cookbook 'sudo', '= 3.2.0'
The sudo cookbook has been deprecated
Author provided reason for deprecation:
The sudo cookbook has been deprecated and is no longer being maintained by its authors. Use of the sudo cookbook is no longer recommended.
sudo
(57) Versions
3.2.0
-
-
5.4.7
-
5.4.6
-
5.4.5
-
5.4.4
-
5.4.3
-
5.4.2
-
5.4.1
-
5.4.0
-
5.3.3
-
5.3.2
-
5.3.1
-
5.3.0
-
5.2.0
-
5.1.0
-
5.0.0
-
4.0.1
-
4.0.0
-
3.5.3
-
3.5.2
-
3.5.1
-
3.5.0
-
3.4.0
-
3.3.1
-
3.3.0
-
3.2.0
-
3.1.0
-
3.0.0
-
2.11.0
-
2.10.0
-
2.9.0
-
2.8.0
-
2.7.2
-
2.7.1
-
2.7.0
-
2.6.0
-
2.5.2
-
2.5.0
-
2.4.2
-
2.4.0
-
2.3.0
-
2.2.2
-
2.2.0
-
2.1.4
-
2.1.2
-
2.1.0
-
2.0.4
-
2.0.2
-
2.0.0
-
1.3.0
-
1.2.2
-
1.2.0
-
1.1.0
-
1.0.2
-
1.0.0
-
0.9.1
-
0.9.0
-
0.7.0
Follow263
- 5.4.7
- 5.4.6
- 5.4.5
- 5.4.4
- 5.4.3
- 5.4.2
- 5.4.1
- 5.4.0
- 5.3.3
- 5.3.2
- 5.3.1
- 5.3.0
- 5.2.0
- 5.1.0
- 5.0.0
- 4.0.1
- 4.0.0
- 3.5.3
- 3.5.2
- 3.5.1
- 3.5.0
- 3.4.0
- 3.3.1
- 3.3.0
- 3.2.0
- 3.1.0
- 3.0.0
- 2.11.0
- 2.10.0
- 2.9.0
- 2.8.0
- 2.7.2
- 2.7.1
- 2.7.0
- 2.6.0
- 2.5.2
- 2.5.0
- 2.4.2
- 2.4.0
- 2.3.0
- 2.2.2
- 2.2.0
- 2.1.4
- 2.1.2
- 2.1.0
- 2.0.4
- 2.0.2
- 2.0.0
- 1.3.0
- 1.2.2
- 1.2.0
- 1.1.0
- 1.0.2
- 1.0.0
- 0.9.1
- 0.9.0
- 0.7.0
Installs sudo and configures /etc/sudoers
cookbook 'sudo', '= 3.2.0', :supermarket
knife supermarket install sudo
knife supermarket download sudo
sudo cookbook
The Chef sudo
cookbook installs the sudo
package and configures the /etc/sudoers
file.
It also exposes an LWRP for adding and managing sudoers.
Requirements
Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- FreeBSD
- Mac OS X
- openSUSE / Suse
Chef
- Chef 12.1+
Cookbooks
- None
Attributes
-
node['authorization']['sudo']['groups']
- groups to enable sudo access (default:[ "sysadmin" ]
) -
node['authorization']['sudo']['users']
- users to enable sudo access (default:[]
) -
node['authorization']['sudo']['passwordless']
- use passwordless sudo (default:false
) -
node['authorization']['sudo']['include_sudoers_d']
- include and manage/etc/sudoers.d
(default:false
) -
node['authorization']['sudo']['agent_forwarding']
- preserveSSH_AUTH_SOCK
when sudoing (default:false
) -
node['authorization']['sudo']['sudoers_defaults']
- Array ofDefaults
entries to configure in/etc/sudoers
-
node['authorization']['sudo']['setenv']
- Whether to permit preserving of environment withsudo -E
(default:false
)
Usage
Attributes
To use attributes for defining sudoers, set the attributes above on the node (or role) itself:
{ "default_attributes": { "authorization": { "sudo": { "groups": ["admin", "wheel", "sysadmin"], "users": ["jerry", "greg"], "passwordless": "true" } } } }
{ "default_attributes": { "authorization": { "sudo": { "command_aliases": { "name": "TEST", "command_list": [ "/usr/bin/ls", "/usr/bin/cat" ] }, "custom_commands": { "users": [ { "user": "test_user", "passwordless": true, "command_list": [ "TEST" ] } ], "groups": [ { "group": "test_group", "passwordless": false, "command_list": [ "TEST" ] } ] } } } } }
# roles/example.rb default_attributes( "authorization" => { "sudo" => { "groups" => ["admin", "wheel", "sysadmin"], "users" => ["jerry", "greg"], "passwordless" => true } } )
Note that the template for the sudoers file has the group "sysadmin" with ALL:ALL permission, though the group by default does not exist.
Sudoers Defaults
Configure a node attribute, node['authorization']['sudo']['sudoers_defaults']
as an array of Defaults
entries to configure in /etc/sudoers
. A list of examples for common platforms is listed below:
Debian
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']
Ubuntu 10.04
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']
Ubuntu 12.04
node.default['authorization']['sudo']['sudoers_defaults'] = [ 'env_reset', 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' ]
FreeBSD
node.default['authorization']['sudo']['sudoers_defaults'] = [ 'env_reset', 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' ]
RHEL family 5.x The version of sudo in RHEL 5 may not support +=
, as used in env_keep
, so its a single string.
node.default['authorization']['sudo']['sudoers_defaults'] = [ '!visiblepw', 'env_reset', 'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ _XKB_CHARSET XAUTHORITY"' ]
RHEL family 6.x
node.default['authorization']['sudo']['sudoers_defaults'] = [ '!visiblepw', 'env_reset', 'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"', 'env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"', 'env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"', 'env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"', 'env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"', 'env_keep += "HOME"', 'always_set_home', 'secure_path = /sbin:/bin:/usr/sbin:/usr/bin' ]
Mac OS X
node.default['authorization']['sudo']['sudoers_defaults'] = [ 'env_reset', 'env_keep += "BLOCKSIZE"', 'env_keep += "COLORFGBG COLORTERM"', 'env_keep += "__CF_USER_TEXT_ENCODING"', 'env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"', 'env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"', 'env_keep += "LINES COLUMNS"', 'env_keep += "LSCOLORS"', 'env_keep += "TZ"', 'env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"', 'env_keep += "EDITOR VISUAL"', 'env_keep += "HOME MAIL"' ]
LWRP
Note Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the "#includedir" directive introduced in version 1.7.2. The recipe does not enforce installing the version. To use this LWRP, set node['authorization']['sudo']['include_sudoers_d']
to true
.
There are two ways for rendering a sudoer-fragment using this LWRP:
1. Using the built-in template
2. Using a custom, cookbook-level template
Both methods will create the /etc/sudoers.d/#{resourcename}
file with the correct permissions.
The LWRP also performs fragment validation. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).
Example using the built-in template:
sudo 'tomcat' do user "%tomcat" # or a username runas 'app_user' # or 'app_user:tomcat' commands ['/etc/init.d/tomcat restart'] end
sudo 'tomcat' do template 'my_tomcat.erb' # local cookbook template variables :cmds => ['/etc/init.d/tomcat restart'] end
In either case, the following file would be generated in /etc/sudoers.d/tomcat
# This file is managed by Chef for node.example.com # Do NOT modify this file directly. %tomcat ALL=(app_user) /etc/init.d/tomcat restart
LWRP Attributes
<table>
<thead>
<tr>
<th>Attribute</th>
<th>Description</th>
<th>Example</th>
<th>Default</th>
</tr>
</thead>
<tbody>
<tr>
<td>name</td>
<td>name of the /etc/sudoers.d
file</td>
<td><tt>restart-tomcat</tt></td>
<td>current resource name</td>
</tr>
<tr>
<td>commands</td>
<td>array of commands this sudoer can execute</td>
<td><tt>['/etc/init.d/tomcat restart']</tt></td>
<td><tt>['ALL']</tt></td>
</tr>
<tr>
<td>group</td>
<td>group to provide sudo privileges to, except %
is prepended to the name in
case it is not already</td>
<td><tt>%admin</tt></td>
<td></td>
</tr>
<tr>
<td>nopasswd</td>
<td>supply a password to invoke sudo</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>noexec</td>
<td>prevents commands from shelling out</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>runas</td>
<td>User the command(s) can be run as</td>
<td><tt>root</tt></td>
<td><tt>ALL</tt></td>
</tr>
<tr>
<td>template</td>
<td>the erb template to render instead of the default</td>
<td><tt>restart-tomcat.erb</tt></td>
<td></td>
</tr>
<tr>
<td>user</td>
<td>user to provide sudo privileges to</td>
<td><tt>tomcat</tt></td>
<td></td>
</tr>
<tr>
<td>defaults</td>
<td>array of defaults this user has</td>
<td><tt>['!requiretty','env_reset']</tt></td>
<td></td>
</tr>
<tr>
<td>setenv</td>
<td>whether to permit the preserving of environment with sudo -E
</td>
<td><tt>true</tt></td>
<td><tt><false></tt></td>
</tr>
<tr>
<td>env_keep_add</td>
<td>array of strings to add to env_keep</td>
<td><tt>['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']</tt></td>
<td></td>
</tr>
<tr>
<td>env_keep_subtract</td>
<td>array of strings to remove from env_keep</td>
<td><tt>['DISPLAY', 'MY_SECURE_ENV_VAR']</tt></td>
<td></td>
</tr>
<tr>
<td>variables</td>
<td>the variables to pass to the custom template</td>
<td><tt>:commands => ['/etc/init.d/tomcat restart']</tt></td>
<td></td>
</tr>
</tbody>
</table>
If you use the template attribute, all other attributes will be ignored except for the variables attribute.
Development
This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].
- Clone this repository from GitHub:
$ git clone git@github.com:chef-cookbooks/sudo.git
- Create a git branch
$ git checkout -b my_bug_fix
- Install dependencies:
$ bundle install
- Make your changes/patches/fixes, committing appropiately
- Write tests
-
Run the tests:
bundle exec foodcritic -f any .
bundle exec rspec
bundle exec rubocop
bundle exec kitchen test
In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
License & Authors
Author: Bryan W. Berry bryan.berry@gmail.com
Author: Cookbook Engineering Team (cookbooks@chef.io)
Copyright: 2008-2016, Chef Software, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
sudo Cookbook CHANGELOG
This file is used to list changes made in each version of the sudo cookbook.
3.2.0 (2016-12-27)
- Convert ~ to __ like we do for i (sudoers.d files)
3.1.0 (2016-10-24)
- add attribute custom_commands for user and group
3.0.0 (2016-09-08)
- Testing updates
- Require Chef 12.1+
2.11.0 (2016-08-09)
- Add support for NOEXEC flag
v2.10.0 (2016-08-04)
- Added a warning to the LWRP if include_sudoers_d is set to false
- Enabled use_inline_resources in the LWRP
- Added IBM zlinux as a supported platform
- Added suse, opensuse, and opensuseleap to the metadata as they are now tested platforms
- Added chef_version metadata to metadata.rb
- Removed attributes from the metadata.rb as this serves little purpose
- Converted bats integration tests to inspec
- Switched from rubocop to cookstyle for Ruby linting
- Removed the need for the apt cookbook in the test suite by using the apt_update resource instead
- Switched from kitchen-docker to kitchen-dokken and enabled Debian/Opensuse platforms in Travis
v2.9.0 (2016-02-07)
- Updated the provider to avoid writing out config files with periods in the filename when a user has a period in their name as these are skipped by the sudo package. A sudo config for invalid.user will write out a config named invalid_user now.
v2.8.0 (2016-02-04)
- Added a new attribute to the recipe and provider for adding SETENV to sudoer config
- Updated development deps to the latest version
- Setup test kitchen to run in Travis with kitchen-docker
- Expanded the kitchen.yml config to include additional platforms
- Renamed the test recipe from fake to test
- Updated the testing and contributing docs to the latest
- Added maintainers.toml and maitainers.md
- Added a chefignore file to limit which files get uploaded to the chef server
- Added long_description to the metadata.rb
- Added source_url and issues_url for Supermarket to the metadata.rb
- Resolved all Rubocop warnings
- Updated the Chefspec to the 4.x format
- Removed kitchen cloud testing configs and gem deps
- Removed the Guardfile and the gem deps
v2.7.2 (2015-07-10)
- Adding support for keep_env
- misc cleanup
v2.7.1 (2014-09-18)
- [#53] - removed double space from sudoer.erb template
v2.7.0 (2014-08-08)
- [#44] Add basic ChefSpec matchers
v2.6.0 (2014-05-15)
- [COOK-4612] Add support for the command alias (Cmnd_Alias) directive
- [COOK-4637] - handle duplicate resources in LWRP
v2.5.2 (2014-02-27)
Bumping version for toolchain sanity
v2.5.0 (2014-02-27)
Bumping to 2.5.0
v2.4.2 (2014-02-27)
[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb
v2.4.0 (2014-02-18)
BREAKING CHANGE: The sysadmin
group has been removed from the template. You will lose sudo access if:
- You have users that depend on the sysadmin group for sudo access, and
- You are overriding authorization.sudo.groups, but not including
sysadmin
in the list of groups
Bug
- COOK-4225 - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true
Improvement
- COOK-4014 - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
- COOK-3643 - FreeBSD support for sudo cookbook
New Feature
- COOK-3409 - enhance sudo lwrp's default template to allow defining default user parameters
v2.3.0
Improvement
- COOK-3843 - Make cookbook 'sudo' compatible with Mac OS X
v2.2.2
Improvement
- COOK-3653 - Change template attribute to kind_of String
- COOK-3572 - Add Test Kitchen, Specs, and Travis CI
Bug
- COOK-3610 - Document "Runas" attribute not described in the LWRP Attributes section
-
COOK-3431 - Validate correctly with
visudo
v2.2.0
New Feature
- COOK-3056 - Allow custom sudoers config prefix
v2.1.4
This is a bugfix for 11.6.0 compatibility, as we're not monkey-patching Erubis::Context.
Bug
- [COOK-3399]: Remove node attribute in comment of sudoers templates
v2.1.2
Bug
- [COOK-2388]: Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2814]: Incorrect syntax in README example
v2.1.0
- [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2427] - unable to install users cookbook in chef 11
- [COOK-2814] - Incorrect syntax in README example
v2.0.4
- [COOK-2078] - syntax highlighting README on GitHub flavored markdown
- [COOK-2119] - LWRP template doesn't support multiple commands in a single block.
v2.0.2
- [COOK-2109] - lwrp uses incorrect action on underlying file resource.
v2.0.0
This is a major release because the LWRP's "nopasswd" attribute is changed from true to false, to match the passwordless attribute in the attributes file. This requires a change to people's LWRP use.
- [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute
v1.3.0
- [COOK-1892] - Revamp sudo cookbook and LWRP
- [COOK-2022] - add an attribute for setting /etc/sudoers Defaults
v1.2.2
- [COOK-1628] - set host in sudo lwrp
v1.2.0
- [COOK-1314] - default package action is now :install instead of :upgrade
- [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute
v1.1.0
- [COOK-350] - LWRP to manage sudo files via include dir (/etc/sudoers.d)
v1.0.2
- [COOK-903] - freebsd support
Collaborator Number Metric
3.2.0 passed this metric
Foodcritic Metric
3.2.0 passed this metric
License Metric
3.2.0 passed this metric
3.2.0 passed this metric
3.2.0 passed this metric
License Metric
3.2.0 passed this metric
3.2.0 passed this metric