oefenweb / ansible-sudoers
Ansible role to manage sudoers and sudoers.d in Debian-like systems
License: MIT License
Hi
Thanks for a well-crafted ansible role.
I'm having a problem when using it on Debian Jessie though. I get this error:
[Errno 2] No such file or directory
when this task is being run:
TASK [tersmitten.sudoers : update global configuration file] *******************
The problem seems to be that the ansible template module is not allowed to modify the sudoers file.
I have a similar problem with a file in the sudoers.d dir, which could be worked around by removing the file (file state: absent) just before the template task.
However, this will not work with the global file, since removing that would render any sudo command (including those from ansible) useless.
Do you have an idea on how to solve this?
Ubuntu 12.04
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Ubuntu 14.04
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Ubuntu 16.04
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Debian 7
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Debian 8
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
For security purposes, the permissions of /etc/sudoers.d should probably be set to 0750. It would be a nice addition to the role. If you agree with that, I can probably make a pull request.
From man sudoers on Ubuntu Xenial:
Defaults
Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify arguments, define a Cmnd_Alias and reference that instead.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter
...
...
Defaults entries are parsed in the following order: generic, host, user and runas Defaults first, then command defaults. If there are multiple Defaults settings of the same type, the last matching setting is used. The following Defaults settings are parsed before all others since they may affect subsequent entries: fqdn, group_plugin, runas_default, sudoers_locale.
See SUDOERS OPTIONS for a list of supported Defaults parameters.
It would be great if this role supported Host/User/Cmnd/Runas defaults as well. The current templates:
ansible-sudoers/templates/etc/sudoers.j2
Line 12 in 03a3615
make it not possible. Note that an extra space between Defaults and the special characters is not accepted by sudo (e.g. Defaults : !MY_COMMAND !requiretty is rejected by sudo as a syntax error).
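The Default_Type forms from the man page excerpt above, as an added Python example (not part of the role or of the original issue): it classifies each Defaults line by scope and reports entries where whitespace separates Defaults from the binding character. The names alice, webhost and MY_COMMAND are placeholders, and comments and line continuations are not handled.

```python
import re

# Binding characters from the Default_Type grammar in the quoted man page.
SCOPES = {"@": "host", ":": "user", "!": "command", ">": "runas"}
_DEFAULTS = re.compile(r"^\s*Defaults(?P<rest>$|[\s@:!>].*$)")


def classify_defaults(line):
    """Classify one sudoers line.

    Returns None if the line is not a Defaults entry, otherwise a tuple
    (scope, binding, parameters). Raises ValueError when whitespace
    separates 'Defaults' from '@', ':' or '>'.
    """
    m = _DEFAULTS.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    if rest[:1] in SCOPES:
        # Simplification: the binding list is taken up to the first blank.
        parts = rest[1:].split(None, 1) + ["", ""]
        return SCOPES[rest[0]], parts[0], parts[1].strip()
    params = rest.strip()
    if params[:1] in ("@", ":", ">"):
        raise ValueError("whitespace between 'Defaults' and %r" % params[0])
    # A '!' after whitespace is a negated parameter of a generic entry.
    return "generic", None, params


def lint(text):
    """Return [(line_number, message)] for every rejected Defaults line."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            classify_defaults(line)
        except ValueError as exc:
            problems.append((number, str(exc)))
    return problems


# Constructed sample; alice, webhost and MY_COMMAND are placeholder names.
SAMPLE = """\
Defaults env_reset
Defaults:alice !requiretty
Defaults@webhost mail_badpass
Defaults!MY_COMMAND !requiretty
Defaults : !MY_COMMAND !requiretty
root ALL=(ALL:ALL) ALL
"""
```

A template that emits the scope character directly after Defaults produces lines this check accepts; the rendered file should still go through visudo's own syntax check before it replaces the live one.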