kosmos/chef
kosmos
/
chef
8
3
Fork 0
Code Issues 34 Pull Requests 2 Projects 1 Activity

Remove the sudo cookbook 

Chef 14 ships with a sudo resource:
https://docs.chef.io/resource_sudo.html
This commit is contained in:
Greg 2019-04-02 12:17:06 +02:00
parent 2f599ffd6d
commit 73d1722d4b
15 changed files with 6 additions and 958 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Berksfile
View File

@ -28,7 +28,6 @@ cookbook 'poise-javascript', git: 'https://github.com/poise/poise-javascri
cookbook 'poise-archive', '~> 1.5.0'
cookbook 'poise-service', '~> 1.5.2'
cookbook 'users', '~> 5.3.1'
cookbook 'sudo', '~> 5.3.3'
cookbook 'hostname', '= 0.4.2'
cookbook 'firewall', '~> 2.6.3'
cookbook 'nginx', '= 9.0.0'

2
Berksfile.lock
View File

@ -52,7 +52,6 @@ DEPENDENCIES
git: https://github.com/phlipper/chef-redis.git
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
ref: v0.5.6
sudo (~> 5.3.3)
timezone_iii (= 1.0.4)
users (~> 5.3.1)
windows (= 3.1.1)
@ -193,7 +192,6 @@ GRAPH
windows (>= 1.2.2)
smf (2.2.8)
rbac (>= 1.0.1)
sudo (5.3.3)
tar (2.2.0)
timezone_iii (1.0.4)
users (5.3.1)

293
cookbooks/sudo/CHANGELOG.md
View File

@ -1,293 +0,0 @@
# sudo Cookbook CHANGELOG
This file is used to list changes made in each version of the sudo cookbook.
## 5.3.3 (2018-03-22)
- Properly deprecate the undocumented visudo_path property for visudo_binary. Without realizing it later on when I went to make a release I changed the behavior of this property. It was never documented in the readme or the changelog so I suspect few people are using it, but just in case we fail hard on the old name now with helpful messaging.
- Properly return true in method that looks for visudo
- Avoid name conflicts between properties and the path helper method
## 5.3.2 (2018-03-22)
- Restore resource behavior on FreeBSD.
## 5.3.1 (2018-03-13)
- Use visudo_path property to override the path to visudo
- Handle poorly deliminated strings in the users property
- Add backwards compatibility for the :delete action
## 5.3.0 (2018-03-13)
- Use the includedir directive on Solaris and macOS in addition to Linux. All three of these platforms support it out of the box on non-EOL releases
- Fail with a useful message in the resource when on FreeBSD since FreeBSD doesn't support sudoers.d`
- Skip / warn if visudo isn't present where we expect it to be instead of failing hard
- Fully support macOS in the resource and recipe
## 5.2.0 (2018-03-13)
- Refactored the resource to use Chef's built in template verification functionality. This avoids a lot of custom work we did in the resource to verify the config file before we wrote it out. Not only does this reduce code complexity/fragility in this cookbook, it removes the double template resource you'd see in converges before.
## 5.1.0 (2018-03-13)
- Rework the readme to with additional documentation on the resource
- Fix a compilation failure if the user was specifying their own template
- Improve the conditions in which the property validation fails
- Renamed the group property to groups with backwards compatibility
- Renamed the user property to users with backwards compatibility
- Change the type of users/groups to Arrays so you can either specify comma separated lists or arrays of users/groups
- Improve the splitting of the list of users/groups to handle spaces before/after the commas
- Properly add % to each group name in arrays as well as comma separated lists. Also support the scenario where one group has a % and the other does not
- Support setting up sudo for both users and groups in the same config. We now combine the users and groups as you would expect
## 5.0.0 (2018-03-11)
- Converted the LWRP to a custom resource
- Changed the package install logic to only try to install sudo when we're on a docker guest where sudo is generally missing. This uses the docker? helper which requires 12.21.3, which is the new minimum Chef version supported by this cookbook
- The property validation logic previously in the resource is now actually run. This prevents combinations of resources that will not work together from being used.
- Reordered the readme to list the resource first as this is the preferred way to use this resource
- Removed the `node['authorization']['sudo']['prefix']` attribute. In the recipe this is automatically determined. In the resource there is a new `config_prefix` property. This should have no impact on users as the proper settings for each OS are still specified.
- Added a new filename name_property is you want to specify the filename as something different than the resource's name. This helps avoid resource cloning issues.
- The `:install` action has been renamed to `:create`, while retaining backwards compatibility with the old name
- Resolved FC085 Foodcritic warning
## 4.0.1 (2018-02-16)
- FIX: in templates the attribute "passwordless" and other with data type String always will be return true
- Add an attribute for setting sudoers.d mode
- Removed the ChefSpec matchers. These are now autogenerated by ChefSpec. If you are seeing matcher failure upgrade to ChefDK 2.4 or later.
## 4.0.0 (2017-11-28)
### Breaking Changes
- sudo .d functionality is now enabled by default on Linux systems. This allows the sudo resource to function with setting `node['authorization']['sudo']['include_sudoers_d']` to true. Only some older / EoL distros this will break sudo functionality so make sure you test this and set it to false if you're running an EoL distro
- The `sysadmin` group is no longer added to sudoers by default anymore. Historically many community cookbooks assumed all admins were in this sysadmins group. We've moved away from that assumption since it was a suprise to many when this group was added. If you rely on this behavior make sure to `node['authorization']['sudo']['groups']` attribute to inlude the sysadmin group.
### Other Changes
- Remove the debian-isms from the sudo.d readme file which is copied onto multiple Linux systems
- Remove an old RHEL 5 example from the readme
- Fix ChefSpec warnings
- Improve Travis testing and add Debian 9 testing
- Setenv for restricted users
- Improve visudo path resolution on non-Debian distros
## 3.5.3 (2017-07-09)
- Add amazon linux to the metadata
- Remove extra spaces in the sudoer template
- Update platform names in the readme
- Replace the HTML table with markdown
## 3.5.2 (2017-06-26)
- Remove totally bogus "supports" attribute from the resource
- Revert "Remove sysadmin from default groups". We'll handle this differently going forward. Sorry for the breakage
## 3.5.1 (2017-06-21)
- Remove sysadmin from default groups as sysadmin is no longer a group we push via the users cookbook.
## 3.5.0 (2017-05-16)
- Add sudo package management to resource
## 3.4.0 (2017-04-26)
- Add lwrp support for only env_keep add/subtract
- Readme improvements
- Move the files out of the default directory since Chef >= 12 doesn't require this
- Test with Local Delivery instead of Rake
- Cookstyle fixes
- Update apache2 license string
## 3.3.1 (2017-01-17)
- fixed command_aliases in README
## 3.3.0 (2017-01-04)
- Add attributes for env_keep_add and env_keep_subtract for the base sudoers file
- Sanitize file names in the :remove action so we remove the proper files
## 3.2.0 (2016-12-27)
- Convert ~ to __ like we do for i (sudoers.d files)
## 3.1.0 (2016-10-24)
- add attribute custom_commands for user and group
## 3.0.0 (2016-09-08)
- Testing updates
- Require Chef 12.1+
## 2.11.0 (2016-08-09)
- Add support for NOEXEC flag
## v2.10.0 (2016-08-04)
- Added a warning to the LWRP if include_sudoers_d is set to false
- Enabled use_inline_resources in the LWRP
- Added IBM zlinux as a supported platform
- Added suse, opensuse, and opensuseleap to the metadata as they are now tested platforms
- Added chef_version metadata to metadata.rb
- Removed attributes from the metadata.rb as this serves little purpose
- Converted bats integration tests to inspec
- Switched from rubocop to cookstyle for Ruby linting
- Removed the need for the apt cookbook in the test suite by using the apt_update resource instead
- Switched from kitchen-docker to kitchen-dokken and enabled Debian/Opensuse platforms in Travis
## v2.9.0 (2016-02-07)
- Updated the provider to avoid writing out config files with periods in the filename when a user has a period in their name as these are skipped by the sudo package. A sudo config for invalid.user will write out a config named invalid_user now.
## v2.8.0 (2016-02-04)
- Added a new attribute to the recipe and provider for adding SETENV to sudoer config
- Updated development deps to the latest version
- Setup test kitchen to run in Travis with kitchen-docker
- Expanded the kitchen.yml config to include additional platforms
- Renamed the test recipe from fake to test
- Updated the testing and contributing docs to the latest
- Added maintainers.toml and maitainers.md
- Added a chefignore file to limit which files get uploaded to the chef server
- Added long_description to the metadata.rb
- Added source_url and issues_url for Supermarket to the metadata.rb
- Resolved all Rubocop warnings
- Updated the Chefspec to the 4.x format
- Removed kitchen cloud testing configs and gem deps
- Removed the Guardfile and the gem deps
## v2.7.2 (2015-07-10)
- Adding support for keep_env
- misc cleanup
## v2.7.1 (2014-09-18)
- [#53] - removed double space from sudoer.erb template
## v2.7.0 (2014-08-08)
- [#44] Add basic ChefSpec matchers
## v2.6.0 (2014-05-15)
- [COOK-4612] Add support for the command alias (Cmnd_Alias) directive
- [COOK-4637] - handle duplicate resources in LWRP
## v2.5.2 (2014-02-27)
Bumping version for toolchain sanity
## v2.5.0 (2014-02-27)
Bumping to 2.5.0
## v2.4.2 (2014-02-27)
[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb
## v2.4.0 (2014-02-18)
**BREAKING CHANGE**: The `sysadmin` group has been removed from the template. You will lose sudo access if:
- You have users that depend on the sysadmin group for sudo access, and
- You are overriding authorization.sudo.groups, but not including `sysadmin` in the list of groups
### Bug
- **[COOK-4225](https://tickets.chef.io/browse/COOK-4225)** - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true
### Improvement
- **[COOK-4014](https://tickets.chef.io/browse/COOK-4014)** - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
- **[COOK-3643](https://tickets.chef.io/browse/COOK-3643)** - FreeBSD support for sudo cookbook
### New Feature
- **[COOK-3409](https://tickets.chef.io/browse/COOK-3409)** - enhance sudo lwrp's default template to allow defining default user parameters
## v2.3.0
### Improvement
- **[COOK-3843](https://tickets.chef.io/browse/COOK-3843)** - Make cookbook 'sudo' compatible with Mac OS X
## v2.2.2
### Improvement
- **[COOK-3653](https://tickets.chef.io/browse/COOK-3653)** - Change template attribute to kind_of String
- **[COOK-3572](https://tickets.chef.io/browse/COOK-3572)** - Add Test Kitchen, Specs, and Travis CI
### Bug
- **[COOK-3610](https://tickets.chef.io/browse/COOK-3610)** - Document "Runas" attribute not described in the LWRP Attributes section
- **[COOK-3431](https://tickets.chef.io/browse/COOK-3431)** - Validate correctly with `visudo`
## v2.2.0
### New Feature
- **[COOK-3056](https://tickets.chef.io/browse/COOK-3056)** - Allow custom sudoers config prefix
## v2.1.4
This is a bugfix for 11.6.0 compatibility, as we're not monkey-patching Erubis::Context.
### Bug
- [COOK-3399]: Remove node attribute in comment of sudoers templates
## v2.1.2
### Bug
- [COOK-2388]: Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2814]: Incorrect syntax in README example
## v2.1.0
- [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2427] - unable to install users cookbook in chef 11
- [COOK-2814] - Incorrect syntax in README example
## v2.0.4
- [COOK-2078] - syntax highlighting README on GitHub flavored markdown
- [COOK-2119] - LWRP template doesn't support multiple commands in a single block.
## v2.0.2
- [COOK-2109] - lwrp uses incorrect action on underlying file resource.
## v2.0.0
This is a major release because the LWRP's "nopasswd" attribute is changed from true to false, to match the passwordless attribute in the attributes file. This requires a change to people's LWRP use.
- [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute
## v1.3.0
- [COOK-1892] - Revamp sudo cookbook and LWRP
- [COOK-2022] - add an attribute for setting /etc/sudoers Defaults
## v1.2.2
- [COOK-1628] - set host in sudo lwrp
## v1.2.0
- [COOK-1314] - default package action is now :install instead of :upgrade
- [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute
## v1.1.0
- [COOK-350] - LWRP to manage sudo files via include dir (/etc/sudoers.d)
## v1.0.2
- [COOK-903] - freebsd support

2
cookbooks/sudo/CONTRIBUTING.md
View File

@ -1,2 +0,0 @@
Please refer to
https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD

294
cookbooks/sudo/README.md
View File

@ -1,294 +0,0 @@
# sudo cookbook
[![Build Status](https://travis-ci.org/chef-cookbooks/sudo.svg?branch=master)](http://travis-ci.org/chef-cookbooks/sudo) [![Cookbook Version](https://img.shields.io/cookbook/v/sudo.svg)](https://supermarket.chef.io/cookbooks/sudo)
The default recipe configures the `/etc/sudoers` file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.
## Requirements
### Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- Amazon Linux
- FreeBSD
- macOS
- openSUSE / SUSE Enterprise
### Chef
- Chef 12.21.3+
### Cookbooks
- None
## Resource
Use the sudo resource to add or remove individual sudo entries using sudoers.d files.
**Note** Sudo version 1.7.2 or newer is required to use the sudo resource as it relies on the "#includedir" directive introduced in version 1.7.2\. The resource does not enforce installing the version. Supported releases of Ubuntu, Debian and RHEL (6+) all support this feature.
### Actions
- `:create` - Create a sudoers config
- `:delete` - Delete a sudoers config
### Properties
Property | Description | Example Value | Default Value
------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ---------------
`filename` | name of the `/etc/sudoers.d` file | restart-tomcat | resource's name
`commands` | array of commands this sudoer can execute | ['/etc/init.d/tomcat restart'] | ['ALL']
`groups` | group(s) to provide sudo privileges to. This accepts either an array or a comma separated list. Leading % on group names is optional. This property was named 'group' prior to the 5.1 cookbook release. | %admin,superadmin | []
`nopasswd` | allow running sudo without specifying a password sudo | true | false
`noexec` | prevents commands from shelling out | true | false
`runas` | User the command(s) can be run as | root | ALL
`template` | the erb template to render instead of the default | restart-tomcat.erb |
`users` | user(s) to provide sudo privileges to. This accepts either an array or a comma separated. This property was named 'user' prior to the 5.1 cookbook release. list. | [tomcat, webapp] | []
`defaults` | array of defaults this user has | ['!requiretty','env_reset'] |
`setenv` | whether to permit the preserving of environment with `sudo -E` | true | false
`env_keep_add` | array of strings to add to env_keep | ['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR'] |
`env_keep_subtract` | array of strings to remove from env_keep | ['DISPLAY', 'MY_SECURE_ENV_VAR'] |
`variables` | the variables to pass to the custom template. Ignored if not using a custom template. | commands: ['/etc/init.d/tomcat restart'] |
**If you use the template property, all other properties will be ignored except for the variables property.**
### Examples
#### user bob sudo privileges for any command
```ruby
sudo 'bob' do
user 'bob'
end
```
#### group sysadmin passwordless sudo privileges for any command
```ruby
sudo "sysadmin" do
group "sysadmin"
nopasswd true
end
```
#### group sysadmin/superadmin and user bob passwordless sudo privileges for any command
```ruby
sudo "sysadmin" do
group ['sysadmin', 'superadmin']
user "bob"
nopasswd true
end
```
### Built-In vs. Provided Templates
The resource provides two methods for templating the sudoers config files:
1. Using the built-in template
2. Using a custom, cookbook-level template
Both methods will create the `/etc/sudoers.d/#{resourcename}` files with the correct permissions.
The resource also performs **fragment validation**. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).
#### Using the Built-in Template
```ruby
sudo 'tomcat' do
user '%tomcat' # or a username
runas 'app_user' # or 'app_user:tomcat'
commands ['/etc/init.d/tomcat restart']
end
```
#### Specifying Your Own Template
```ruby
sudo 'tomcat' do
template 'my_tomcat.erb' # local cookbook template
variables cmds: ['/etc/init.d/tomcat restart']
end
```
In either case, the following file would be generated in `/etc/sudoers.d/tomcat`
```bash
# This file is managed by Chef for node.example.com
# Do NOT modify this file directly.
%tomcat ALL=(app_user) /etc/init.d/tomcat restart
```
## Usage
We highly recommend using the sudo resource to define individual sudo entries, but this cookbook also ships with a recipe that can be included on a run_list and controlled using attributes.
### Attributes
- `node['authorization']['sudo']['groups']` - groups to enable sudo access (default: `[]`)
- `node['authorization']['sudo']['users']` - users to enable sudo access (default: `[]`)
- `node['authorization']['sudo']['passwordless']` - use passwordless sudo (default: `false`)
- `node['authorization']['sudo']['include_sudoers_d']` - include and manage `/etc/sudoers.d` (default: `true` on Linux systems. Note: older / EOL distros do not support this feature)
- `node['authorization']['sudo']['agent_forwarding']` - preserve `SSH_AUTH_SOCK` when sudoing (default: `false`)
- `node['authorization']['sudo']['sudoers_defaults']` - Array of `Defaults` entries to configure in `/etc/sudoers`
- `node['authorization']['sudo']['setenv']` - Whether to permit preserving of environment with `sudo -E` (default: `false`)
### Using the Attributes
To use attributes for defining sudoers, set the attributes above on the node (or role) itself:
```json
{
"default_attributes": {
"authorization": {
"sudo": {
"groups": ["admin", "wheel", "sysadmin"],
"users": ["jerry", "greg"],
"passwordless": "true"
}
}
}
}
```
```json
{
"default_attributes": {
"authorization": {
"sudo": {
"command_aliases": [{
"name": "TEST",
"command_list": [
"/usr/bin/ls",
"/usr/bin/cat"
]
}],
"custom_commands": {
"users": [
{
"user": "test_user",
"passwordless": true,
"command_list": [
"TEST"
]
}
],
"groups": [
{
"group": "test_group",
"passwordless": false,
"command_list": [
"TEST"
]
}
]
}
}
}
}
}
```
```ruby
# roles/example.rb
default_attributes(
"authorization" => {
"sudo" => {
"groups" => ["admin", "wheel", "sysadmin"],
"users" => ["jerry", "greg"],
"passwordless" => true
}
}
)
```
**Note that the template for the sudoers file has the group "sysadmin" with ALL:ALL permission, though the group by default does not exist.**
### Sudoers Defaults
Configure a node attribute, `node['authorization']['sudo']['sudoers_defaults']` as an array of `Defaults` entries to configure in `/etc/sudoers`. A list of examples for common platforms is listed below:
_Debian_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']
```
_Ubuntu_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
]
```
_FreeBSD_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
]
```
_RHEL family 6.x_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'!visiblepw',
'env_reset',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"',
'env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"',
'env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"',
'env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"',
'env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"',
'env_keep += "HOME"',
'always_set_home',
'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'
]
```
_Mac OS X_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
'env_keep += "BLOCKSIZE"',
'env_keep += "COLORFGBG COLORTERM"',
'env_keep += "__CF_USER_TEXT_ENCODING"',
'env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"',
'env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"',
'env_keep += "LINES COLUMNS"',
'env_keep += "LSCOLORS"',
'env_keep += "TZ"',
'env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"',
'env_keep += "EDITOR VISUAL"',
'env_keep += "HOME MAIL"'
]
```
## Maintainers
This cookbook is maintained by Chef's Community Cookbook Engineering team. Our goal is to improve cookbook quality and to aid the community in contributing to cookbooks. To learn more about our team, process, and design goals see our [team documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/COOKBOOK_TEAM.MD). To learn more about contributing to cookbooks like this see our [contributing documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD), or if you have general questions about this cookbook come chat with us in #cookbok-engineering on the [Chef Community Slack](http://community-slack.chef.io/)
## License
**Copyright:** 2008-2018, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```

32
cookbooks/sudo/attributes/default.rb
View File

@ -1,32 +0,0 @@
#
# Cookbook:: sudo
# Attribute:: default
#
# Copyright:: 2008-2018, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
default['authorization']['sudo']['groups'] = []
default['authorization']['sudo']['users'] = []
default['authorization']['sudo']['passwordless'] = false
default['authorization']['sudo']['setenv'] = false
default['authorization']['sudo']['include_sudoers_d'] = %(solaris2, linux, darwin).include?(node['os']) ? true : false
default['authorization']['sudo']['sudoers_d_mode'] = '0755'
default['authorization']['sudo']['agent_forwarding'] = false
default['authorization']['sudo']['sudoers_defaults'] = ['!lecture,tty_tickets,!fqdn']
default['authorization']['sudo']['command_aliases'] = []
default['authorization']['sudo']['env_keep_add'] = []
default['authorization']['sudo']['env_keep_subtract'] = []
default['authorization']['sudo']['custom_commands']['users'] = []
default['authorization']['sudo']['custom_commands']['groups'] = []

6
cookbooks/sudo/files/README
View File

@ -1,6 +0,0 @@
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#

1
cookbooks/sudo/metadata.json
View File

File diff suppressed because one or more lines are too long

65
cookbooks/sudo/recipes/default.rb
View File

@ -1,65 +0,0 @@
#
# Cookbook:: sudo
# Recipe:: default
#
# Copyright:: 2008-2018, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
config_prefix = case node['platform_family']
when 'smartos'
'/opt/local/etc'
when 'freebsd'
'/usr/local/etc'
when 'mac_os_x'
'/private/etc'
else
'/etc'
end
if node['authorization']['sudo']['include_sudoers_d']
directory "#{config_prefix}/sudoers.d" do
mode node['authorization']['sudo']['sudoers_d_mode']
owner 'root'
group node['root_group']
end
cookbook_file "#{config_prefix}/sudoers.d/README" do
mode '0440'
owner 'root'
group node['root_group']
end
end
template "#{config_prefix}/sudoers" do
source 'sudoers.erb'
mode '0440'
owner 'root'
group node['root_group']
variables(
sudoers_groups: node['authorization']['sudo']['groups'],
sudoers_users: node['authorization']['sudo']['users'],
passwordless: node['authorization']['sudo']['passwordless'],
setenv: node['authorization']['sudo']['setenv'],
include_sudoers_d: node['authorization']['sudo']['include_sudoers_d'],
agent_forwarding: node['authorization']['sudo']['agent_forwarding'],
sudoers_defaults: node['authorization']['sudo']['sudoers_defaults'],
command_aliases: node['authorization']['sudo']['command_aliases'],
env_keep_add: node['authorization']['sudo']['env_keep_add'],
env_keep_subtract: node['authorization']['sudo']['env_keep_subtract'],
custom_commands_users: node['authorization']['sudo']['custom_commands']['users'],
custom_commands_groups: node['authorization']['sudo']['custom_commands']['groups'],
config_prefix: config_prefix
)
end

159
cookbooks/sudo/resources/default.rb
View File

@ -1,159 +0,0 @@
#
# Cookbook:: sudo
# Resource:: default
#
# Author:: Bryan W. Berry (<bryan.berry@gmail.com>)
# Author:: Seth Vargo (<sethvargo@gmail.com>)
# Author:: Tim Smith (<tsmith@chef.io>)
#
# Copyright:: 2011-2018, Bryan w. Berry
# Copyright:: 2012-2018, Seth Vargo
# Copyright:: 2015-2018, Chef Software, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# acording to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~`
# We convert either to `__`
property :filename, String, name_property: true, coerce: proc { |x| x.gsub(/[\.~]/, '__') }
property :users, [String, Array], default: [], coerce: proc { |x| x.is_a?(Array) ? x : x.split(/\s*,\s*/) }
property :groups, [String, Array], default: [], coerce: proc { |x| coerce_groups(x) }
property :commands, Array, default: ['ALL']
property :host, String, default: 'ALL'
property :runas, String, default: 'ALL'
property :nopasswd, [true, false], default: false
property :noexec, [true, false], default: false
property :template, String
property :variables, [Hash, nil], default: nil
property :defaults, Array, default: []
property :command_aliases, Array, default: []
property :setenv, [true, false], default: false
property :env_keep_add, Array, default: []
property :env_keep_subtract, Array, default: []
property :visudo_path, String # legacy placeholder for cookbook users. We raise when used below
property :visudo_binary, String, default: '/usr/sbin/visudo'
property :config_prefix, String, default: lazy { platform_config_prefix }
# handle legacy cookbook property
def after_created
raise "The 'visudo_path' property from the sudo cookbook has been replaced with the 'visudo_binary' property. The path is now more intelligently determined and for most users specifying the path should no longer be necessary. If this resource still cannot determine the path to visudo then provide the full path to the binary with the 'visudo_binary' property." if visudo_path
end
# VERY old legacy properties
alias_method :user, :users
alias_method :group, :groups
# make sure each group starts with a %
def coerce_groups(x)
# split strings on the commas with optional spaces on either side
groups = x.is_a?(Array) ? x : x.split(/\s*,\s*/)
# make sure all the groups start with %
groups.map { |g| g[0] == '%' ? g : "%#{g}" }
end
# default config prefix paths based on platform
# @return [String]
def platform_config_prefix
case node['platform_family']
when 'smartos'
'/opt/local/etc'
when 'mac_os_x'
'/private/etc'
when 'freebsd'
'/usr/local/etc'
else
'/etc'
end
end
# Default action - install a single sudoer
action :create do
validate_properties
if docker? # don't even put this into resource collection unless we're in docker
declare_resource(:package, 'sudo') do
action :nothing
not_if 'which sudo'
end.run_action(:install)
end
target = "#{new_resource.config_prefix}/sudoers.d/"
declare_resource(:directory, target) unless ::File.exist?(target)
Chef::Log.warn("#{new_resource.filename} will be rendered, but will not take effect because the #{new_resource.config_prefix}/sudoers config lacks the includedir directive that loads configs from #{new_resource.config_prefix}/sudoers.d/!") if ::File.readlines("#{new_resource.config_prefix}/sudoers").grep(/includedir/).empty?
if new_resource.template
Chef::Log.debug('Template property provided, all other properties ignored.')
declare_resource(:template, "#{target}#{new_resource.filename}") do
source new_resource.template
mode '0440'
variables new_resource.variables
verify "#{new_resource.visudo_binary} -cf %{path}" if visudo_present?
action :create
end
else
declare_resource(:template, "#{target}#{new_resource.filename}") do
source 'sudoer.erb'
cookbook 'sudo'
mode '0440'
variables sudoer: (new_resource.groups + new_resource.users).join(','),
host: new_resource.host,
runas: new_resource.runas,
nopasswd: new_resource.nopasswd,
noexec: new_resource.noexec,
commands: new_resource.commands,
command_aliases: new_resource.command_aliases,
defaults: new_resource.defaults,
setenv: new_resource.setenv,
env_keep_add: new_resource.env_keep_add,
env_keep_subtract: new_resource.env_keep_subtract
verify "#{new_resource.visudo_binary} -cf %{path}" if visudo_present?
action :create
end
end
end
action :install do
Chef::Log.warn('The sudo :install action has been renamed :create. Please update your cookbook code for the new action')
action_create
end
action :remove do
Chef::Log.warn('The sudo :remove action has been renamed :delete. Please update your cookbook code for the new action')
action_delete
end
# Removes a user from the sudoers group
action :delete do
file "#{new_resource.config_prefix}/sudoers.d/#{new_resource.filename}" do
action :delete
end
end
action_class do
# Ensure that the inputs are valid (we cannot just use the resource for this)
def validate_properties
# if group, user, env_keep_add, env_keep_subtract and template are nil, throw an exception
raise 'You must specify users, groups, env_keep_add, env_keep_subtract, or template properties!' if new_resource.users.empty? && new_resource.groups.empty? && new_resource.template.nil? && new_resource.env_keep_add.empty? && new_resource.env_keep_subtract.empty?
# if specifying user or group and template at the same time fail
raise 'You cannot specify users or groups properties and also specify a template. To use your own template pass in all template variables using the variables property.' if (!new_resource.users.empty? || !new_resource.groups.empty?) && !new_resource.template.nil?
end
def visudo_present?
return true if ::File.exist?(new_resource.visudo_binary)
Chef::Log.warn("The visudo binary cannot be found at '#{new_resource.visudo_binary}'. Skipping sudoer file validation. If visudo is on this system you can specify the path using the 'visudo_binary' property.")
end
end

18
cookbooks/sudo/templates/default/sudoer.erb
View File

@ -1,18 +0,0 @@
# This file is managed by Chef.
# Do NOT modify this file directly.
<% @command_aliases.each do |a| -%>
Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
<% @env_keep_add.each do |env_keep| -%>
Defaults env_keep += "<%= env_keep %>"
<% end -%>
<% @env_keep_subtract.each do |env_keep| -%>
Defaults env_keep -= "<%= env_keep %>"
<% end -%>
<% @commands.each do |command| -%>
<% unless @sudoer.empty? %><%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOEXEC:' if @noexec %><%= 'NOPASSWD:' if @nopasswd.to_s == 'true' %><%= 'SETENV:' if @setenv.to_s == 'true' %><%= command %><% end -%>
<% end -%>
<% unless @defaults.empty? %>
Defaults:<%= @sudoer %> <%= @defaults.join(',') %>
<% end -%>

44
cookbooks/sudo/templates/default/sudoers.erb
View File

@ -1,44 +0,0 @@
# This file is managed by Chef.
# Do NOT modify this file directly.
<% @sudoers_defaults.each do |defaults| -%>
Defaults <%= defaults %>
<% end -%>
<% if @agent_forwarding.to_s == 'true' -%>
Defaults env_keep+=SSH_AUTH_SOCK
<% end -%>
<% @env_keep_add.each do |env_keep| -%>
Defaults env_keep += "<%= env_keep %>"
<% end -%>
<% @env_keep_subtract.each do |env_keep| -%>
Defaults env_keep -= "<%= env_keep %>"
<% end -%>
# User privilege specification
root ALL=(ALL) ALL
<% @custom_commands_users.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for user <%= commands[:user] %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %><%= "SETENV:" if @setenv %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @custom_commands_groups.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for group <%= commands[:group] %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %><%= "SETENV:" if @setenv %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @command_aliases.each do |a| -%>
Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
# This is not a comment; see sudoers(5) for more information on "#include" directives
<%= "#includedir #{@config_prefix}/sudoers.d" if @include_sudoers_d.to_s == 'true' %>

33
cookbooks/sudo/templates/mac_os_x/sudoers.erb
View File

@ -1,33 +0,0 @@
# This file is managed by Chef.
# Do NOT modify this file directly.
<% @sudoers_defaults.each do |defaults| -%>
Defaults <%= defaults %>
<% end -%>
<% if @agent_forwarding.to_s == 'true' -%>
Defaults env_keep+=SSH_AUTH_SOCK
<% end -%>
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
<% @custom_commands_users.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for user <%= commands[:user] %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @custom_commands_groups.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for group <%= commands[:group] %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
<%= "#includedir #{@config_prefix}/sudoers.d" if @include_sudoers_d.to_s == 'true' %>

3
site-cookbooks/kosmos-base/metadata.rb
View File

@ -4,11 +4,10 @@ maintainer_email 'mail@kosmos.org'
license 'All rights reserved'
description 'The Kosmos base cookbook'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.1'
version '0.2.0'
depends 'apt'
depends 'users'
depends 'sudo'
depends 'kosmos-postfix'
depends 'hostname'
depends 'firewall'

11
site-cookbooks/kosmos-base/recipes/default.rb
View File

@ -30,18 +30,17 @@ unless node.chef_environment == "development"
action [:remove, :create]
end
node.override['authorization']['sudo']['sudoers_defaults'] = [
sudo "sysadmin" do
groups "sysadmin"
nopasswd true
defaults [
# not default on Ubuntu, explicitely enable. Uses a minimal white list of
# environment variables
'env_reset',
# Send emails on unauthorized attempts
'mail_badpass',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
]
include_recipe "sudo"
sudo "sysadmin" do
group "sysadmin"
nopasswd true
]
end
include_recipe 'kosmos-base::firewall'