Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

The sudo cookbook has been deprecated

Author provided reason for deprecation:

The sudo cookbook has been deprecated and is no longer being maintained by its authors. Use of the sudo cookbook is no longer recommended.


sudo (57) Versions 4.0.1

Installs sudo and configures /etc/sudoers

cookbook 'sudo', '= 4.0.1', :supermarket
cookbook 'sudo', '= 4.0.1'
knife supermarket install sudo
knife supermarket download sudo
Quality 100%

sudo cookbook

Build Status Cookbook Version

The default recipe installs the sudo package and configures the /etc/sudoers file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.



  • Debian/Ubuntu
  • RHEL/CentOS/Scientific/Amazon/Oracle
  • Amazon Linux
  • FreeBSD
  • macOS
  • openSUSE / SUSE Enterprise


  • Chef 12.1+


  • None


  • node['authorization']['sudo']['groups'] - groups to enable sudo access (default: [])
  • node['authorization']['sudo']['users'] - users to enable sudo access (default: [])
  • node['authorization']['sudo']['passwordless'] - use passwordless sudo (default: false)
  • node['authorization']['sudo']['include_sudoers_d'] - include and manage /etc/sudoers.d (default: true on Linux systems. Note: older / EOL distros do not support this feature)
  • node['authorization']['sudo']['agent_forwarding'] - preserve SSH_AUTH_SOCK when sudoing (default: false)
  • node['authorization']['sudo']['sudoers_defaults'] - Array of Defaults entries to configure in /etc/sudoers
  • node['authorization']['sudo']['setenv'] - Whether to permit preserving of environment with sudo -E (default: false)



To use attributes for defining sudoers, set the attributes above on the node (or role) itself:

  "default_attributes": {
    "authorization": {
      "sudo": {
        "groups": ["admin", "wheel", "sysadmin"],
        "users": ["jerry", "greg"],
        "passwordless": "true"
  "default_attributes": {
    "authorization": {
      "sudo": {
        "command_aliases": [{
          "name": "TEST",
          "command_list": [
        "custom_commands": {
          "users": [
              "user": "test_user",
              "passwordless": true,
              "command_list": [
          "groups": [
              "group": "test_group",
              "passwordless": false,
              "command_list": [
# roles/example.rb
  "authorization" => {
    "sudo" => {
      "groups" => ["admin", "wheel", "sysadmin"],
      "users" => ["jerry", "greg"],
      "passwordless" => true

Note that the template for the sudoers file has the group "sysadmin" with ALL:ALL permission, though the group by default does not exist.

Sudoers Defaults

Configure a node attribute, node['authorization']['sudo']['sudoers_defaults'] as an array of Defaults entries to configure in /etc/sudoers. A list of examples for common platforms is listed below:


node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']

Ubuntu 12.04

node.default['authorization']['sudo']['sudoers_defaults'] = [


node.default['authorization']['sudo']['sudoers_defaults'] = [

RHEL family 6.x

node.default['authorization']['sudo']['sudoers_defaults'] = [
  'env_keep += "HOME"',
  'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'

Mac OS X

node.default['authorization']['sudo']['sudoers_defaults'] = [
  'env_keep += "BLOCKSIZE"',
  'env_keep += "COLORFGBG COLORTERM"',
  'env_keep += "__CF_USER_TEXT_ENCODING"',
  'env_keep += "LINES COLUMNS"',
  'env_keep += "LSCOLORS"',
  'env_keep += "TZ"',
  'env_keep += "EDITOR VISUAL"',
  'env_keep += "HOME MAIL"'

Sudo Resource

Note Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the "#includedir" directive introduced in version 1.7.2. The recipe does not enforce installing the version. Supported releases of Ubuntu, Debian and RHEL (6+) all support this feature.

There are two ways for rendering a sudoer-fragment using this LWRP:

  1. Using the built-in template
  2. Using a custom, cookbook-level template

Both methods will create the /etc/sudoers.d/#{resourcename} file with the correct permissions.

The LWRP also performs fragment validation. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).

Example using the built-in template:

sudo 'tomcat' do
  user      "%tomcat"    # or a username
  runas     'app_user'   # or 'app_user:tomcat'
  commands  ['/etc/init.d/tomcat restart']
sudo 'tomcat' do
  template    'my_tomcat.erb' # local cookbook template
  variables   :cmds => ['/etc/init.d/tomcat restart']

In either case, the following file would be generated in /etc/sudoers.d/tomcat

# This file is managed by Chef for
# Do NOT modify this file directly.

%tomcat ALL=(app_user) /etc/init.d/tomcat restart

Resource Properties

Attribute Description Example Default
name name of the /etc/sudoers.d file restart-tomcat current resource name
commands array of commands this sudoer can execute ['/etc/init.d/tomcat restart'] ['ALL']
group group to provide sudo privileges to, except % is prepended to the name in case it is not already %admin
nopasswd supply a password to invoke sudo true false
noexec prevents commands from shelling out true false
runas User the command(s) can be run as root ALL
template the erb template to render instead of the default restart-tomcat.erb
user user to provide sudo privileges to tomcat
defaults array of defaults this user has ['!requiretty','env_reset']
setenv whether to permit the preserving of environment with sudo -E true false
env_keep_add array of strings to add to env_keep ['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']
env_keep_subtract array of strings to remove from env_keep ['DISPLAY', 'MY_SECURE_ENV_VAR']
variables the variables to pass to the custom template commands: ['/etc/init.d/tomcat restart']

If you use the template attribute, all other attributes will be ignored except for the variables attribute.


This cookbook is maintained by Chef's Community Cookbook Engineering team. Our goal is to improve cookbook quality and to aid the community in contributing to cookbooks. To learn more about our team, process, and design goals see our team documentation. To learn more about contributing to cookbooks like this see our contributing documentation, or if you have general questions about this cookbook come chat with us in #cookbok-engineering on the Chef Community Slack


Copyright: 2008-2017, Chef Software, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

ad-auth Applicable Versions
ad-likewise Applicable Versions
admin-user Applicable Versions
aegir Applicable Versions
alfresco-transformations Applicable Versions
ama-linux-user-management Applicable Versions
amoeba_basenode Applicable Versions
appbox Applicable Versions
backuppc-client Applicable Versions
backuppc-server Applicable Versions
base_install Applicable Versions
cafe-core Applicable Versions
cassandra-priam Applicable Versions
chef-manageiq Applicable Versions
chef_rvm Applicable Versions
cloudera-manager Applicable Versions
cloudstack Applicable Versions
cobbpass Applicable Versions
common_auth Applicable Versions
crenv Applicable Versions
ctfhooks Applicable Versions
deis Applicable Versions
deployer Applicable Versions
devstack Applicable Versions
dokku Applicable Versions
dotnet-core Applicable Versions
enstratius_agent_proxy Applicable Versions
et_haproxy Applicable Versions
foreflight_build_agent Applicable Versions
github_users Applicable Versions
gitlab Applicable Versions
gitlabhq Applicable Versions
iptables_web Applicable Versions
kagent Applicable Versions
likewise Applicable Versions
magentostack Applicable Versions
minecraft Applicable Versions
monitor Applicable Versions
mw_server_base Applicable Versions
mysql-mha Applicable Versions
nodestack Applicable Versions
opsworks_ruby Applicable Versions
paramount Applicable Versions
pipeline Applicable Versions
platformstack Applicable Versions
rack_user Applicable Versions
rackconnect Applicable Versions
rackops_rolebook Applicable Versions
rackspace_support Applicable Versions
rackspace_users Applicable Versions
rdiff-backup Applicable Versions
ruby_rvm Applicable Versions
rundeck Applicable Versions
rundeck-node Applicable Versions
spacewalk-server Applicable Versions
stackstorm Applicable Versions
sudo_rules Applicable Versions
system_users Applicable Versions
tfchefint Applicable Versions
ut_base Applicable Versions
vslinko Applicable Versions
vsts_agent_macos Applicable Versions
zabbix_ng Applicable Versions

sudo Cookbook CHANGELOG

This file is used to list changes made in each version of the sudo cookbook.

4.0.1 (2018-02-16)

  • FIX: in templates the attribute "passwordless" and other with data type String always will be return true
  • Add an attribute for setting sudoers.d mode

4.0.0 (2017-11-28)

Breaking Changes

  • sudo .d functionality is now enabled by default on Linux systems. This allows the sudo resource to function with setting node['authorization']['sudo']['include_sudoers_d'] to true. Only some older / EoL distros this will break sudo functionality so make sure you test this and set it to false if you're running an EoL distro
  • The sysadmin group is no longer added to sudoers by default anymore. Historically many community cookbooks assumed all admins were in this sysadmins group. We've moved away from that assumption since it was a suprise to many when this group was added. If you rely on this behavior make sure to node['authorization']['sudo']['groups'] attribute to inlude the sysadmin group.

Other Changes

  • Remove the debian-isms from the sudo.d readme file which is copied onto multiple Linux systems
  • Remove an old RHEL 5 example from the readme
  • Fix ChefSpec warnings
  • Improve Travis testing and add Debian 9 testing
  • Setenv for restricted users
  • Improve visudo path resolution on non-Debian distros

3.5.3 (2017-07-09)

  • Add amazon linux to the metadata
  • Remove extra spaces in the sudoer template
  • Update platform names in the readme
  • Replace the HTML table with markdown

3.5.2 (2017-06-26)

  • Remove totally bogus "supports" attribute from the resource
  • Revert "Remove sysadmin from default groups". We'll handle this differently going forward. Sorry for the breakage

3.5.1 (2017-06-21)

  • Remove sysadmin from default groups as sysadmin is no longer a group we push via the users cookbook.

3.5.0 (2017-05-16)

  • Add sudo package management to resource

3.4.0 (2017-04-26)

  • Add lwrp support for only env_keep add/subtract
  • Readme improvements
  • Move the files out of the default directory since Chef >= 12 doesn't require this
  • Test with Local Delivery instead of Rake
  • Cookstyle fixes
  • Update apache2 license string

3.3.1 (2017-01-17)

  • fixed command_aliases in README

3.3.0 (2017-01-04)

  • Add attributes for env_keep_add and env_keep_subtract for the base sudoers file
  • Sanitize file names in the :remove action so we remove the proper files

3.2.0 (2016-12-27)

  • Convert ~ to __ like we do for i (sudoers.d files)

3.1.0 (2016-10-24)

  • add attribute custom_commands for user and group

3.0.0 (2016-09-08)

  • Testing updates
  • Require Chef 12.1+

2.11.0 (2016-08-09)

  • Add support for NOEXEC flag

v2.10.0 (2016-08-04)

  • Added a warning to the LWRP if include_sudoers_d is set to false
  • Enabled use_inline_resources in the LWRP
  • Added IBM zlinux as a supported platform
  • Added suse, opensuse, and opensuseleap to the metadata as they are now tested platforms
  • Added chef_version metadata to metadata.rb
  • Removed attributes from the metadata.rb as this serves little purpose
  • Converted bats integration tests to inspec
  • Switched from rubocop to cookstyle for Ruby linting
  • Removed the need for the apt cookbook in the test suite by using the apt_update resource instead
  • Switched from kitchen-docker to kitchen-dokken and enabled Debian/Opensuse platforms in Travis

v2.9.0 (2016-02-07)

  • Updated the provider to avoid writing out config files with periods in the filename when a user has a period in their name as these are skipped by the sudo package. A sudo config for invalid.user will write out a config named invalid_user now.

v2.8.0 (2016-02-04)

  • Added a new attribute to the recipe and provider for adding SETENV to sudoer config
  • Updated development deps to the latest version
  • Setup test kitchen to run in Travis with kitchen-docker
  • Expanded the kitchen.yml config to include additional platforms
  • Renamed the test recipe from fake to test
  • Updated the testing and contributing docs to the latest
  • Added maintainers.toml and
  • Added a chefignore file to limit which files get uploaded to the chef server
  • Added long_description to the metadata.rb
  • Added source_url and issues_url for Supermarket to the metadata.rb
  • Resolved all Rubocop warnings
  • Updated the Chefspec to the 4.x format
  • Removed kitchen cloud testing configs and gem deps
  • Removed the Guardfile and the gem deps

v2.7.2 (2015-07-10)

  • Adding support for keep_env
  • misc cleanup

v2.7.1 (2014-09-18)

  • [#53] - removed double space from sudoer.erb template

v2.7.0 (2014-08-08)

  • [#44] Add basic ChefSpec matchers

v2.6.0 (2014-05-15)

  • [COOK-4612] Add support for the command alias (Cmnd_Alias) directive
  • [COOK-4637] - handle duplicate resources in LWRP

v2.5.2 (2014-02-27)

Bumping version for toolchain sanity

v2.5.0 (2014-02-27)

Bumping to 2.5.0

v2.4.2 (2014-02-27)

[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb

v2.4.0 (2014-02-18)

BREAKING CHANGE: The sysadmin group has been removed from the template. You will lose sudo access if:

  • You have users that depend on the sysadmin group for sudo access, and
  • You are overriding authorization.sudo.groups, but not including sysadmin in the list of groups


  • COOK-4225 - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true


  • COOK-4014 - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
  • COOK-3643 - FreeBSD support for sudo cookbook

New Feature

  • COOK-3409 - enhance sudo lwrp's default template to allow defining default user parameters



  • COOK-3843 - Make cookbook 'sudo' compatible with Mac OS X



  • COOK-3653 - Change template attribute to kind_of String
  • COOK-3572 - Add Test Kitchen, Specs, and Travis CI


  • COOK-3610 - Document "Runas" attribute not described in the LWRP Attributes section
  • COOK-3431 - Validate correctly with visudo


New Feature

  • COOK-3056 - Allow custom sudoers config prefix


This is a bugfix for 11.6.0 compatibility, as we're not monkey-patching Erubis::Context.


  • [COOK-3399]: Remove node attribute in comment of sudoers templates



  • [COOK-2388]: Chef::ShellOut is deprecated, please use Mixlib::ShellOut
  • [COOK-2814]: Incorrect syntax in README example


  • [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
  • [COOK-2427] - unable to install users cookbook in chef 11
  • [COOK-2814] - Incorrect syntax in README example


  • [COOK-2078] - syntax highlighting README on GitHub flavored markdown
  • [COOK-2119] - LWRP template doesn't support multiple commands in a single block.


  • [COOK-2109] - lwrp uses incorrect action on underlying file resource.


This is a major release because the LWRP's "nopasswd" attribute is changed from true to false, to match the passwordless attribute in the attributes file. This requires a change to people's LWRP use.

  • [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute


  • [COOK-1892] - Revamp sudo cookbook and LWRP
  • [COOK-2022] - add an attribute for setting /etc/sudoers Defaults


  • [COOK-1628] - set host in sudo lwrp


  • [COOK-1314] - default package action is now :install instead of :upgrade
  • [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute


  • [COOK-350] - LWRP to manage sudo files via include dir (/etc/sudoers.d)


  • [COOK-903] - freebsd support

Collaborator Number Metric

4.0.1 passed this metric

Contributing File Metric

4.0.1 passed this metric

Foodcritic Metric

4.0.1 passed this metric

License Metric

4.0.1 passed this metric

No Binaries Metric

4.0.1 passed this metric

Testing File Metric

4.0.1 passed this metric

Version Tag Metric

4.0.1 passed this metric