Ask Your Question

Augeas[sudousers]: Could not evaluate: missing string argument 2 for set when applying sudoers puppet module

asked 2016-09-29 04:25:39 -0600

KevW77 gravatar image


Firstly, let me say that I'm not a puppet or augeas expert so apologies if this is code is a bit of a dogs breakfast!!

I've hit a problem and I was wondering if anyone could help?

I've cobbled together a puppet module from studying various sources to negate requiretty and insert the following lines into my /etc/sudoers file on a RHEL7 host.

nagios  ALL = NOPASSWD: /sbin/iptables
Defaults    !env_reset
Defaults    env_delete-="PYTHONPATH"
Cmnd_Alias PRIVACC = /opt/commands/
User_Alias PRIVUSR = %groupa,%groupb,%groupc,%groupd

Here is the module:

class rh7config::sudoers_config {
        augeas{ "sudousers" :
                context => "/files/etc/sudoers",
                changes => [
                "set /spec[user = 'nagios']/user 'nagios'",
                "set /spec[user = 'nagios']/host_group",
                "set /spec[user = 'nagios']/host_group/host 'ALL'",
                "set /spec[user = 'nagios']/host_group/command '/sbin/iptables'",
                "set /spec[user = 'nagios']/host_group/command/tag 'NOPASSWD'",

                "set /spec[user = 'PRIVUSR']/user 'PRIVUSR'",
                "set /spec[user = 'PRIVUSR']/host_group",
                "set /spec[user = 'PRIVUSR']/host_group/host 'ALL'",
                "set /spec[user = 'PRIVUSR']/host_group/command 'PRIVACC'",
                "set /spec[user = 'PRIVUSR']/host_group/command/tag 'NOPASSWD'",

                "set /User_Alias[alias/name = 'PRIVUSR']/alias/name 'PRIVUSR'",
                "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[1] '%groupa'",
                "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[2] '%groupb'",
                "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[3] '%groupc'",
                "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[4] '%groupd'",

                "set /Cmnd_Alias[alias/name = 'PRIVACC']/alias/name 'PRIVACC'",
                "set /Cmnd_Alias[alias/name = 'PRIVACC']/alias/command '/opt/commands/'",

                "set /*[env_reset]/env_reset/negate",
                "set /*[requiretty]/requiretty/negate",

                "ins Defaults before /Defaults[5]",
                "set /Defaults[5]/env_delete",
                "set /Defaults[5]/env_delete/remove",
                "set /Defaults[5]/env_delete/var 'PYTHONPATH'",
        onlyif => "match path[. = '/run'] size == 0", #required for insert above

These Augeas commands seem to work from the augtool command line but when I run a puppet agent -t, it errors with the message:

Error: /Stage[main]/Rh7config::Sudoers_config/Augeas[sudousers]: Could not evaluate: missing string argument 2 for set

I was wondering if anyone could see anything obvious in the code above as I'm stumped.

Any help would be greatly appreciated!


edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2016-09-30 08:59:55 -0600

KevW77 gravatar image

updated 2016-10-05 05:19:40 -0600

Thanks to you both for your invaluable help!

I removed the offending lines as they were not needed, and passed empty values to some of the set commands such as:

'set *[requiretty]/requiretty/negate ""',

as these were also causing the "missing string argument 2 for set" errors.

I then corrected the relative/absolute path issue.

The working module is as follows:

class rh7config::sudoers_config {
        augeas{ 'sudousers': 
            context => '/files/etc/sudoers',
            changes => [ 
            'set spec[user = "nagios"]/user "nagios"',
            'set spec[user = "nagios"]/host_group/host "ALL"',
            'set spec[user = "nagios"]/host_group/command "/sbin/iptables"',
            'set spec[user = "nagios"]/host_group/command/tag "NOPASSWD"',

            'set spec[user = "PRIVUSR"]/user "PRIVUSR"',
            'set spec[user = "PRIVUSR"]/host_group/host "ALL"',
            'set spec[user = "PRIVUSR"]/host_group/command "PRIVACC"',
            'set spec[user = "PRIVUSR"]/host_group/command/tag "NOPASSWD"',

            'set User_Alias[alias/name = "PRIVUSR"]/alias/name "PRIVUSR"',
            'set User_Alias[alias/name = "PRIVUSR"]/alias/user[1] "%groupa"',
            'set User_Alias[alias/name = "PRIVUSR"]/alias/user[2] "%groupb"',
            'set User_Alias[alias/name = "PRIVUSR"]/alias/user[3] "%groupc"',
            'set User_Alias[alias/name = "PRIVUSR"]/alias/user[4] "%groupd"',

            'set Cmnd_Alias[alias/name = "PRIVACC"]/alias/name "PRIVACC"',
            'set Cmnd_Alias[alias/name = "PRIVACC"]/alias/command "/opt/commands/"',

            'set *[env_reset]/env_reset/negate ""',
            'set *[requiretty]/requiretty/negate ""',
        augeas{ 'pythonpath': 
            context => '/files/etc/sudoers',
            changes => [
            'ins Defaults before Defaults[5]',
            'set Defaults[5]/env_delete/remove ""',
            'set Defaults[5]/env_delete/var "PYTHONPATH"',
            onlyif => "match Defaults[*]/env_delete[var = 'PYTHONPATH'] size == 0", #required for insert above
edit flag offensive delete link more

answered 2016-09-29 09:51:30 -0600

DarylW gravatar image

the set command takes two arguments. I've normally run into that error where I was building up a file using variables, and I had a variable that was empty so it put in an empty string. In your case, I think the problem is this line..

            "set /spec[user = 'nagios']/host_group",

That looks like it only has one argument (the position to set), and not the second argument (the value to set).

The error output isn't helpful, and sometimes your best course of action is to comment out lines, and then either brute force or binary search to find the offending line.

Like I said, I have had issues before where I had a statement like the following, but for some reason myhostgroup was undefined/empty

            "set /spec[user = 'nagios']/host_group ${my_host_group}",
edit flag offensive delete link more


Ah Thanks for your reply! I couldn't find any documentation on what I needed so I veiwed the augeas configuration of an already configured sudoers file and reverse engineered it. Armed with this new information I'm not sure I need those lines at all - I'll try a few things and report back. Cheers

KevW77 gravatar imageKevW77 ( 2016-09-30 03:40:25 -0600 )edit

Slimming down the module, and removing those lines has helped so thanks for that! :). I see commands being sent to augeas, However nothing applies, I get the error: Debug: Augeas[sudousers](provider=augeas): Skipping because no files were changed The demoralising quest for automation continues :(

KevW77 gravatar imageKevW77 ( 2016-09-30 06:24:59 -0600 )edit

Remove the leading / from all of those lines, it will set the Augeas path /spec when you actually mean to be setting /files/etc/sudoers/spec. If you just write "spec" it's a relative path (relative to the context), but when prefixed with "/" it's absolute.

domcleal gravatar imagedomcleal ( 2016-09-30 07:30:35 -0600 )edit

Perfect! that was the final piece of the puzzle - thanks very much! I'll post the functioning module in a sec for completeness - thanks so much to you both!

KevW77 gravatar imageKevW77 ( 2016-09-30 08:52:33 -0600 )edit

I couldn't fit the working module in a comment, so I had to put it in an answer...

KevW77 gravatar imageKevW77 ( 2016-09-30 09:01:05 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2016-09-29 04:25:39 -0600

Seen: 639 times

Last updated: Oct 05 '16