Augeas[sudousers]: Could not evaluate: missing string argument 2 for set when applying sudoers puppet module

Hello,

Firstly, let me say that I'm not a puppet or augeas expert so apologies if this code is a bit of a dog's breakfast!!

I've hit a problem and I was wondering if anyone could help?

I've cobbled together a puppet module from studying various sources to negate requiretty and insert the following lines into my /etc/sudoers file on a RHEL7 host.

    nagios  ALL = NOPASSWD: /sbin/iptables
    PRIVUSR ALL=NOPASSWD: PRIVACC
    Defaults    !env_reset
    Defaults    env_delete-="PYTHONPATH"
    Cmnd_Alias PRIVACC = /opt/commands/PRIVACC.py
    User_Alias PRIVUSR = %groupa,%groupb,%groupc,%groupd


Here is the module:

    class rh7config::sudoers_config {
      augeas{ "sudousers" :
        context => "/files/etc/sudoers",
        changes => [
          "set /spec[user = 'nagios']/user 'nagios'",
          "set /spec[user = 'nagios']/host_group",
          "set /spec[user = 'nagios']/host_group/host 'ALL'",
          "set /spec[user = 'nagios']/host_group/command '/sbin/iptables'",
          "set /spec[user = 'nagios']/host_group/command/tag 'NOPASSWD'",

          "set /spec[user = 'PRIVUSR']/user 'PRIVUSR'",
          "set /spec[user = 'PRIVUSR']/host_group",
          "set /spec[user = 'PRIVUSR']/host_group/host 'ALL'",
          "set /spec[user = 'PRIVUSR']/host_group/command 'PRIVACC'",
          "set /spec[user = 'PRIVUSR']/host_group/command/tag 'NOPASSWD'",

          "set /User_Alias[alias/name = 'PRIVUSR']/alias/name 'PRIVUSR'",
          "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[1] '%groupa'",
          "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[2] '%groupb'",
          "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[3] '%groupc'",
          "set /User_Alias[alias/name = 'PRIVUSR']/alias/user[4] '%groupd'",

          "set /Cmnd_Alias[alias/name = 'PRIVACC']/alias/name 'PRIVACC'",
          "set /Cmnd_Alias[alias/name = 'PRIVACC']/alias/command '/opt/commands/PRIVACC.py'",

          "set /*[env_reset]/env_reset/negate",
          "set /*[requiretty]/requiretty/negate",

          "ins Defaults before /Defaults[5]",
          "set /Defaults[5]/env_delete",
          "set /Defaults[5]/env_delete/remove",
          "set /Defaults[5]/env_delete/var 'PYTHONPATH'",
        ],
        onlyif => "match path[. = '/run'] size == 0", #required for insert above
      }
    }


These Augeas commands seem to work from the augtool command line but when I run a puppet agent -t, it errors with the message:

Error: /Stage[main]/Rh7config::Sudoers_config/Augeas[sudousers]: Could not evaluate: missing string argument 2 for set

I was wondering if anyone could see anything obvious in the code above as I'm stumped.

Any help would be greatly appreciated!

Kev


Thanks to you both for your invaluable help!

I removed the offending lines as they were not needed, and passed empty values to some of the set commands such as:

    'set *[requiretty]/requiretty/negate ""',


as these were also causing the "missing string argument 2 for set" errors.

I then corrected the relative/absolute path issue.

The working module is as follows:

    class rh7config::sudoers_config {
      augeas{ 'sudousers':
        context => '/files/etc/sudoers',
        changes => [
          'set spec[user = "nagios"]/user "nagios"',
          'set spec[user = "nagios"]/host_group/host "ALL"',
          'set spec[user = "nagios"]/host_group/command "/sbin/iptables"',
          'set spec[user = "nagios"]/host_group/command/tag "NOPASSWD"',

          'set spec[user = "PRIVUSR"]/user "PRIVUSR"',
          'set spec[user = "PRIVUSR"]/host_group/host "ALL"',
          'set spec[user = "PRIVUSR"]/host_group/command "PRIVACC"',
          'set spec[user = "PRIVUSR"]/host_group/command/tag "NOPASSWD"',

          'set User_Alias[alias/name = "PRIVUSR"]/alias/name "PRIVUSR"',
          'set User_Alias[alias/name = "PRIVUSR"]/alias/user[1] "%groupa"',
          'set User_Alias[alias/name = "PRIVUSR"]/alias/user[2] "%groupb"',
          'set User_Alias[alias/name = "PRIVUSR"]/alias/user[3] "%groupc"',
          'set User_Alias[alias/name = "PRIVUSR"]/alias/user[4] "%groupd"',

          'set Cmnd_Alias[alias/name = "PRIVACC"]/alias/name "PRIVACC"',
          'set Cmnd_Alias[alias/name = "PRIVACC"]/alias/command "/opt/commands/PRIVACC.py"',

          'set *[env_reset]/env_reset/negate ""',
          'set *[requiretty]/requiretty/negate ""',
        ],
      }
      augeas{ 'pythonpath':
        context => '/files/etc/sudoers',
        changes => [
          'ins Defaults before Defaults[5]',
          'set Defaults[5]/env_delete/remove ""',
          'set Defaults[5]/env_delete/var "PYTHONPATH"',
        ],
        onlyif => "match Defaults[*]/env_delete[var = 'PYTHONPATH'] size == 0", #required for insert above
      }
    }


The set command takes two arguments. I've normally run into that error where I was building up a file using variables, and I had a variable that was empty so it put in an empty string. In your case, I think the problem is this line:

            "set /spec[user = 'nagios']/host_group",


That looks like it only has one argument (the position to set), and not the second argument (the value to set).

The error output isn't helpful, and sometimes your best course of action is to comment out lines, and then either brute force or binary search to find the offending line.

Like I said, I have had issues before where I had a statement like the following, but for some reason myhostgroup was undefined/empty:

            "set /spec[user = 'nagios']/host_group ${my_host_group}",


Ah, thanks for your reply! I couldn't find any documentation on what I needed so I viewed the augeas configuration of an already configured sudoers file and reverse engineered it. Armed with this new information I'm not sure I need those lines at all - I'll try a few things and report back. Cheers

( 2016-09-30 03:40:25 -0500 )

Slimming down the module and removing those lines has helped, so thanks for that! :) I see commands being sent to augeas, however nothing applies. I get the error: Debug: Augeas[sudousers](provider=augeas): Skipping because no files were changed. The demoralising quest for automation continues :(

( 2016-09-30 06:24:59 -0500 )
1

Remove the leading / from all of those lines, it will set the Augeas path /spec when you actually mean to be setting /files/etc/sudoers/spec. If you just write "spec" it's a relative path (relative to the context), but when prefixed with "/" it's absolute.

( 2016-09-30 07:30:35 -0500 )

Perfect! That was the final piece of the puzzle - thanks very much! I'll post the functioning module in a sec for completeness - thanks so much to you both!

( 2016-09-30 08:52:33 -0500 )

I couldn't fit the working module in a comment, so I had to put it in an answer...

( 2016-09-30 09:01:05 -0500 )
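
A pre-flight check for the two mistakes identified in this thread (a `set` with no value, and a leading `/` that bypasses `context`), as an added example that is not part of the original posts and is not the Puppet provider's own parser. `split_path_and_rest` and `lint_changes` are hypothetical helper names; the sample lists are lines copied from the two modules above.

```python
# Added example: lint Puppet augeas `changes` entries for the two mistakes
# in this thread. A simplified sketch, not the Puppet provider's own parser.

def split_path_and_rest(args):
    """Split 'PATH VALUE' at the first whitespace outside [...] and quotes."""
    depth, quote = 0, None
    for i, ch in enumerate(args):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch.isspace() and depth == 0:
            return args[:i], args[i:].strip()
    return args, ""

def lint_changes(changes, context):
    """Return (index, problem) pairs for `set` commands that look wrong."""
    findings = []
    for idx, line in enumerate(changes):
        verb, _, args = line.strip().partition(" ")
        if verb != "set":
            continue  # only `set` is checked here
        path, value = split_path_and_rest(args.strip())
        if not value:
            findings.append((idx, "missing value: set needs a path and a value"))
        if path.startswith("/") and not path.startswith(context):
            findings.append((idx, "absolute path bypasses context " + context))
    return findings

CONTEXT = "/files/etc/sudoers"
# Lines copied from the question's module.
QUESTION_CHANGES = [
    "set /spec[user = 'nagios']/user 'nagios'",
    "set /spec[user = 'nagios']/host_group",
    "set /*[requiretty]/requiretty/negate",
]
# Lines copied from the working module.
FIXED_CHANGES = [
    'set spec[user = "nagios"]/user "nagios"',
    'set *[requiretty]/requiretty/negate ""',
]

if __name__ == "__main__":
    for idx, problem in lint_changes(QUESTION_CHANGES, CONTEXT):
        print(f"changes[{idx}]: {problem}")
```

Because sudoers rules that silently fail to apply leave the host in its previous privilege state, running a check like this before `puppet agent -t` narrows the search that would otherwise be done by commenting lines out one at a time.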