Newer versions of sudo have #include and #includedir directives which might 
really help out in this situation.

You may just be able to push out a file or collection of files which are then 
included by the existing file.  It could be as simple as having Cfengine add 
the #includedir line to the existing file then having Cfengine populate and 
maintain that directory.

#include was added in Sudo 1.7.0 and #includedir was added in Sudo 1.7.2, so 
depending on your distro of choice and perhaps your packaging skills, you may 
or may not be able to take advantage of these.  I recently had a project to 
push out a new world-wide sudoers file to about 40 different sites with at 
least as many variations of current sudoers files.  I didn't want to lose what 
was already in place, so I moved the existing file out of the way, put in my 
new global file, and included the moved file.  Eventually I want to move as 
much as I can into the global file, like Jesse suggested, and standardize the 
rest of the site-specific files so that Cfengine can maintain those as well.  
Unfortunately since most of my fleet is RHEL4, which only has sudo 1.6.7, my 
grand idea of using #include has to wait until I can package up and distribute 
a new version of sudo.

--
/* Wes Hardin */
UNIX/Linux Systems Administrator, IT Engineering Support
Maxim Integrated Products: Innovation Delivered
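The migration described above (a new global sudoers that pulls in the moved legacy file, plus a directory for site-specific fragments) leaves the effective policy spread over several files. The following resolver is an added example, not code from this thread or from the sudo project: it walks #include and #includedir the way sudoers(5) documents them, so an auditor can list every rule that is actually in force and spot dangling includes. Assumed from the manual: #includedir reads files in lexical order and skips names containing a '.' or ending in '~'; include paths are taken as absolute. All file contents are constructed sample data written to a temporary directory.

```python
"""Resolve sudo #include / #includedir chains into one effective rule list.

Added example, not from the mailing-list thread or the sudo project.
Assumed from sudoers(5): #includedir processes files in lexical order and
skips names containing '.' or ending in '~'; include paths are absolute.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^#include\s+(\S+)\s*$")
INCLUDEDIR_RE = re.compile(r"^#includedir\s+(\S+)\s*$")


def includedir_entries(directory):
    """Files sudo would read from an #includedir, in the order it reads them."""
    entries = []
    for name in sorted(os.listdir(directory)):
        # Skipping dotted names and '~' backups keeps editor and package
        # leftovers (foo.rpmsave, foo~) from silently becoming policy.
        if "." in name or name.endswith("~"):
            continue
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries.append(path)
    return entries


def resolve_sudoers(path, _seen=None):
    """Return (rules, problems).

    rules:    (file, lineno, text) for every effective non-comment line,
              in the order sudo evaluates them.
    problems: missing includes/includedirs and repeated/looping includes.
    """
    seen = set() if _seen is None else _seen
    real = os.path.realpath(path)
    rules, problems = [], []
    if real in seen:
        problems.append(f"include loop or duplicate include: {path}")
        return rules, problems
    seen.add(real)
    if not os.path.isfile(real):
        problems.append(f"missing include: {path}")
        return rules, problems
    with open(real) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            m_inc = INCLUDE_RE.match(line)
            m_dir = INCLUDEDIR_RE.match(line)
            if m_inc:
                targets = [m_inc.group(1)]
            elif m_dir:
                if not os.path.isdir(m_dir.group(1)):
                    problems.append(f"missing includedir: {m_dir.group(1)}")
                    continue
                targets = includedir_entries(m_dir.group(1))
            elif not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or ordinary comment
            else:
                rules.append((real, lineno, line))
                continue
            for target in targets:
                sub_rules, sub_problems = resolve_sudoers(target, seen)
                rules += sub_rules
                problems += sub_problems
    return rules, problems


def build_sample_tree(dangling_include=False):
    """Constructed layout mirroring the migration in the thread: the legacy
    file is moved to sudoers.local and included by the new global file."""
    root = tempfile.mkdtemp(prefix="sudoers-demo-")
    sdir = os.path.join(root, "sudoers.d")
    os.mkdir(sdir)
    local = os.path.join(root, "sudoers.local")
    global_text = (
        "# global policy (constructed sample)\n"
        "Defaults requiretty\n"
        "root ALL=(ALL) ALL\n"
        f"#include {local}\n"
        f"#includedir {sdir}\n"
    )
    if dangling_include:  # simulate a site file that never got pushed out
        global_text += f"#include {os.path.join(root, 'sudoers.site')}\n"
    files = {
        os.path.join(root, "sudoers"): global_text,
        local: "# legacy file moved out of the way\n%wheel ALL=(ALL) ALL\n",
        os.path.join(sdir, "10-dba"): "dba ALL=(oracle) NOPASSWD: /usr/bin/sqlplus\n",
        # The next two must NOT be read: dotted name and trailing '~'.
        os.path.join(sdir, "10-dba.rpmsave"): "dba ALL=(ALL) NOPASSWD: ALL\n",
        os.path.join(sdir, "20-backup~"): "backup ALL=(ALL) ALL\n",
    }
    for p, text in files.items():
        with open(p, "w") as fh:
            fh.write(text)
    return os.path.join(root, "sudoers")


def demo(dangling_include=False):
    """Effective rule texts and problems for the constructed sample tree."""
    rules, problems = resolve_sudoers(build_sample_tree(dangling_include))
    return [text for _, _, text in rules], problems


if __name__ == "__main__":
    rule_texts, found = demo(dangling_include=True)
    print("\n".join(rule_texts))
    print("problems:", found)
```

Running it against a real host means calling `resolve_sudoers("/etc/sudoers")` as root; the point of the skip rules is visible in the sample: the stray `10-dba.rpmsave` with `NOPASSWD: ALL` is ignored by sudo, but it is still a file worth deleting rather than relying on the filter. Later sudo releases also accept `@include`/`@includedir` spellings, which this resolver does not recognise.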
________________________________________
From: help-cfengine-boun...@cfengine.org [help-cfengine-boun...@cfengine.org] 
On Behalf Of Jesse Becker [becker...@mail.nih.gov]
Sent: Thursday, March 10, 2011 07:13 PM
To: Jones, Stephen (MAS)
Cc: help-cfengine@cfengine.org
Subject: Re: Managing sudoers files with exisiting entries

While this will neatly dodge your question, I strongly suggest
consolidating all of your sudoers files into a single master file,
and pushing that to all of your hosts.  The format of /etc/sudoers was
specifically designed for this sort of multi-host operation, and it
simplifies management greatly.


On Thu, Mar 10, 2011 at 07:46:20PM -0500, Jones, Stephen (MAS) wrote:
>All,
>
>I'm trying to integrate cfengine3 into an environment that is already heavily 
>configured. I'm currently working on a solution for the sudoers file which 
>appears to be slightly different on about every host I've looked at!
>
>The solution I've come up with is to create a location in the existing file 
>and then append my changes to this region. Could I have any suggestions on the 
>code to make it possibly simpler or more efficient? I want to retain the 
>ability to remove entries should I need to hence the delete section. I am 
>having issues with the regex on the delete so I've put in an slist for entries 
>I want removed. It would also be nice to insert a blank line between each 
>section but I've been unable to work out how to do that as insert lines will 
>always match a blank line???
>
>Many thanks
>Stephen
>
># cat managed_sudoers.cf
>body common control {
>   bundlesequence  => {
>                    manage_sudoers_file,
>                   };
>
>   inputs          => {
>                   "cfengine_stdlib.cf",
>                   };
>   version         => "0.01";
>}
>
>bundle agent manage_sudoers_file {
>
>vars:
>
>  "cfengine_managed_header" string => "#----------------------------------#
>#-----CFENGINE_MANAGED_ENTRIES-----#
>
>#-----------------------------------#";
>
>files:
>
>  any::
>
>      "/etc/sudoers"
>
>          edit_line => append_if_no_lines("$(manage_sudoers_file.cfengine_managed_header)");
>
>methods:
>
>  "any" usebundle => manage_sudoers_content;
>
>}
>
>bundle agent manage_sudoers_content {
>
>
>files:
>
>  any::
>
>      "/etc/sudoers"
>
>          comment       => "Add lines to the sudoers configuration",
>          create        => "true",
>          edit_line     => sudoers,
>          edit_defaults => std_defs;
>
>}
>
>##########################################################################
>
>bundle edit_line sudoers {
>
>vars:
>
>   "sudo_entries[user_alias_test_sysadmin]" string => "User_Alias TEST_SYSADMIN=testuser1,testuser2,testuser3";
>   "sudo_entries[user_privs_test_sysadmin]" string => "TEST_SYSADMIN ALL= NOPASSWD:  ALL";
>
>   "sudo_entry_name" slist => getindices("sudo_entries");
>   "sudo_removable_entries" slist => { "User_Alias", "TEST" };
>
>      insert_lines:
>
>        "$(sudo_entries[$(sudo_entry_name)])",
>
>            select_region => cfengine_sudoers_region;
>
>      delete_lines:
>
>        "$(sudo_removable_entries).*",
>
>            select_region => cfengine_sudoers_region;
>
>}
>
>##########################################################################
>
>body select_region cfengine_sudoers_region {
>
>   select_start => "^#-----CFENGINE_MANAGED_ENTRIES-----#$";
>   select_end   => "^#-----------------------------------#$";
>}
>
>##########################################################################
>
>Sudoers file after:-
>
>#----------------------------------#
>#-----CFENGINE_MANAGED_ENTRIES-----#
>User_Alias TEST_SYSADMIN= testuser1,testuser2,testuser3
>TEST_SYSADMIN ALL= NOPASSWD:  ALL
>#-----------------------------------#
>

>_______________________________________________
>Help-cfengine mailing list
>Help-cfengine@cfengine.org
>https://cfengine.org/mailman/listinfo/help-cfengine


--
Jesse Becker
NHGRI Linux support (Digicon Contractor)