[Lsb-messages] /var/www/bzr/lsb/devel/puppet-lsb r31: Add sudo module.
Jeff Licquia
licquia at linuxfoundation.org
Sun Jan 22 22:09:53 UTC 2012
------------------------------------------------------------
revno: 31
committer: Jeff Licquia <licquia at linuxfoundation.org>
branch nick: puppet-lsb
timestamp: Sun 2012-01-22 17:09:53 -0500
message:
Add sudo module.
added:
modules/sudo/
modules/sudo/files/
modules/sudo/files/sudoers/
modules/sudo/files/sudoers/default-fedora
modules/sudo/files/sudoers/default-sles11
modules/sudo/files/sudoers/lsb1.linux-foundation.org
modules/sudo/manifests/
modules/sudo/manifests/init.pp
modified:
manifests/nodes/lsb1.pp
manifests/nodes/pmman-test.pp
-------------- next part --------------
=== modified file 'manifests/nodes/lsb1.pp'
--- a/manifests/nodes/lsb1.pp 2012-01-22 19:07:47 +0000
+++ b/manifests/nodes/lsb1.pp 2012-01-22 22:09:53 +0000
@@ -1,5 +1,7 @@
node 'lsb1.linux-foundation.org' {
+ include sudo
+
include puppet::server
include apachehttpd, apachehttpd::vhosts, apachehttpd::betaspecs
=== modified file 'manifests/nodes/pmman-test.pp'
--- a/manifests/nodes/pmman-test.pp 2012-01-22 19:07:47 +0000
+++ b/manifests/nodes/pmman-test.pp 2012-01-22 22:09:53 +0000
@@ -1,6 +1,8 @@
# Test VM on Russ Herrold's network.
node 'vm178231179.pmman.net' {
+ include sudo
+
include puppet
}
=== added directory 'modules/sudo'
=== added directory 'modules/sudo/files'
=== added directory 'modules/sudo/files/sudoers'
=== added file 'modules/sudo/files/sudoers/default-fedora'
--- a/modules/sudo/files/sudoers/default-fedora 1970-01-01 00:00:00 +0000
+++ b/modules/sudo/files/sudoers/default-fedora 2012-01-22 22:09:53 +0000
@@ -0,0 +1,98 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
+# You have to run "ssh -t hostname sudo <cmd>".
+#
+Defaults requiretty
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## user MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+lfadmin ALL=(ALL) ALL
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
=== added file 'modules/sudo/files/sudoers/default-sles11'
--- a/modules/sudo/files/sudoers/default-sles11 1970-01-01 00:00:00 +0000
+++ b/modules/sudo/files/sudoers/default-sles11 2012-01-22 22:09:53 +0000
@@ -0,0 +1,42 @@
+# sudoers file.
+#
+# This file MUST be edited with the 'visudo' command as root.
+# Failure to use 'visudo' may result in syntax or file permission errors
+# that prevent sudo from running.
+#
+# See the sudoers man page for the details on how to write a sudoers file.
+#
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults specification
+
+# Prevent environment variables from influencing programs in an
+# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+# Change env_reset to !env_reset in previous line to keep all environment variables
+# Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+# Comment out the preceding line and uncomment the following one if you need
+# to use special input methods. This may allow users to compromise the root
+# account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+# In the default (unconfigured) configuration, sudo asks for the root password.
+# This allows use of an ordinary user account for administration of a freshly
+# installed system. When configuring sudo, delete the two
+# following lines:
+#Defaults targetpw
+#ALL ALL = (ALL) ALL
+
+# Runas alias specification
+
+# User privilege specification
+root ALL = (ALL) ALL
+lfadmin ALL = (ALL) ALL
=== added file 'modules/sudo/files/sudoers/lsb1.linux-foundation.org'
--- a/modules/sudo/files/sudoers/lsb1.linux-foundation.org 1970-01-01 00:00:00 +0000
+++ b/modules/sudo/files/sudoers/lsb1.linux-foundation.org 2012-01-22 22:09:53 +0000
@@ -0,0 +1,42 @@
+# sudoers file.
+#
+# This file MUST be edited with the 'visudo' command as root.
+# Failure to use 'visudo' may result in syntax or file permission errors
+# that prevent sudo from running.
+#
+# See the sudoers man page for the details on how to write a sudoers file.
+#
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults specification
+
+# Prevent environment variables from influencing programs in an
+# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+# Change env_reset to !env_reset in previous line to keep all environment variables
+# Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+# Comment out the preceding line and uncomment the following one if you need
+# to use special input methods. This may allow users to compromise the root
+# account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+# In the default (unconfigured) configuration, sudo asks for the root password.
+# This allows use of an ordinary user account for administration of a freshly
+# installed system. When configuring sudo, delete the two
+# following lines:
+#Defaults targetpw
+#ALL ALL = (ALL) ALL
+
+# Runas alias specification
+
+# User privilege specification
+root ALL = (ALL) ALL
+lfadmin ALL = (ALL) ALL
=== added directory 'modules/sudo/manifests'
=== added file 'modules/sudo/manifests/init.pp'
--- a/modules/sudo/manifests/init.pp 1970-01-01 00:00:00 +0000
+++ b/modules/sudo/manifests/init.pp 2012-01-22 22:09:53 +0000
@@ -0,0 +1,21 @@
+class sudo {
+
+ $osdefault = "$operatingsystem-$operatingsystemrelease" ? {
+ /^(CentOS|RedHat)-5\.[0-9]+$/ => 'default-el5',
+ /^(CentOS|RedHat)-6(\.[0-9]+)?$/ => 'default-el6',
+ /^Fedora-1[5-9]$/ => 'default-fedora',
+ /^SLES-11\.?[0-9]*$/ => 'default-sles11',
+ }
+
+ package { sudo: ensure => latest }
+
+ file { "/etc/sudoers":
+ owner => root,
+ group => root,
+ mode => 0440,
+ source => [ "puppet:///modules/sudo/sudoers/$fqdn",
+ "puppet:///modules/sudo/sudoers/default-$osdefault" ],
+ require => Package["sudo"],
+ }
+
+}
More information about the lsb-messages
mailing list