check one file for syntax and rm params fixes saz#223
Before that, all sudoers files were checked for
syntax, and when an application had
created a sudoers file with a permission/syntax
error, the file managed by puppet would be deleted.
But the file managed by puppet would not have a
syntax error.
This could also occur if an application creates
a file with permission 0400 instead of 0440, which
is demanded by visudo.
Removed delete_on_error: now puppet will not
create the file if it has a syntax error by
default. Before that, syntax/permission
errors in other files would also lead to
deletion or an error, which makes no sense.
Removed validate_single: Previously all
files were always validated no matter which
value validate_single had. This makes no
sense, so remove parameter.
Removed conf parameter sudo_syntax_path as
the exec that used it was removed. Validation
is now only via validate_cmd of the puppet
file resource.
tdlc authored and Ludwig Cornelius committed May 21, 2024
1 parent 913cb9c commit 4e1551e
Showing 3 changed files with 1 addition and 70 deletions.
32 changes: 0 additions & 32 deletions REFERENCE.md
Expand Up @@ -63,8 +63,6 @@ The following parameters are available in the `sudo` class:
* [`content_string`](#-sudo--content_string)
* [`secure_path`](#-sudo--secure_path)
* [`ldap_enable`](#-sudo--ldap_enable)
* [`delete_on_error`](#-sudo--delete_on_error)
* [`validate_single`](#-sudo--validate_single)
* [`config_dir_keepme`](#-sudo--config_dir_keepme)
* [`use_sudoreplay`](#-sudo--use_sudoreplay)
* [`wheel_config`](#-sudo--wheel_config)
Expand Down Expand Up @@ -263,27 +261,6 @@ Enable ldap support on the package

Default value: `false`

##### <a name="-sudo--delete_on_error"></a>`delete_on_error`

Data type: `Boolean`

True if you want that the configuration is deleted on an error
during a complete visudo -c run. If false it will just return
an error and will add a comment to the sudoers configuration so
that the resource will be checked at the following run.

Default value: `true`

##### <a name="-sudo--validate_single"></a>`validate_single`

Data type: `Boolean`

Do a validate on the "single" file in the sudoers.d directory.
If the validate fail the file will not be saved or changed
if a file already exist.

Default value: `false`

##### <a name="-sudo--config_dir_keepme"></a>`config_dir_keepme`

Data type: `Boolean`
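Review bot: with the `delete_on_error` and `validate_single` sections removed, REFERENCE.md no longer states anywhere that sudoers snippets are validated at all, even though validation is now unconditional. The new behaviour (every `sudo::conf` with `ensure => present` is checked with `visudo -c -f` and is not written when the check fails) should be documented, most naturally in the `sudo::conf` section of REFERENCE.md and the matching doc comment at the top of manifests/conf.pp, which REFERENCE.md mirrors.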
Expand Down Expand Up @@ -429,7 +406,6 @@ The following parameters are available in the `sudo::conf` defined type:
* [`template`](#-sudo--conf--template)
* [`sudo_config_dir`](#-sudo--conf--sudo_config_dir)
* [`sudo_file_name`](#-sudo--conf--sudo_file_name)
* [`sudo_syntax_path`](#-sudo--conf--sudo_syntax_path)

##### <a name="-sudo--conf--ensure"></a>`ensure`

Expand Down Expand Up @@ -489,11 +465,3 @@ Set a custom file name for the snippet

Default value: `undef`

##### <a name="-sudo--conf--sudo_syntax_path"></a>`sudo_syntax_path`

Data type: `Any`

Path to use for executing the sudo syntax check

Default value: `'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'`

26 changes: 1 addition & 25 deletions manifests/conf.pp
Expand Up @@ -26,9 +26,6 @@
# @param sudo_file_name
# Set a custom file name for the snippet
#
# @param sudo_syntax_path
# Path to use for executing the sudo syntax check
#
# @example
# sudo::conf { 'admins':
# source => 'puppet:///files/etc/sudoers.d/admins',
Expand All @@ -42,7 +39,6 @@
$template = undef,
$sudo_config_dir = undef,
$sudo_file_name = undef,
$sudo_syntax_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
) {
include sudo

Expand Down Expand Up @@ -108,22 +104,8 @@
}

if $ensure == 'present' {
if $sudo::validate_single {
$validate_cmd_real = 'visudo -c -f %'
} else {
$validate_cmd_real = undef
}
if $sudo::delete_on_error {
$notify_real = Exec["sudo-syntax-check for file ${cur_file}"]
$delete_cmd = "( rm -f '${cur_file_real}' && exit 1)"
} else {
$notify_real = Exec["sudo-syntax-check for file ${cur_file}"]
$errormsg = "Error on global-syntax-check with file ${cur_file_real}"
$delete_cmd = "( echo '${errormsg}' && echo '#${errormsg}' >>${cur_file_real} && exit 1)"
}
$validate_cmd_real = 'visudo -c -f %'
} else {
$delete_cmd = ''
$notify_real = undef
$validate_cmd_real = undef
}

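Review bot: the unconditional `$validate_cmd_real = 'visudo -c -f %'` checks each snippet in isolation, whereas the removed `visudo -c` exec checked the whole sudoers tree, so two things are worth confirming before merging. First, that `visudo -c -f` accepts Puppet's temporary file whatever that file's ownership and mode are, since the commit message itself says visudo demands 0440 and a rejected temp file means the snippet is never written. Second, that snippets which reference aliases or Defaults defined in /etc/sudoers or in another snippet still pass when parsed on their own; if they do not, every such `sudo::conf` stops being written and the run reports an error. A one-line comment above `$validate_cmd_real` noting that the check is now per file rather than global would help the next reader.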
Expand All @@ -135,14 +117,8 @@
mode => $sudo::params::config_file_mode,
source => $source,
content => $content_real,
notify => $notify_real,
require => File[$sudo_config_dir_real],
validate_cmd => $validate_cmd_real,
}

exec { "sudo-syntax-check for file ${cur_file}":
command => "visudo -c || ${delete_cmd}",
refreshonly => true,
path => $sudo_syntax_path,
}
}
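Review bot: `validate_cmd` now runs a bare `visudo`, which is resolved through the agent process's PATH, while the exec being removed here explicitly set `path => $sudo_syntax_path` for exactly that reason. An agent started as a service can run with a PATH that does not include /usr/sbin, in which case validation fails on every snippet and nothing is written. Consider using an absolute path (or a configurable one, as the old parameter provided) in the validate command, e.g. `validate_cmd => '/usr/sbin/visudo -c -f %'`, rather than dropping the configurability entirely.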
13 changes: 0 additions & 13 deletions manifests/init.pp
Expand Up @@ -83,17 +83,6 @@
# @param ldap_enable
# Enable ldap support on the package
#
# @param delete_on_error
# True if you want that the configuration is deleted on an error
# during a complete visudo -c run. If false it will just return
# an error and will add a comment to the sudoers configuration so
# that the resource will be checked at the following run.
#
# @param validate_single
# Do a validate on the "single" file in the sudoers.d directory.
# If the validate fail the file will not be saved or changed
# if a file already exist.
#
# @param config_dir_keepme
# Add a .keep-me file to the config dir
#
Expand Down Expand Up @@ -137,8 +126,6 @@
Optional[String[1]] $content_string = undef,
Optional[String[1]] $secure_path = $sudo::params::secure_path,
Boolean $ldap_enable = false,
Boolean $delete_on_error = true,
Boolean $validate_single = false,
Boolean $config_dir_keepme = $sudo::params::config_dir_keepme,
Boolean $use_sudoreplay = false,
Enum['absent','password','nopassword'] $wheel_config = $sudo::params::wheel_config,
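Review bot: dropping `$delete_on_error` and `$validate_single` from the class signature is a breaking change for existing users: manifests that still pass `delete_on_error` or `validate_single` to `class { 'sudo': ... }` will fail to compile, and Hiera keys `sudo::delete_on_error` / `sudo::validate_single` will be silently ignored. Either keep them for one release as deprecated no-op parameters that emit a warning, or at least record the removal (together with `sudo::conf`'s `sudo_syntax_path`) in the CHANGELOG and bump the major version.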
