@ -245,7 +245,7 @@ $package_admin_file = undef $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' - $content_template = "${content_base}sudoers.archlinux.erb" + $content_template = "${content_base}sudoers.archlinux.epp" $secure_path = undef $config_file_group = 'root' $config_dir_keepme = false diff --git a/templates/sudoers.aix.epp b/templates/sudoers.aix.epp new file mode 100644 index 0000000..77b8b8b --- /dev/null +++ b/templates/sudoers.aix.epp 
@@ -0,0 +1,116 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. 
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!/sbin/reboot !log_output + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL + +## Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files +## (the '#' here does not indicate a comment) +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.archlinux.epp b/templates/sudoers.archlinux.epp new file mode 100644 index 0000000..3ab17f0 --- /dev/null +++ b/templates/sudoers.archlinux.epp 
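Review bot: The parameter tag at the top of sudoers.aix.epp declares all six template parameters untyped, so a wrong value (a string where `$extra_include_dirs.each` expects an array, for instance) only surfaces as an evaluation error inside the template instead of at the call site; the same applies to the tags in sudoers.archlinux.epp, sudoers.darwin.epp, sudoers.debian.epp, sudoers.freebsd.epp, sudoers.gentoo.epp, sudoers.omnios.epp and sudoers.openbsd.epp in this diff. Types that mirror what the template does with each value document the contract without changing output, e.g. `Array[String[1]] $extra_include_dirs,` (matching the init.pp declaration in this diff) and `String[1] $config_dir,`; for `$defaults`, `$sudoreplay_discard`, `$use_sudoreplay` and `$wheel_config` the types should be copied from their init.pp declarations, which are outside this diff. A one-line header comment naming the sudo::params entry that selects each template would also help, since the files are otherwise near-duplicates.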
@@ -0,0 +1,115 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. 
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!/sbin/reboot !log_output + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL + +## Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files +## (the '#' here does not indicate a comment) +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.darwin.epp b/templates/sudoers.darwin.epp new file mode 100644 index 0000000..0874dc1 --- /dev/null +++ b/templates/sudoers.darwin.epp 
@@ -0,0 +1,72 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +# sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# Failure to use 'visudo' may result in syntax or file permission errors +# that prevent sudo from running. +# +# See the sudoers man page for the details on how to write a sudoers file. +# + +# Host alias specification + +# User alias specification + +# Cmnd alias specification + +# Defaults specification +Defaults env_keep += "BLOCKSIZE" +Defaults env_keep += "COLORFGBG COLORTERM" +Defaults env_keep += "__CF_USER_TEXT_ENCODING" +Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" +Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" +Defaults env_keep += "LINES COLUMNS" +Defaults env_keep += "LSCOLORS" +Defaults env_keep += "SSH_AUTH_SOCK" +Defaults env_keep += "TZ" +Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" +Defaults env_keep += "EDITOR VISUAL" +Defaults env_keep += "HOME MAIL" + + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +# Runas alias specification + +# User privilege specification +root ALL=(ALL) ALL +%admin ALL=(ALL) ALL + +# Uncomment to allow people in group wheel to run all commands +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL + +# Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +# Samples +# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom +# %users localhost=/sbin/shutdown -h now +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) 
-%> diff --git a/templates/sudoers.debian.epp b/templates/sudoers.debian.epp new file mode 100644 index 0000000..3f8ddfc --- /dev/null +++ b/templates/sudoers.debian.epp @@ -0,0 +1,38 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $secure_path, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +Defaults secure_path="<%= $secure_path %>" + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + + + +# User privilege specification +root ALL=(ALL:ALL) ALL + +# Allow members of group sudo to execute any command +%sudo ALL=(ALL:ALL) ALL + +# See sudoers(5) for more information on "#include" directives: + +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.freebsd.epp b/templates/sudoers.freebsd.epp new file mode 100644 index 0000000..3e9835b --- /dev/null +++ b/templates/sudoers.freebsd.epp 
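Review bot: `Defaults secure_path="<%= $secure_path %>"` in sudoers.debian.epp is emitted unconditionally, so if a caller overrides secure_path with undef or an empty string (its declaration in init.pp is outside this diff, and params.pp sets undef for several other platforms) the rendered file carries `secure_path=""`, which would either fail sudoers parsing or pin PATH to an empty string for every sudo-run command, neither of which the Debian default intends. Guarding the directive keeps the current output for the configured value: `<% if $secure_path { -%>` / `Defaults secure_path="<%= $secure_path %>"` / `<% } -%>`. sudoers.rhel.epp also declares `$secure_path` and its use of it is cut off at the end of this page, so it may need the same guard.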
@@ -0,0 +1,132 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $secure_path, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## Uncomment if needed to preserve environmental variables related to the +## FreeBSD pkg utility and fetch. +# Defaults env_keep += "PKG_CACHEDIR PKG_DBDIR FTP_PASSIVE_MODE" +## +## Additionally uncomment if needed to preserve environmental variables +## related to portupgrade +# Defaults env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF" +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! 
+# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +# Defaults secure_path="<%= $secure_path %>" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/local/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL + +## Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). 
+# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files +## (the '#' here does not indicate a comment) +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.gentoo.epp b/templates/sudoers.gentoo.epp new file mode 100644 index 0000000..9d7c904 --- /dev/null +++ b/templates/sudoers.gentoo.epp 
@@ -0,0 +1,117 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. 
Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL + +## Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files +## (the '#' here does not indicate a comment) +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.omnios.epp b/templates/sudoers.omnios.epp new file mode 100644 index 0000000..957cbe3 --- /dev/null +++ b/templates/sudoers.omnios.epp 
@@ -0,0 +1,116 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. 
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!/sbin/reboot !log_output + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL +## Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files +## (the '#' here does not indicate a comment) +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.openbsd.epp b/templates/sudoers.openbsd.epp new file mode 100644 index 0000000..949bc90 --- /dev/null +++ b/templates/sudoers.openbsd.epp 
@@ -0,0 +1,78 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +# sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# Failure to use 'visudo' may result in syntax or file permission errors +# that prevent sudo from running. +# +# See the sudoers man page for the details on how to write a sudoers file. +# + +# Host alias specification + +# User alias specification + +# Cmnd alias specification + +# Defaults specification +Defaults env_keep +="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK" + +# Non-exhaustive list of variables needed to build release(8) and ports(7) +Defaults:%wsrc env_keep +="DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF" +Defaults:%wsrc env_keep +="MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR" +Defaults:%wsrc env_keep +="PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY" +Defaults:%wsrc env_keep +="SUBPACKAGE WRKOBJDIR SUDO_PORT_V1" + +# Uncomment to preserve the default proxy host variable +#Defaults env_keep +="ftp_proxy http_proxy" + +# Uncomment to disable the lecture the first time you run sudo +#Defaults !lecture + +# Uncomment to preserve the environment for users in group wheel +#Defaults:%wheel !env_reset + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +# Runas alias specification + +# User privilege specification +root ALL=(ALL) SETENV: ALL + +# Uncomment to allow people in group wheel to run all commands +# and set environment variables. 
+<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) SETENV: ALL + +# Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: SETENV: ALL + +# Samples +# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom +# %users localhost=/sbin/shutdown -h now + +# Read drop-in files +# the # does not mark the line as a comment +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.rhel.epp b/templates/sudoers.rhel.epp new file mode 100644 index 0000000..4b2a292 --- /dev/null +++ b/templates/sudoers.rhel.epp 
@@ -0,0 +1,146 @@
+<%- |
+ $config_dir,
+ $defaults,
+ $extra_include_dirs,
+ $secure_path,
+ $sudoreplay_discard,
+ $use_sudoreplay,
+ $wheel_config,
+| -%>
+# file managed by puppet (unless config_file_replace=false)
+#
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+Defaults match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults always_query_group_plugin + +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = <%= $secure_path %> + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. 
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+<%- if $wheel_config != 'password' { %># <% } -%>
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+<%- if $wheel_config != 'nopassword' { %># <% } -%>
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir <%= $config_dir %>
+<% $extra_include_dirs.each |$include_dir| { -%>
+#includedir <%= $include_dir %>
+<% } -%>
+<%= sudo::defaults($defaults) -%>
diff --git a/templates/sudoers.smartos.epp b/templates/sudoers.smartos.epp
new file mode 100644
index 0000000..5ac4f06
--- /dev/null
+++ b/templates/sudoers.smartos.epp
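Review bot: `Defaults secure_path = <%= $secure_path %>` renders the value unquoted and `$secure_path` is declared without a type, so an undef or empty value from params.pp would render as `Defaults secure_path = ` and the managed sudoers would most likely fail to parse on the host rather than at compile time. I'd declare it as `String[1] $secure_path,` in the parameter tag so a missing value is caught by the compiler, and for consistency with the suse and ubuntu templates in this same change quote it: `Defaults secure_path = "<%= $secure_path %>"`. The other sudoers templates leave all their parameters untyped too, whereas users_groups.epp types its parameters; the same tightening (`Boolean $use_sudoreplay`, `Array[String[1]] $extra_include_dirs`) would apply there.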
@@ -0,0 +1,109 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. 
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!/sbin/reboot !log_output
+
+<% if $use_sudoreplay { %>
+Defaults log_output
+Defaults!/usr/bin/sudoreplay !log_output
+<% if $sudoreplay_discard { %>
+<% $sudoreplay_discard.each |$command| { -%>
+Defaults!<%= $command %> !log_output
+<% } -%>
+<% } -%>
+<% } -%>
+
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+<%- if $wheel_config != 'password' { %># <% } -%>
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+<%- if $wheel_config != 'nopassword' { %># <% } -%>
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw # Ask for the password of the target user
+# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files
+## (the '#' here does not indicate a comment)
+#includedir <%= $config_dir %>
+<% $extra_include_dirs.each |$include_dir| { -%>
+#includedir <%= $include_dir %>
+<% } -%>
+<%= sudo::defaults($defaults) -%>
diff --git a/templates/sudoers.solaris.epp b/templates/sudoers.solaris.epp
new file mode 100644
index 0000000..45186dc
--- /dev/null
+++ b/templates/sudoers.solaris.epp
@@ -0,0 +1,115 @@ +<%- | + $config_dir, + $defaults, + $extra_include_dirs, + $sudoreplay_discard, + $use_sudoreplay, + $wheel_config, +| -%> +# file managed by puppet (unless config_file_replace=false) +# +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. 
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!/sbin/reboot !log_output + +<% if $use_sudoreplay { %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if $sudoreplay_discard { %> +<% $sudoreplay_discard.each |$command| { -%> +Defaults!<%= $command %> !log_output +<% } -%> +<% } -%> +<% } -%> + +## Runas alias specification +## + +## +## User privilege specification +## +#root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +<%- if $wheel_config != 'password' { %># <% } -%> +%wheel ALL=(ALL) ALL + +## Same thing without a password +<%- if $wheel_config != 'nopassword' { %># <% } -%> +%wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files +## (the '#' here does not indicate a comment) +#includedir <%= $config_dir %> +<% $extra_include_dirs.each |$include_dir| { -%> +#includedir <%= $include_dir %> +<% } -%> +<%= sudo::defaults($defaults) -%> diff --git a/templates/sudoers.suse.epp b/templates/sudoers.suse.epp new file mode 100644 index 0000000..dcb9a66 --- /dev/null +++ b/templates/sudoers.suse.epp 
@@ -0,0 +1,110 @@
+<%- |
+ $config_dir,
+ $defaults,
+ $extra_include_dirs,
+ $secure_path,
+ $sudoreplay_discard,
+ $use_sudoreplay,
+ $wheel_config,
+| -%>
+# file managed by puppet (unless config_file_replace=false)
+#
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users. These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands. Often used to group related commands together.
+# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# /usr/bin/pkill, /usr/bin/top
+
+##
+## Defaults specification
+##
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+## Path that will be used for every command run from sudo
+Defaults secure_path="<%= $secure_path %>"
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods.
This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/sbin/reboot !log_output
+
+<% if $use_sudoreplay { %>
+Defaults log_output
+Defaults!/usr/bin/sudoreplay !log_output
+<% if $sudoreplay_discard { %>
+<% $sudoreplay_discard.each |$command| { -%>
+Defaults!<%= $command %> !log_output
+<% } -%>
+<% } -%>
+<% } -%>
+
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+#Defaults targetpw # ask for the password of the target user i.e. root
+#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+<%- if $wheel_config != 'password' { %># <% } -%>
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+<%- if $wheel_config != 'nopassword' { %># <% } -%>
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Read drop-in files
+## (the '#' here does not indicate a comment)
+#includedir <%= $config_dir %>
+<% $extra_include_dirs.each |$include_dir| { -%>
+#includedir <%= $include_dir %>
+<% } -%>
+<%= sudo::defaults($defaults) -%>
diff --git a/templates/sudoers.ubuntu.epp b/templates/sudoers.ubuntu.epp
new file mode 100644
index 0000000..ab6db86
--- /dev/null
+++ b/templates/sudoers.ubuntu.epp
@@ -0,0 +1,52 @@
+<%- |
+ $config_dir,
+ $defaults,
+ $extra_include_dirs,
+ $secure_path,
+ $sudoreplay_discard,
+ $use_sudoreplay,
+ $wheel_config,
+| -%>
+# file managed by puppet (unless config_file_replace=false)
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults secure_path="<%= $secure_path %>"
+
+<% if $use_sudoreplay { %>
+Defaults log_output
+Defaults!/usr/bin/sudoreplay !log_output
+<% if $sudoreplay_discard { %>
+<% $sudoreplay_discard.each |$command| { -%>
+Defaults!<%= $command %> !log_output
+<% } -%>
+<% } -%>
+<% } -%>
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir <%= $config_dir %>
+<% $extra_include_dirs.each |$include_dir| { -%>
+#includedir <%= $include_dir %>
+<% } -%>
+<%= sudo::defaults($defaults) -%>
diff --git a/templates/users_groups.epp b/templates/users_groups.epp
new file mode 100644
index 0000000..f2bc3f9
--- /dev/null
+++ b/templates/users_groups.epp
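Review bot: `$wheel_config` is declared in the parameter tag but never referenced in the body, which grants through `%admin` and `%sudo` rather than `%wheel`; a reader will assume the `wheel_config` handling was lost in the ERB-to-EPP port. Presumably it is accepted only so the caller's shared parameter hash is valid for every template, and that deserves a comment next to the tag: `<%# $wheel_config is accepted but unused: Ubuntu grants via %admin/%sudo, not %wheel -%>`. The same reasoning applies to any template that declares a parameter it does not use.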
@@ -0,0 +1,13 @@
+<%- |
+ Array[String[1]] $groups,
+ Array[String[1]] $users,
+| -%>
+# This file is managed by Puppet. All changes will be reverted
+# on the next Puppet run. Avoid making changes here.
+<%# We can prevent excess newlines by using a special "-%" closing tag -%>
+<% $users.each |$user| { -%>
+<%= $user %> ALL=(ALL) ALL
+<% } -%>
+<% $groups.each |$group| { -%>
+%<%= $group %> ALL=(ALL) ALL
+<% } -%>
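Review bot: `<%= $user %> ALL=(ALL) ALL` and `%<%= $group %> ALL=(ALL) ALL` write each name verbatim into a rule, and `Array[String[1]]` still admits whitespace and newlines, so a malformed value from Hiera would render as a different sudoers rule or as extra lines rather than failing. Tightening the tag to a pattern that excludes whitespace, `Array[Pattern[/\A\S+\z/]] $users,` and likewise for `$groups`, turns a bad name into a compile-time error instead of a change to the host's sudoers. The `%` prefix on the group line is worth a one-line comment as well, `<%# leading % marks a Unix group in sudoers -%>`, since it is easy to misread as template syntax.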