kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity
chef/cookbooks/sudo/metadata.json
Greg Karékinian 157ccdc8b7 Update nodejs, sudo and users cookbooks
2018-04-17 13:18:09 +02:00

1 line
13 KiB
JSON
Raw Blame History

{"name":"sudo","version":"5.3.3","description":"Installs sudo and configures /etc/sudoers","long_description":"# sudo cookbook\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/sudo.svg?branch=master)](http://travis-ci.org/chef-cookbooks/sudo) [![Cookbook Version](https://img.shields.io/cookbook/v/sudo.svg)](https://supermarket.chef.io/cookbooks/sudo)\n\nThe default recipe configures the `/etc/sudoers` file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu\n- RHEL/CentOS/Scientific/Amazon/Oracle\n- Amazon Linux\n- FreeBSD\n- macOS\n- openSUSE / SUSE Enterprise\n\n### Chef\n\n- Chef 12.21.3+\n\n### Cookbooks\n\n- None\n\n## Resource\n\nUse the sudo resource to add or remove individual sudo entries using sudoers.d files.\n\n**Note** Sudo version 1.7.2 or newer is required to use the sudo resource as it relies on the \"#includedir\" directive introduced in version 1.7.2\\. The resource does not enforce installing the version. Supported releases of Ubuntu, Debian and RHEL (6+) all support this feature.\n\n### Actions\n\n- `:create` - Create a sudoers config\n- `:delete` - Delete a sudoers config\n\n### Properties\n\nProperty | Description | Example Value | Default Value\n------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ---------------\n`filename` | name of the `/etc/sudoers.d` file | restart-tomcat | resource's name\n`commands` | array of commands this sudoer can execute | ['/etc/init.d/tomcat restart'] | ['ALL']\n`groups` | group(s) to provide sudo privileges to. This accepts either an array or a comma separated list. Leading % on group names is optional. This property was named 'group' prior to the 5.1 cookbook release. | %admin,superadmin | []\n`nopasswd` | allow running sudo without specifying a password sudo | true | false\n`noexec` | prevents commands from shelling out | true | false\n`runas` | User the command(s) can be run as | root | ALL\n`template` | the erb template to render instead of the default | restart-tomcat.erb |\n`users` | user(s) to provide sudo privileges to. This accepts either an array or a comma separated. This property was named 'user' prior to the 5.1 cookbook release. list. | [tomcat, webapp] | []\n`defaults` | array of defaults this user has | ['!requiretty','env_reset'] |\n`setenv` | whether to permit the preserving of environment with `sudo -E` | true | false\n`env_keep_add` | array of strings to add to env_keep | ['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR'] |\n`env_keep_subtract` | array of strings to remove from env_keep | ['DISPLAY', 'MY_SECURE_ENV_VAR'] |\n`variables` | the variables to pass to the custom template. Ignored if not using a custom template. | commands: ['/etc/init.d/tomcat restart'] |\n\n**If you use the template property, all other properties will be ignored except for the variables property.**\n\n### Examples\n\n#### user bob sudo privileges for any command\n\n```ruby\nsudo 'bob' do\n user 'bob'\nend\n```\n\n#### group sysadmin passwordless sudo privileges for any command\n\n```ruby\nsudo \"sysadmin\" do\n group \"sysadmin\"\n nopasswd true\nend\n```\n\n#### group sysadmin/superadmin and user bob passwordless sudo privileges for any command\n\n```ruby\nsudo \"sysadmin\" do\n group ['sysadmin', 'superadmin']\n user \"bob\"\n nopasswd true\nend\n```\n\n### Built-In vs. Provided Templates\n\nThe resource provides two methods for templating the sudoers config files:\n\n1. Using the built-in template\n2. Using a custom, cookbook-level template\n\nBoth methods will create the `/etc/sudoers.d/#{resourcename}` files with the correct permissions.\n\nThe resource also performs **fragment validation**. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).\n\n#### Using the Built-in Template\n\n```ruby\nsudo 'tomcat' do\n user '%tomcat' # or a username\n runas 'app_user' # or 'app_user:tomcat'\n commands ['/etc/init.d/tomcat restart']\nend\n```\n\n#### Specifying Your Own Template\n\n```ruby\nsudo 'tomcat' do\n template 'my_tomcat.erb' # local cookbook template\n variables cmds: ['/etc/init.d/tomcat restart']\nend\n```\n\nIn either case, the following file would be generated in `/etc/sudoers.d/tomcat`\n\n```bash\n# This file is managed by Chef for node.example.com\n# Do NOT modify this file directly.\n\n%tomcat ALL=(app_user) /etc/init.d/tomcat restart\n```\n\n## Usage\n\nWe highly recommend using the sudo resource to define individual sudo entries, but this cookbook also ships with a recipe that can be included on a run_list and controlled using attributes.\n\n### Attributes\n\n- `node['authorization']['sudo']['groups']` - groups to enable sudo access (default: `[]`)\n- `node['authorization']['sudo']['users']` - users to enable sudo access (default: `[]`)\n- `node['authorization']['sudo']['passwordless']` - use passwordless sudo (default: `false`)\n- `node['authorization']['sudo']['include_sudoers_d']` - include and manage `/etc/sudoers.d` (default: `true` on Linux systems. Note: older / EOL distros do not support this feature)\n- `node['authorization']['sudo']['agent_forwarding']` - preserve `SSH_AUTH_SOCK` when sudoing (default: `false`)\n- `node['authorization']['sudo']['sudoers_defaults']` - Array of `Defaults` entries to configure in `/etc/sudoers`\n- `node['authorization']['sudo']['setenv']` - Whether to permit preserving of environment with `sudo -E` (default: `false`)\n\n### Using the Attributes\n\nTo use attributes for defining sudoers, set the attributes above on the node (or role) itself:\n\n```json\n{\n \"default_attributes\": {\n \"authorization\": {\n \"sudo\": {\n \"groups\": [\"admin\", \"wheel\", \"sysadmin\"],\n \"users\": [\"jerry\", \"greg\"],\n \"passwordless\": \"true\"\n }\n }\n }\n}\n```\n\n```json\n{\n \"default_attributes\": {\n \"authorization\": {\n \"sudo\": {\n \"command_aliases\": [{\n \"name\": \"TEST\",\n \"command_list\": [\n \"/usr/bin/ls\",\n \"/usr/bin/cat\"\n ]\n }],\n \"custom_commands\": {\n \"users\": [\n {\n \"user\": \"test_user\",\n \"passwordless\": true,\n \"command_list\": [\n \"TEST\"\n ]\n }\n ],\n \"groups\": [\n {\n \"group\": \"test_group\",\n \"passwordless\": false,\n \"command_list\": [\n \"TEST\"\n ]\n }\n ]\n }\n }\n }\n }\n}\n```\n\n```ruby\n# roles/example.rb\ndefault_attributes(\n \"authorization\" => {\n \"sudo\" => {\n \"groups\" => [\"admin\", \"wheel\", \"sysadmin\"],\n \"users\" => [\"jerry\", \"greg\"],\n \"passwordless\" => true\n }\n }\n)\n```\n\n**Note that the template for the sudoers file has the group \"sysadmin\" with ALL:ALL permission, though the group by default does not exist.**\n\n### Sudoers Defaults\n\nConfigure a node attribute, `node['authorization']['sudo']['sudoers_defaults']` as an array of `Defaults` entries to configure in `/etc/sudoers`. A list of examples for common platforms is listed below:\n\n_Debian_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']\n```\n\n_Ubuntu_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n 'env_reset',\n 'secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'\n]\n```\n\n_FreeBSD_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n 'env_reset',\n 'secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'\n]\n```\n\n_RHEL family 6.x_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n '!visiblepw',\n 'env_reset',\n 'env_keep = \"COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS\"',\n 'env_keep += \"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\"',\n 'env_keep += \"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"',\n 'env_keep += \"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\"',\n 'env_keep += \"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\"',\n 'env_keep += \"HOME\"',\n 'always_set_home',\n 'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'\n]\n```\n\n_Mac OS X_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n 'env_reset',\n 'env_keep += \"BLOCKSIZE\"',\n 'env_keep += \"COLORFGBG COLORTERM\"',\n 'env_keep += \"__CF_USER_TEXT_ENCODING\"',\n 'env_keep += \"CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE\"',\n 'env_keep += \"LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME\"',\n 'env_keep += \"LINES COLUMNS\"',\n 'env_keep += \"LSCOLORS\"',\n 'env_keep += \"TZ\"',\n 'env_keep += \"DISPLAY XAUTHORIZATION XAUTHORITY\"',\n 'env_keep += \"EDITOR VISUAL\"',\n 'env_keep += \"HOME MAIL\"'\n]\n```\n\n## Maintainers\n\nThis cookbook is maintained by Chef's Community Cookbook Engineering team. Our goal is to improve cookbook quality and to aid the community in contributing to cookbooks. To learn more about our team, process, and design goals see our [team documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/COOKBOOK_TEAM.MD). To learn more about contributing to cookbooks like this see our [contributing documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD), or if you have general questions about this cookbook come chat with us in #cookbok-engineering on the [Chef Community Slack](http://community-slack.chef.io/)\n\n## License\n\n**Copyright:** 2008-2018, Chef Software, Inc.\n\n```\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"amazon":">= 0.0.0","redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","freebsd":">= 0.0.0","mac_os_x":">= 0.0.0","oracle":">= 0.0.0","scientific":">= 0.0.0","zlinux":">= 0.0.0","suse":">= 0.0.0","opensuse":">= 0.0.0","opensuseleap":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{"sudo":"Installs sudo and configures /etc/sudoers"},"source_url":"https://github.com/chef-cookbooks/sudo","issues_url":"https://github.com/chef-cookbooks/sudo/issues","chef_version":[[">= 12.21.3"]],"ohai_version":[]}
Reference in New Issue View Git Blame Copy Permalink