Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

The sudo cookbook has been deprecated

Author provided reason for deprecation:

The sudo cookbook has been deprecated and is no longer being maintained by its authors. Use of the sudo cookbook is no longer recommended.

RSS

sudo (57) Versions 2.7.1

Installs sudo and configures /etc/sudoers

Policyfile
Berkshelf
Knife
cookbook 'sudo', '= 2.7.1', :supermarket
cookbook 'sudo', '= 2.7.1'
knife supermarket install sudo
knife supermarket download sudo
README
Dependencies
Changelog
Quality 100%

sudo cookbook

Build Status

The Chef sudo cookbook installs the sudo package and configures the /etc/sudoers file.

It also exposes an LWRP for adding and managing sudoers.

Requirements

The platform has a package named sudo and the sudoers file is /etc/sudoers.

Attributes

  • node['authorization']['sudo']['groups'] - groups to enable sudo access (default: [ "sysadmin" ])
  • node['authorization']['sudo']['users'] - users to enable sudo access (default: [])
  • node['authorization']['sudo']['passwordless'] - use passwordless sudo (default: false)
  • node['authorization']['sudo']['include_sudoers_d'] - include and manager /etc/sudoers.d (default: false)
  • node['authorization']['sudo']['agent_forwarding'] - preserve SSH_AUTH_SOCK when sudoing (default: false)
  • node['authorization']['sudo']['sudoers_defaults'] - Array of Defaults entries to configure in /etc/sudoers

Usage

Attributes

To use attributes for defining sudoers, set the attributes above on the node (or role) itself:

{
  "default_attributes": {
    "authorization": {
      "sudo": {
        "groups": ["admin", "wheel", "sysadmin"],
        "users": ["jerry", "greg"],
        "passwordless": "true"
      }
    }
  }
}
# roles/example.rb
default_attributes(
  "authorization" => {
    "sudo" => {
      "groups" => ["admin", "wheel", "sysadmin"],
      "users" => ["jerry", "greg"],
      "passwordless" => true
    }
  }
)

Note that the template for the sudoers file has the group "sysadmin" with ALL:ALL permission, though the group by default does not exist.

Sudoers Defaults

Configure a node attribute,
node['authorization']['sudo']['sudoers_defaults'] as an array of
Defaults entries to configure in /etc/sudoers. A list of examples
for common platforms is listed below:

Debian
ruby
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']

Ubuntu 10.04
ruby
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']

Ubuntu 12.04
ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
]

FreeBSD
ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
]

RHEL family 5.x
The version of sudo in RHEL 5 may not support +=, as used in env_keep, so its a single string.

node.default['authorization']['sudo']['sudoers_defaults'] = [
  '!visiblepw',
  'env_reset',
  'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
               LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
               LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
               LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
               LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
               _XKB_CHARSET XAUTHORITY"'
]

RHEL family 6.x
ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'!visiblepw',
'env_reset',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"',
'env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"',
'env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"',
'env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"',
'env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"',
'env_keep += "HOME"',
'always_set_home',
'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'
]

Mac OS X
ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
'env_keep += "BLOCKSIZE"',
'env_keep += "COLORFGBG COLORTERM"',
'env_keep += "__CF_USER_TEXT_ENCODING"',
'env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"',
'env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"',
'env_keep += "LINES COLUMNS"',
'env_keep += "LSCOLORS"',
'env_keep += "TZ"',
'env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"',
'env_keep += "EDITOR VISUAL"',
'env_keep += "HOME MAIL"'
]

LWRP

Note Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the "#includedir" directive introduced in version 1.7.2. The recipe does not enforce installing the version. To use this LWRP, set node['authorization']['sudo']['include_sudoers_d'] to true.

There are two ways for rendering a sudoer-fragment using this LWRP:

  1. Using the built-in template
  2. Using a custom, cookbook-level template

Both methods will create the /etc/sudoers.d/#{username} file with the correct permissions.

The LWRP also performs fragment validation. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).

Example using the built-in template:

sudo 'tomcat' do
  user      "%tomcat"    # or a username
  runas     'app_user'   # or 'app_user:tomcat'
  commands  ['/etc/init.d/tomcat restart']
end
sudo 'tomcat' do
  template    'my_tomcat.erb' # local cookbook template
  variables   :cmds => ['/etc/init.d/tomcat restart']
end

In either case, the following file would be generated in /etc/sudoers.d/tomcat

# This file is managed by Chef for node.example.com
# Do NOT modify this file directly.

%tomcat ALL=(app_user) /etc/init.d/tomcat restart
LWRP Attributes

<table>
<thead>
<tr>
<th>Attribute</th>
<th>Description</th>
<th>Example</th>
<th>Default</th>
</tr>
</thead>

<tbody>
<tr>
<td>name</td>
<td>name of the /etc/sudoers.d file</td>
<td><tt>restart-tomcat</tt></td>
<td>current resource name</td>
</tr>
<tr>
<td>commands</td>
<td>array of commands this sudoer can execute</td>
<td><tt>['/etc/init.d/tomcat restart']</tt></td>
<td><tt>['ALL']</tt></td>
</tr>
<tr>
<td>group</td>
<td>group to provide sudo privileges to, except % is prepended to the name in
case it is not already</td>
<td><tt>%admin</tt></td>
<td></td>
</tr>
<tr>
<td>nopasswd</td>
<td>supply a password to invoke sudo</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>runas</td>
<td>User the command(s) can be run as</td>
<td><tt>root</tt></td>
<td><tt>ALL</tt></td>
</tr>
<tr>
<td>template</td>
<td>the erb template to render instead of the default</td>
<td><tt>restart-tomcat.erb</tt></td>
<td></td>
</tr>
<tr>
<td>user</td>
<td>user to provide sudo privileges to</td>
<td><tt>tomcat</tt></td>
<td></td>
</tr>
<tr>
<td>defaults</td>
<td>array of defaults this user has</td>
<td><tt>['!requiretty','env_reset']</tt></td>
<td></td>
</tr>
<tr>
<td>variables</td>
<td>the variables to pass to the custom template</td>
<td><tt>:commands => ['/etc/init.d/tomcat restart']</tt></td>
<td></td>
</tr>
</tbody>
</table>

If you use the template attribute, all other attributes will be ignored except for the variables attribute.

Development

This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].

  1. Clone this repository from GitHub:

    $ git clone git@github.com:opscode-cookbooks/sudo.git
    
  2. Create a git branch

    $ git checkout -b my_bug_fix
    
  3. Install dependencies:

    $ bundle install
    
  4. Make your changes/patches/fixes, committing appropiately

  5. Write tests

  6. Run the tests:

    • bundle exec foodcritic -f any .
    • bundle exec rspec
    • bundle exec rubocop
    • bundle exec kitchen test

    In detail:
    - Foodcritic will catch any Chef-specific style errors
    - RSpec will run the unit tests
    - Rubocop will check for Ruby-specific style errors
    - Test Kitchen will run and converge the recipes

License and Authors

Copyright 2009-2012, Opscode, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

ad-auth Applicable Versions
ad-likewise Applicable Versions
admin-user Applicable Versions
aegir Applicable Versions
alfresco-transformations Applicable Versions
ama-linux-user-management Applicable Versions
amoeba_basenode Applicable Versions
appbox Applicable Versions
backuppc-client Applicable Versions
backuppc-server Applicable Versions
base_install Applicable Versions
cafe-core Applicable Versions
cassandra-priam Applicable Versions
chef-manageiq Applicable Versions
chef_rvm Applicable Versions
cloudera-manager Applicable Versions
cloudstack Applicable Versions
cobbpass Applicable Versions
common_auth Applicable Versions
crenv Applicable Versions
ctfhooks Applicable Versions
deis Applicable Versions
deployer Applicable Versions
devstack Applicable Versions
dokku Applicable Versions
dotnet-core Applicable Versions
enstratius_agent_proxy Applicable Versions
et_haproxy Applicable Versions
foreflight_build_agent Applicable Versions
github_users Applicable Versions
gitlab Applicable Versions
gitlabhq Applicable Versions
iptables_web Applicable Versions
kagent Applicable Versions
likewise Applicable Versions
magentostack Applicable Versions
minecraft Applicable Versions
monitor Applicable Versions
mw_server_base Applicable Versions
mysql-mha Applicable Versions
nodestack Applicable Versions
opsworks_ruby Applicable Versions
paramount Applicable Versions
pipeline Applicable Versions
platformstack Applicable Versions
rack_user Applicable Versions
rackconnect Applicable Versions
rackops_rolebook Applicable Versions
rackspace_support Applicable Versions
rackspace_users Applicable Versions
rdiff-backup Applicable Versions
ruby_rvm Applicable Versions
rundeck Applicable Versions
rundeck-node Applicable Versions
spacewalk-server Applicable Versions
stackstorm Applicable Versions
sudo_rules Applicable Versions
system_users Applicable Versions
tfchefint Applicable Versions
ut_base Applicable Versions
vslinko Applicable Versions
vsts_agent_macos Applicable Versions
zabbix_ng Applicable Versions

v2.7.1 (2014-09-18)

  • [#53] - removed doublespace from sudoer.erb template

v2.7.0 (2014-08-08)

  • [#44] Add basic ChefSpec matchers

v2.6.0 (2014-05-15)

  • [COOK-4612] Add support for the command alias (Cmnd_Alias) directive
  • [COOK-4637] - handle duplicate resources in LWRP

v2.5.2 (2014-02-27)

Bumping version for toolchain sanity

v2.5.0 (2014-02-27)

Bumping to 2.5.0

v2.4.2 (2014-02-27)

[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb

v2.4.0 (2014-02-18)

Bug

  • COOK-4225 - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true

Improvement

  • COOK-4014 - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
  • COOK-3643 - FreeBSD support for sudo cookbook

New Feature

  • COOK-3409 - enhance sudo lwrp's default template to allow defining default user parameters

v2.3.0

Improvement

  • COOK-3843 - Make cookbook 'sudo' compatible with Mac OS X

v2.2.2

Improvement

  • COOK-3653 - Change template attribute to kind_of String
  • COOK-3572 - Add Test Kitchen, Specs, and Travis CI

Bug

  • COOK-3610 - Document "Runas" attribute not described in the LWRP Attributes section
  • COOK-3431 - Validate correctly with visudo

v2.2.0

New Feature

  • COOK-3056 - Allow custom sudoers config prefix

v2.1.4

This is a bugfix for 11.6.0 compatibility, as we're not monkey-patching Erubis::Context.

Bug

  • [COOK-3399]: Remove node attribute in comment of sudoers templates

v2.1.2

Bug

  • [COOK-2388]: Chef::ShellOut is deprecated, please use Mixlib::ShellOut
  • [COOK-2814]: Incorrect syntax in README example

v2.1.0

  • [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
  • [COOK-2427] - unable to install users cookbook in chef 11
  • [COOK-2814] - Incorrect syntax in README example

v2.0.4

  • [COOK-2078] - syntax highlighting README on GitHub flavored markdown
  • [COOK-2119] - LWRP template doesn't support multiple commands in a single block.

v2.0.2

  • [COOK-2109] - lwrp uses incorrect action on underlying file resource.

v2.0.0

This is a major release because the LWRP's "nopasswd" attribute is changed from true to false, to match the passwordless attribute in the attributes file. This requires a change to people's LWRP use.

  • [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute

v1.3.0

  • [COOK-1892] - Revamp sudo cookbook and LWRP
  • [COOK-2022] - add an attribute for setting /etc/sudoers Defaults

v1.2.2

  • [COOK-1628] - set host in sudo lwrp

v1.2.0

  • [COOK-1314] - default package action is now :install instead of :upgrade
  • [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute

v1.1.0

  • [COOK-350] - LWRP to manage sudo files via includedir (/etc/sudoers.d)

v1.0.2

  • [COOK-903] - freebsd support

Foodcritic Metric
            

2.7.1 passed this metric