From 8d3f4d9894af267868fe41e0d67b6dd2e4d21d58 Mon Sep 17 00:00:00 2001
From: Roman Reitschmied
Date: Thu, 11 Feb 2016 15:00:22 +0100
Subject: [PATCH 1/2] add sudoers check with visudo as proposed here: https://blog.afoolishmanifesto.com/posts/checking-sudoers-with-visudo-in-saltstack/

---
 sudoers/included.sls | 1 +
 sudoers/init.sls | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sudoers/included.sls b/sudoers/included.sls
index e4d4b7e..de48440 100644
--- a/sudoers/included.sls
+++ b/sudoers/included.sls
@@ -13,6 +13,7 @@ include:
     - mode: 440
     - template: jinja
     - source: salt://sudoers/files/sudoers
+    - check_cmd: /usr/sbin/visudo -c -f
     - context:
         included: True
         sudoers: {{ spec|json }}
diff --git a/sudoers/init.sls b/sudoers/init.sls
index 922fdf7..841efd9 100644
--- a/sudoers/init.sls
+++ b/sudoers/init.sls
@@ -11,6 +11,7 @@ sudo:
     - mode: 440
     - template: jinja
     - source: salt://sudoers/files/sudoers
+    - check_cmd: /usr/sbin/visudo -c -f
     - context:
         included: False
     - require:

From 672cd206721f24d8773a2754e4b27ff78b1b706e Mon Sep 17 00:00:00 2001
From: "Matthew X. Economou"
Date: Wed, 9 Mar 2016 15:03:56 -0500
Subject: [PATCH 2/2] Use correct pathname of visudo on FreeBSD

---
 sudoers/included.sls | 2 +-
 sudoers/init.sls | 2 +-
 sudoers/map.jinja | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/sudoers/included.sls b/sudoers/included.sls
index de48440..6804b49 100644
--- a/sudoers/included.sls
+++ b/sudoers/included.sls
@@ -13,7 +13,7 @@ include:
     - mode: 440
     - template: jinja
     - source: salt://sudoers/files/sudoers
-    - check_cmd: /usr/sbin/visudo -c -f
+    - check_cmd: {{ sudoers.get('exec-prefix', '/usr/sbin') }}/visudo -c -f
     - context:
         included: True
         sudoers: {{ spec|json }}
diff --git a/sudoers/init.sls b/sudoers/init.sls
index 841efd9..e93ce3c 100644
--- a/sudoers/init.sls
+++ b/sudoers/init.sls
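Review bot: The added `check_cmd` line carries no comment saying what it guards, and a reader unfamiliar with Salt's `check_cmd` will not see that Salt appends the path of a temporary file holding the rendered contents and that a non-zero exit fails the state and leaves the live file untouched; the same applies to the `check_cmd` line in the init.sls hunk that follows. I would add above it `# validate the rendered sudoers with visudo before it replaces the live file; a failed check aborts the state and keeps the existing file in place`. Two caveats are worth recording in that comment as well: `visudo -c` is a syntax check only, so a syntactically valid policy that drops all administrative access still passes, and if this state manages sudoers.d fragments (as the `included: True` context suggests) each fragment is checked in isolation, so a fragment that relies on an alias defined in the main sudoers file may be rejected here even though it parses in context — confirm against the sudo version in use. The enclosing `file.managed` state starts outside the hunk.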
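Review bot: The fallback `'/usr/sbin'` in `sudoers.get('exec-prefix', '/usr/sbin')` is now repeated verbatim in included.sls and in the init.sls hunk that follows, while the FreeBSD value lives in map.jinja, so the two copies of the default will drift the first time one file is edited. If map.jinja has a default or base entry for the lookup (not visible in this diff), I would put `'exec-prefix': '/usr/sbin'` there next to the FreeBSD `'exec-prefix': '/usr/local/sbin'` and reduce both states to `- check_cmd: {{ sudoers['exec-prefix'] }}/visudo -c -f`. Because the map is merged with `salt['pillar.get']('sudoers:lookup')`, the prefix is also overridable from pillar; a short comment beside the map entry naming the `sudoers:lookup:exec-prefix` key would help operators whose visudo lives elsewhere. The enclosing `file.managed` state starts outside the hunk.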
@@ -11,7 +11,7 @@ sudo:
     - mode: 440
     - template: jinja
     - source: salt://sudoers/files/sudoers
-    - check_cmd: /usr/sbin/visudo -c -f
+    - check_cmd: {{ sudoers.get('exec-prefix', '/usr/sbin') }}/visudo -c -f
     - context:
         included: False
     - require:
diff --git a/sudoers/map.jinja b/sudoers/map.jinja
index 278d175..92506c3 100644
--- a/sudoers/map.jinja
+++ b/sudoers/map.jinja
@@ -11,5 +11,6 @@
     'Suse': {'pkg': 'sudo'},
     'FreeBSD': {'pkg': 'sudo',
                 'config-path': '/usr/local/etc',
+                'exec-prefix': '/usr/local/sbin',
                 'group': 'wheel'},
   }, merge=salt['pillar.get']('sudoers:lookup')) %}