Puppet augeas and sudoers parameter lists

Puppet augeas and sudoers parameter lists

Today I had little problems with Puppet’s augeas. I tried hard to find some documentation helping me out but did not find anything suitable. So I think I’m not the only one facing that problem so I want to share what I did.

I want to change the /etc/sudoers file on Linux system with Puppet. What I want to do is negate the requiretty default and add SSH_AUTH_SOCK to the env_keep list.

My first problem was the requitetty setting. I tried a lot until I got a working solution. The problem was the value needed in the Puppet augeas set statement. I developed the following solution:

augeas { "sudoers":
   context => '/files/etc/sudoers/',
   changes => ["set Defaults/requiretty/negate ''"];
}

The second problem was a little bit harder to solve. Adding the SSH_AUTH_SOCK value to the env_keep list of the defaults. First of all env_keep is a list as mentioned before.

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Above you can see the settings for env_keep which I want to change. I want to add SSH_AUTH_SOCK at the end of the list. And I only want to add the value once and not with every Puppet run. So I need a possibility to check if the setting is already done. To achive this, there is an „onlyif“ statement you can add to the augeas call. But it was a little bit difficult to find a way how to do it because 

match /files/etc/sudoers/Defaults/env_keep not_includes SSH_AUTH_SOCK

won’t work. The reason why it is not working is that the match returns a list of env_keep lines.The not_included checks the return value of the „match <arg>“ command which is a list in our case.

After figuring out the problem with the match art I found asolution to get it work:

augeas { "sudoers-env":
   onlyif => "match /files/etc/sudoers/Defaults/env_keep[last()]/var[.='SSH_AUTH_SOCK'] size == 0",
   changes => "set /files/etc/sudoers/Defaults/env_keep[last()]/var[last()+1]/ SSH_AUTH_SOCK"
}

The SSH_AUTH_SOCK value is always appended to the end of the last env_keep line. The result after the Puppet run looks like this

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY SSH_AUTH_SOCK"

Finally I succeeded. But it costs me a lot of time for Googling and trying out things. So I hope this short documentation will help anyone else to get a quicker solution and save time for anybody else.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Durch die weitere Nutzung der Seite stimmst du der Verwendung von Cookies zu. Weitere Informationen

Die Cookie-Einstellungen auf dieser Website sind auf "Cookies zulassen" eingestellt, um das beste Surferlebnis zu ermöglichen. Wenn du diese Website ohne Änderung der Cookie-Einstellungen verwendest oder auf "Akzeptieren" klickst, erklärst du sich damit einverstanden.

Schließen