chef/cookbooks/sudo/metadata.json


			
				
					
						
						
						
							
							
							{"name":"sudo","version":"3.3.1","description":"Installs sudo and configures /etc/sudoers","long_description":"# sudo cookbook\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/sudo.svg?branch=master)](http://travis-ci.org/chef-cookbooks/sudo) [![Cookbook Version](https://img.shields.io/cookbook/v/sudo.svg)](https://supermarket.chef.io/cookbooks/sudo)\n\nThe Chef `sudo` cookbook installs the `sudo` package and configures the `/etc/sudoers` file.\n\nIt also exposes an LWRP for adding and managing sudoers.\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu\n- RHEL/CentOS/Scientific/Amazon/Oracle\n- FreeBSD\n- Mac OS X\n- openSUSE / Suse\n\n### Chef\n\n- Chef 12.1+\n\n### Cookbooks\n\n- None\n\n## Attributes\n- `node['authorization']['sudo']['groups']` - groups to enable sudo access (default: `[ \"sysadmin\" ]`)\n- `node['authorization']['sudo']['users']` - users to enable sudo access (default: `[]`)\n- `node['authorization']['sudo']['passwordless']` - use passwordless sudo (default: `false`)\n- `node['authorization']['sudo']['include_sudoers_d']` - include and manage `/etc/sudoers.d` (default: `false`)\n- `node['authorization']['sudo']['agent_forwarding']` - preserve `SSH_AUTH_SOCK` when sudoing (default: `false`)\n- `node['authorization']['sudo']['sudoers_defaults']` - Array of `Defaults` entries to configure in `/etc/sudoers`\n- `node['authorization']['sudo']['setenv']` - Whether to permit preserving of environment with `sudo -E` (default: `false`)\n\n## Usage\n### Attributes\nTo use attributes for defining sudoers, set the attributes above on the node (or role) itself:\n\n```json\n{\n  \"default_attributes\": {\n    \"authorization\": {\n      \"sudo\": {\n        \"groups\": [\"admin\", \"wheel\", \"sysadmin\"],\n        \"users\": [\"jerry\", \"greg\"],\n        \"passwordless\": \"true\"\n      }\n    }\n  }\n}\n```\n\n```json\n{\n  \"default_attributes\": {\n    \"authorization\": {\n      \"sudo\": {\n        \"command_aliases\": [{\n          \"name\": \"TEST\",\n          \"command_list\": [\n            \"/usr/bin/ls\",\n            \"/usr/bin/cat\"\n          ]\n        }],\n        \"custom_commands\": {\n          \"users\": [\n            {\n              \"user\": \"test_user\",\n              \"passwordless\": true,\n              \"command_list\": [\n                \"TEST\"\n              ]\n            }\n          ],\n          \"groups\": [\n            {\n              \"group\": \"test_group\",\n              \"passwordless\": false,\n              \"command_list\": [\n                \"TEST\"\n              ]\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\n```ruby\n# roles/example.rb\ndefault_attributes(\n  \"authorization\" => {\n    \"sudo\" => {\n      \"groups\" => [\"admin\", \"wheel\", \"sysadmin\"],\n      \"users\" => [\"jerry\", \"greg\"],\n      \"passwordless\" => true\n    }\n  }\n)\n```\n\n**Note that the template for the sudoers file has the group \"sysadmin\" with ALL:ALL permission, though the group by default does not exist.**\n\n### Sudoers Defaults\nConfigure a node attribute, `node['authorization']['sudo']['sudoers_defaults']` as an array of `Defaults` entries to configure in `/etc/sudoers`. A list of examples for common platforms is listed below:\n\n_Debian_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']\n```\n\n_Ubuntu 10.04_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']\n```\n\n_Ubuntu 12.04_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n  'env_reset',\n  'secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'\n]\n```\n\n_FreeBSD_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n  'env_reset',\n  'secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"'\n]\n```\n\n_RHEL family 5.x_ The version of sudo in RHEL 5 may not support `+=`, as used in `env_keep`, so its a single string.\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n  '!visiblepw',\n  'env_reset',\n  'env_keep = \"COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \\\n               LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \\\n               LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \\\n               LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \\\n               LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \\\n               _XKB_CHARSET XAUTHORITY\"'\n]\n```\n\n_RHEL family 6.x_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n  '!visiblepw',\n  'env_reset',\n  'env_keep =  \"COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS\"',\n  'env_keep += \"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\"',\n  'env_keep += \"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"',\n  'env_keep += \"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\"',\n  'env_keep += \"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\"',\n  'env_keep += \"HOME\"',\n  'always_set_home',\n  'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'\n]\n```\n\n_Mac OS X_\n\n```ruby\nnode.default['authorization']['sudo']['sudoers_defaults'] = [\n  'env_reset',\n  'env_keep += \"BLOCKSIZE\"',\n  'env_keep += \"COLORFGBG COLORTERM\"',\n  'env_keep += \"__CF_USER_TEXT_ENCODING\"',\n  'env_keep += \"CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE\"',\n  'env_keep += \"LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME\"',\n  'env_keep += \"LINES COLUMNS\"',\n  'env_keep += \"LSCOLORS\"',\n  'env_keep += \"TZ\"',\n  'env_keep += \"DISPLAY XAUTHORIZATION XAUTHORITY\"',\n  'env_keep += \"EDITOR VISUAL\"',\n  'env_keep += \"HOME MAIL\"'\n]\n```\n\n### LWRP\n**Note** Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the \"#includedir\" directive introduced in version 1.7.2. The recipe does not enforce installing the version. To use this LWRP, set `node['authorization']['sudo']['include_sudoers_d']` to `true`.\n\nThere are two ways for rendering a sudoer-fragment using this LWRP:\n1. Using the built-in template\n2. Using a custom, cookbook-level template\n\nBoth methods will create the `/etc/sudoers.d/#{resourcename}` file with the correct permissions.\n\nThe LWRP also performs **fragment validation**. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).\n\nExample using the built-in template:\n\n```ruby\nsudo 'tomcat' do\n  user      \"%tomcat\"    # or a username\n  runas     'app_user'   # or 'app_user:tomcat'\n  commands  ['/etc/init.d/tomcat restart']\nend\n```\n\n```ruby\nsudo 'tomcat' do\n  template    'my_tomcat.erb' # local cookbook template\n  variables   :cmds => ['/etc/init.d/tomcat restart']\nend\n```\n\nIn either case, the following file would be generated in `/etc/sudoers.d/tomcat`\n\n```bash\n# This file is managed by Chef for node.example.com\n# Do NOT modify this file directly.\n\n%tomcat ALL=(app_user) /etc/init.d/tomcat restart\n```\n\n#### LWRP Attributes\n<table>\n  <thead>\n    <tr>\n      <th>Attribute</th>\n      <th>Description</th>\n      <th>Example</th>\n      <th>Default</th>\n    </tr>\n  </thead>\n\n  <tbody>\n    <tr>\n      <td>name</td>\n      <td>name of the `/etc/sudoers.d` file</td>\n      <td><tt>restart-tomcat</tt></td>\n      <td>current resource name</td>\n    </tr>\n    <tr>\n      <td>commands</td>\n      <td>array of commands this sudoer can execute</td>\n      <td><tt>['/etc/init.d/tomcat restart']</tt></td>\n      <td><tt>['ALL']</tt></td>\n    </tr>\n    <tr>\n      <td>group</td>\n      <td>group to provide sudo privileges to, except `%` is prepended to the name in\ncase it is not already</td>\n      <td><tt>%admin</tt></td>\n      <td></td>\n    </tr>\n    <tr>\n      <td>nopasswd</td>\n      <td>supply a password to invoke sudo</td>\n      <td><tt>true</tt></td>\n      <td><tt>false</tt></td>\n    </tr>\n    <tr>\n      <td>noexec</td>\n      <td>prevents commands from shelling out</td>\n      <td><tt>true</tt></td>\n      <td><tt>false</tt></td>\n    </tr>\n    <tr>\n      <td>runas</td>\n      <td>User the command(s) can be run as</td>\n      <td><tt>root</tt></td>\n      <td><tt>ALL</tt></td>\n    </tr>\n    <tr>\n      <td>template</td>\n      <td>the erb template to render instead of the default</td>\n      <td><tt>restart-tomcat.erb</tt></td>\n      <td></td>\n    </tr>\n    <tr>\n      <td>user</td>\n      <td>user to provide sudo privileges to</td>\n      <td><tt>tomcat</tt></td>\n      <td></td>\n    </tr>\n    <tr>\n      <td>defaults</td>\n      <td>array of defaults this user has</td>\n      <td><tt>['!requiretty','env_reset']</tt></td>\n      <td></td>\n    </tr>\n    <tr>\n      <td>setenv</td>\n      <td>whether to permit the preserving of environment with `sudo -E`</td>\n      <td><tt>true</tt></td>\n      <td><tt><false></tt></td>\n    </tr>\n    <tr>\n      <td>env_keep_add</td>\n      <td>array of strings to add to env_keep</td>\n      <td><tt>['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']</tt></td>\n      <td></td>\n    </tr>\n    <tr>\n      <td>env_keep_subtract</td>\n      <td>array of strings to remove from env_keep</td>\n      <td><tt>['DISPLAY', 'MY_SECURE_ENV_VAR']</tt></td>\n      <td></td>\n    </tr>\n    <tr>\n      <td>variables</td>\n      <td>the variables to pass to the custom template</td>\n      <td><tt>:commands => ['/etc/init.d/tomcat restart']</tt></td>\n      <td></td>\n    </tr>\n  </tbody>\n</table>\n\n**If you use the template attribute, all other attributes will be ignored except for the variables attribute.**\n\n## Development\nThis section details \"quick development\" steps. For a detailed explanation, see [[Contributing.md]].\n- Clone this repository from GitHub:\n\n  ```\n   $ git clone git@github.com:chef-cookbooks/sudo.git\n  ```\n\n- Create a git branch\n\n  ```\n   $ git checkout -b my_bug_fix\n  ```\n\n- Install dependencies:\n\n  ```\n   $ bundle install\n  ```\n\n- Make your changes/patches/fixes, committing appropiately\n- **Write tests**\n- Run the tests:\n  - `bundle exec foodcritic -f any .`\n  - `bundle exec rspec`\n  - `bundle exec rubocop`\n  - `bundle exec kitchen test`\n\n    In detail:\n\n  - Foodcritic will catch any Chef-specific style errors\n  - RSpec will run the unit tests\n  - Rubocop will check for Ruby-specific style errors\n  - Test Kitchen will run and converge the recipes\n\n## License & Authors\n**Author:** Bryan W. Berry [bryan.berry@gmail.com](mailto:bryan.berry@gmail.com)\n\n**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))\n\n**Copyright:** 2008-2016, Chef Software, Inc.\n\n```\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache 2.0","platforms":{"redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","freebsd":">= 0.0.0","mac_os_x":">= 0.0.0","oracle":">= 0.0.0","scientific":">= 0.0.0","zlinux":">= 0.0.0","suse":">= 0.0.0","opensuse":">= 0.0.0","opensuseleap":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{"sudo":"Installs sudo and configures /etc/sudoers"}}
						
						
					
				
				
					
						Reference in New Issue
					
					View Git Blame
					Copy Permalink