Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

What happened to includedirsudoers? #197

Closed
esalberg opened this issue Jul 24, 2017 · 8 comments
Closed

What happened to includedirsudoers? #197

esalberg opened this issue Jul 24, 2017 · 8 comments
Assignees
@saz

Comments

@esalberg
Copy link
Contributor

I ran into an issue where the Augeas lens for sudoers was failing on having entries with numbers, e.g.:

AB123 AB123SRVRS = (AB123USER) AB123STOP, AB123STRT

Those entries appear to be valid, at least per visudo - I was looking for the sudoers lens file to investigate further, when I noticed that the includedirsudoers code no longer appears to be part of the latest version of the module (we're running a bit behind).

On our legacy nodes, we use config_file_replace = false - however, we do need the sudoers.d directory included / added to the config so that we can start adding new entries in sudoers.d.

It looks like includedirsudoers was removed in this PR:
#191

However, the doc wasn't updated to explain how to use the new includedir parameters (if it's possible) to include dirs in a sudoers config file that isn't otherwise managed. The main doc still refers to includedirsudoers as a boolean option, even though it's no longer part of the code. I also don't see anything similar to the previous if $config_file_replace == false that called augeas before.

Is there a way to get the new code to add "#includedir /etc/sudoers.d" to an existing sudoers file with the new code? If not, would it be accepted if I submitted a PR to re-add that functionality?
@mdella
Copy link

mdella commented Jan 31, 2018

Just following up with this topic on January 31st (after the release of 5.0.0). This parameter is still listed in the documentation however all my puppet updates are failing now with the error:

Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Sudo]: has no parameter named 'includedirsudoers' at /etc/puppetlabs/code/environments/production/manifests/sudoers.pp:2:3

In a CentOS7 environment, is this now considered deprecated?

@saz saz self-assigned this Feb 20, 2018
@saz
Copy link
Owner

saz commented Feb 21, 2018

This was introduced without further notice with ff55b7c#diff-60ae41fd0a31977447947f59940ee9a4

I'm sorry for the inconvenience. I'll check the documentation and will update it.
Easy way: drop includedirsudoers from your setup and it should be working as expected.

Don't know how I've missed that big change. 😞

@jameskirsop
Copy link

Not to hijack this thread too much, but I'm a bit confused about how this should or shouldn't be working.

Given the below:

        sudo::conf { 'sudoers':
            priority => 10,
            content  => "%sudoers ALL=(ALL) NOPASSWD: ALL",
        }

A file is created (on CentOS7) in /etc/sudoers.d/ but the template and options still seem to indicate that this file is ignored by default. Would it not make sense to make sure that this folder is read for drop in files like the one created for the above?

Relevant except from the RHEL7 template file below but the same commented line for the config_dir is found through all others that I checked:

#includedir <%= @config_dir %>
<% @extra_include_dirs.each do |include_dir| -%>
#includedir <%= include_dir %>
<% end if @extra_include_dirs -%>

@ubellavance
Copy link

@jameskirsop this # is not a comment in this case. I know it's confusing. By the way, the new default is to have members of the wheel group to be full sudoers so your setting may be redundant.

@jameskirsop
Copy link

@ubellavance, that's very confusing!!

I'll have to work out why my test users in the group aren't able to elevate with sudo then!! I thought I'd found something, but obviously not!!

@ubellavance
Copy link

No worries, everyone gets bitten once. But this restriction comes from sudo itself, not from this module.

From sudoers manpage:

The #includedir directive can be used to create a sudoers.d directory that the system package manager can drop sudoers file rules into as part of package installation.

@gilljb
Copy link

gilljb commented Nov 12, 2019

I'm still seeing the error in 6.0.0

class { 'sudo':
config_file_replace => false,
includedirsudoers => true,
}

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Sudo]: has no parameter named 'includedirsudoers' (file: /etc/puppetlabs/code/environments/sudo_includedirsudoers/site/csd_base/manifests/access/sudo/add_sudoers.pp, line: 10, column: 3) on node

@nicoloba
Copy link

Hi!
So, how is the right way to declare #includedir inside the class?

Thanks in advance!

@saz saz closed this as completed in 82c3e27 May 13, 2024
saz added a commit that referenced this issue May 13, 2024
@saz
Merge pull request #305 from saz/remove-includedirsudoers-README
b6f6cbc 
Remove parameters from README.md, mention REFERENCE.md, fixes #197
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@saz saz

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@saz @jameskirsop @mdella @ubellavance @esalberg @gilljb @nicoloba