1

granularizing sudoers

asked 2014-03-03 10:40:41 -0500

sgarre02

Hello,

I'm trying to make my sudoers file much more dynamic than it currently is. Right now it's a monolithic file with every host, every user, every user group and what they can do as sudo.

Is there a way I can make this more granular and dynamic? For example, what I'd like to do is add a user to my accounts.pp and when I realize them on a particular server have them be able to run sudo su - apache.

Thanks for your help!


2 Answers

2

answered 2014-03-17 08:05:06 -0500

Michal Bryxí

updated 2014-03-17 08:06:38 -0500

A possible solution is to use augeas, which is a native Puppet type. It allows you to modify almost every file. A simple example of adding the wheel group sudo right to run all commands without a password:

  augeas { 'sudo':
    context => '/files/etc/sudoers',
    changes => [
      'set spec[user = "%wheel"]/user %wheel',
      'set spec[user = "%wheel"]/host_group/host ALL',
      'set spec[user = "%wheel"]/host_group/command[1] ALL',
      'set spec[user = "%wheel"]/host_group/command[1]/tag NOPASSWD',
    ]
  }

But I think the preferred way should be to use some already crafted Puppet module if any of them matches your needs.

2

answered 2014-03-03 11:48:48 -0500

ramindk

A simple fix is to use /etc/sudoers.d/ and drop a file in per user, group, access, whatever. At the simplest it might look like

  sudo ls /etc/sudoers.d/
  00_admins
  99_nagios
  99_noc
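Added example (not part of either answer and not taken from an existing module): one way to manage the /etc/sudoers.d/ drop-in files from Puppet, with each file checked by visudo before it is installed. The define name `sudoers_dropin`, its parameters, the user `jdoe`, the paths `/usr/sbin/visudo` and `/bin/su`, and the presence of an `#includedir /etc/sudoers.d` line in the main sudoers file are assumptions.

```puppet
# Added example; sudoers_dropin and its parameters are hypothetical names.
define sudoers_dropin (
  $content,
  $priority = '50',
) {
  # sudo's #includedir skips file names that contain a '.' or end in '~',
  # so build a safe file name from the resource title.
  $safe_name = regsubst($title, '[^A-Za-z0-9_-]', '_', 'G')

  file { "/etc/sudoers.d/${priority}_${safe_name}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "${content}\n",
    # Puppet replaces % with the path of a temporary copy of the new
    # content. The file is only put in place if visudo accepts it, so a
    # syntax error never reaches /etc/sudoers.d.
    validate_cmd => '/usr/sbin/visudo -cf %',
  }
}

# Declared in the class or node where the account is realized.
# 'jdoe' is a constructed user name; the rule allows `sudo su - apache`
# and nothing else. Adjust /bin/su to where su lives on the target OS.
sudoers_dropin { 'jdoe_apache':
  content => 'jdoe ALL = (root) /bin/su - apache',
}
```

The `validate_cmd` attribute of the `file` type requires Puppet 3.5 or later.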
