From 8eb95cfcdaf561a67f3b21d7a27234fadf997e59 Mon Sep 17 00:00:00 2001
From: Kenneth Wilke
Date: Tue, 20 Aug 2013 16:32:58 -0500
Subject: [PATCH 01/11] start of sudoers formula

---
 pillar.example | 28 +++++++++++++++++++++++++
 sudoers/files/sudoers | 43 +++++++++++++++++++++++++++++++++++++++
 sudoers/init.sls | 15 ++++++++++++++
 sudoers/package-map.jinja | 14 +++++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 pillar.example
 create mode 100644 sudoers/files/sudoers
 create mode 100644 sudoers/init.sls
 create mode 100644 sudoers/package-map.jinja

diff --git a/pillar.example b/pillar.example
new file mode 100644
index 0000000..b269253
--- /dev/null
+++ b/pillar.example
@@ -0,0 +1,28 @@
+sudoers:
+ users:
+ johndoe: 'ALL=(ALL) ALL'
+ groups:
+ sudo: 'ALL=(ALL) NOPASSWD: ALL'
+ defaults:
+ - env_reset
+ - mail_badpass
+ - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ aliases:
+ hosts:
+ - WEBSERVERS:
+ - www1
+ - www2
+ - www3
+ users:
+ - ADMINS:
+ - millert
+ - dowdy
+ - mikef
+ commands:
+ - PROCESSES:
+ - /usr/bin/nice
+ - /bin/kill
+ - /usr/bin/renice
+ - /usr/bin/pkill
+ - /usr/bin/top
+ #include: /etc/sudoers.d
diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers
new file mode 100644
index 0000000..5968a82
--- /dev/null
+++ b/sudoers/files/sudoers
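Review bot: The example pillar hands the entire `sudo` group passwordless root with `sudo: 'ALL=(ALL) NOPASSWD: ALL'`, and since pillar.example is the file people copy into their own pillar that default will propagate into real fleets. Prefer `sudo: 'ALL=(ALL) ALL'` in the example and add a comment above it such as `# NOPASSWD disables the password prompt entirely; reserve it for narrowly scoped Cmnd_Aliases`. The PROCESSES alias is also worth a one-line caveat: `/usr/bin/nice` executes an arbitrary program, so a Cmnd_Alias containing it does not restrict what the grantee can run as root.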
@@ -0,0 +1,43 @@
+{% set sudoers = pillar.get('sudoers', {}) %}
+{% set defaults = sudoers.get('defaults', []) %}
+{% set aliases = sudoers.get('aliases', {}) %}
+{% set host_aliases = aliases.get('host', []) %}
+{% set user_aliases = aliases.get('user', []) %}
+{% set cmnd_aliases = aliases.get('commands', []) %}
+{% set runas_aliases = aliases.get('runas', []) %}
+{% set users = sudoers.get('users', {}) %}
+{% set groups = sudoers.get('groups', {}) %}
+{% set includedir = sudoers.get('includedir', None) %}
+#
+# This file is managed by salt
+#
+
+{% for default in defaults -%}
+Defaults {{ default }}
+{%- endfor %}
+
+# Host alias specification
+{% for default in defaults -%}
+Defaults {{ default }}
+{%- endfor %}
+
+# User alias specification
+{{ user_aliases }}
+
+# Cmnd alias specification
+{{ cmnd_aliases }}
+
+# Runas alias specification
+{{ runas_aliases }}
+
+# User privilege specification
+{{ users }}
+
+# Group privilege specification
+{{ groups }}
+
+{% if includes %}
+includedir {{ includedir }}
+{% else %}
+#includedir /etc/sudoers.d
+{% endif %}
diff --git a/sudoers/init.sls b/sudoers/init.sls
new file mode 100644
index 0000000..d6622a4
--- /dev/null
+++ b/sudoers/init.sls
@@ -0,0 +1,15 @@
+{% from "sudoers/package-map.jinja" import pkgs with context %}
+
+sudo:
+ pkg.installed:
+ - name: {{ pkg.sudo }}
+
+/etc/sudoers
+ file.managed:
+ - user: root
+ - group: root
+ - mode: 440
+ - template: jinja
+ - source: salt://sudoers/files/sudoers
+ - require:
+ - pkg: sudo
diff --git a/sudoers/package-map.jinja b/sudoers/package-map.jinja
new file mode 100644
index 0000000..121de81
--- /dev/null
+++ b/sudoers/package-map.jinja
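Review bot: Everything in the rendered file comes from `pillar.get('sudoers', {})` with empty defaults, so a minion that has no `sudoers` pillar (or a mistyped key) gets its distro /etc/sudoers replaced by a file holding only the "managed by salt" header, silently dropping every existing rule including the distro's `root ALL=(ALL:ALL) ALL` and `%sudo`/`%wheel` entries. That is a sensible least-privilege outcome only if it is intentional and documented; add to the header comment `# This template REPLACES /etc/sudoers: any rule not present in the sudoers pillar (including distro defaults for root, %sudo, %wheel) is removed`. Pillar strings are also emitted verbatim with no validation, so the file should be syntax-checked before it goes live (see the init.sls state).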
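Review bot: The `/etc/sudoers` state writes the Jinja render straight over the live file with no syntax check, so a single bad pillar value makes sudo refuse to parse the file and locks every sudo user out of the host at once. On Salt releases whose `file.managed` supports it, add `- check_cmd: /usr/sbin/visudo -cf` so the candidate file is validated by visudo before it replaces the real one; on releases without `check_cmd`, at least follow this state with a `cmd.wait` running `visudo -c` that watches `/etc/sudoers` so a broken render is surfaced immediately rather than on the next `sudo`. Quoting the mode as `- mode: '0440'` also avoids the YAML octal-integer pitfall for leading-zero modes.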
@@ -0,0 +1,14 @@ +{% set package_table = { + 'Debian': {'sudo': 'sudo'}, + 'Ubuntu': {'sudo': 'sudo'}, + 'CentOS': {'sudo': 'sudo'}, + 'Fedora': {'sudo': 'sudo'}, + 'RedHat': {'sudo': 'sudo'}, + 'Gentoo': {'sudo': 'app-admin/sudo'} +} %} + +{% if 'package_table' in pillar %} + {% set pkgs = pillar['package_table'] %} +{% elif grains['os'] in package_table %} + {% set pkgs = package_table[grains['os']] %} +{% endif %} From be815275bb799bf514c25c4e8cf8447a1fe94697 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:34:35 -0500 Subject: [PATCH 02/11] fixed pkgs variable --- pillar.example | 2 +- sudoers/init.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pillar.example b/pillar.example index b269253..d47b704 100644 --- a/pillar.example +++ b/pillar.example @@ -25,4 +25,4 @@ sudoers: - /usr/bin/renice - /usr/bin/pkill - /usr/bin/top - #include: /etc/sudoers.d + include: /etc/sudoers.d diff --git a/sudoers/init.sls b/sudoers/init.sls index d6622a4..1157790 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls @@ -2,7 +2,7 @@ sudo: pkg.installed: - - name: {{ pkg.sudo }} + - name: {{ pkgs.sudo }} /etc/sudoers file.managed: From ffda08bc09022e9df7ec8b04b60c0006532828d6 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:35:12 -0500 Subject: [PATCH 03/11] init.sls fix --- sudoers/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudoers/init.sls b/sudoers/init.sls index 1157790..09f10e3 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls @@ -4,7 +4,7 @@ sudo: pkg.installed: - name: {{ pkgs.sudo }} -/etc/sudoers +/etc/sudoers: file.managed: - user: root - group: root From 4f842bf457a123a19989d7fb632af4fbfea39cef Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:35:57 -0500 Subject: [PATCH 04/11] includedir fix --- pillar.example | 2 +- sudoers/files/sudoers | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
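Review bot: When `grains['os']` is not a key of `package_table` and no `package_table` pillar is set, neither branch runs and `pkgs` is never defined, so `init.sls` fails at render time on `pkgs.sudo` with an undefined-variable error that gives no hint about the unsupported OS. Add a terminating branch, e.g. `{% else %}{% set pkgs = {'sudo': 'sudo'} %}{% endif %}` with a comment `{# unknown OS: fall back to the common package name; override via the package_table pillar #}`, or fail loudly with an explicit message. Note also that a `package_table` pillar replaces the whole map, so a pillar entry missing the `sudo` key breaks the same way.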
diff --git a/pillar.example b/pillar.example index d47b704..f68a70b 100644 --- a/pillar.example +++ b/pillar.example @@ -25,4 +25,4 @@ sudoers: - /usr/bin/renice - /usr/bin/pkill - /usr/bin/top - include: /etc/sudoers.d + includedir: /etc/sudoers.d diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 5968a82..4a26197 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -36,7 +36,7 @@ Defaults {{ default }} # Group privilege specification {{ groups }} -{% if includes %} +{% if includedir %} includedir {{ includedir }} {% else %} #includedir /etc/sudoers.d From 34178002e7d165532bcb3d11af67b6956b7dc4d0 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:45:11 -0500 Subject: [PATCH 05/11] alias test --- sudoers/files/sudoers | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 4a26197..e93bd35 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -1,8 +1,8 @@ {% set sudoers = pillar.get('sudoers', {}) %} {% set defaults = sudoers.get('defaults', []) %} {% set aliases = sudoers.get('aliases', {}) %} -{% set host_aliases = aliases.get('host', []) %} -{% set user_aliases = aliases.get('user', []) %} +{% set host_aliases = aliases.get('hosts', []) %} +{% set user_aliases = aliases.get('users', []) %} {% set cmnd_aliases = aliases.get('commands', []) %} {% set runas_aliases = aliases.get('runas', []) %} {% set users = sudoers.get('users', {}) %} @@ -14,12 +14,12 @@ {% for default in defaults -%} Defaults {{ default }} -{%- endfor %} +{% endfor %} # Host alias specification -{% for default in defaults -%} -Defaults {{ default }} -{%- endfor %} +{% for name,hosts in host_aliases.items() %} +Host_Alias {{ name }} = {{ ",".join(hosts) }} +{% endfor %} # User alias specification {{ user_aliases }} From 61a216de81cf36329015d08292a9dcba02089b7a Mon Sep 17 00:00:00 2001 
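Review bot: The `includedir {{ includedir }}` line is rendered without the leading `#`, but in the sudoers grammar the directive is `#includedir /etc/sudoers.d` — the `#` is part of the keyword (sudo 1.9.1+ additionally accepts `@includedir`). With `includedir: /etc/sudoers.d` set in pillar, as this same patch's pillar.example now does, sudo parses `includedir` as a user name, the file fails to parse and every sudo invocation on the minion errors out; none of the later patches in the series corrects this. Change the line to `#includedir {{ includedir }}` so the enabled and disabled branches differ only in the path.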
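Review bot: `",".join(hosts)` assumes every alias value is a list; a scalar pillar value such as `WEBSERVERS: www1` is a string and joins to `w,w,w,1`, and a non-string list element raises a TypeError at render time. Guard it with `{{ ",".join([hosts] if hosts is string else hosts) }}` or state in pillar.example that alias values must be lists. sudo also requires alias names to be uppercase (`[A-Z][A-Z0-9_]*`) and the pillar key is emitted verbatim as `Host_Alias {{ name }}`, so a lowercase key yields a file sudo rejects; a comment `{# sudoers requires uppercase alias names #}` next to the loop would save someone a lockout.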
From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:51:13 -0500 Subject: [PATCH 06/11] fleshed out template --- pillar.example | 6 +++--- sudoers/files/sudoers | 28 +++++++++++++++++++--------- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/pillar.example b/pillar.example index f68a70b..89c5389 100644 --- a/pillar.example +++ b/pillar.example @@ -9,17 +9,17 @@ sudoers: - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" aliases: hosts: - - WEBSERVERS: + WEBSERVERS: - www1 - www2 - www3 users: - - ADMINS: + ADMINS: - millert - dowdy - mikef commands: - - PROCESSES: + PROCESSES: - /usr/bin/nice - /bin/kill - /usr/bin/renice diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index e93bd35..4abcfc7 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -1,10 +1,10 @@ {% set sudoers = pillar.get('sudoers', {}) %} {% set defaults = sudoers.get('defaults', []) %} {% set aliases = sudoers.get('aliases', {}) %} -{% set host_aliases = aliases.get('hosts', []) %} -{% set user_aliases = aliases.get('users', []) %} -{% set cmnd_aliases = aliases.get('commands', []) %} -{% set runas_aliases = aliases.get('runas', []) %} +{% set host_aliases = aliases.get('hosts', {}) %} +{% set user_aliases = aliases.get('users', {}) %} +{% set command_aliases = aliases.get('commands', {}) %} +{% set runas_aliases = aliases.get('runas', {}) %} {% set users = sudoers.get('users', {}) %} {% set groups = sudoers.get('groups', {}) %} {% set includedir = sudoers.get('includedir', None) %} 
@@ -22,19 +22,29 @@ Host_Alias {{ name }} = {{ ",".join(hosts) }} {% endfor %} # User alias specification -{{ user_aliases }} +{% for name,users in user_aliases.items() %} +User_Alias {{ name }} = {{ ",".join(users) }} +{% endfor %} # Cmnd alias specification -{{ cmnd_aliases }} +{% for name,commands in command_aliases.items() %} +Cmnd_Alias {{ name }} = {{ ",".join(commands) }} +{% endfor %} # Runas alias specification -{{ runas_aliases }} +{% for name,runas in runas_aliases.items() %} +Runas_Alias {{ name }} = {{ ",".join(runas) }} +{% endfor %} # User privilege specification -{{ users }} +{% for user,spec in users %} +{{ user }} {{ spec }} +{% endfor %} # Group privilege specification -{{ groups }} +{% for group,spec in groups %} +%{{ group }} {{ spec }} +{% endfor %} {% if includedir %} includedir {{ includedir }} From 7ae89c11ecdaed48f373cfa2fe3520b54f7ef906 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:53:00 -0500 Subject: [PATCH 07/11] user/group fix --- sudoers/files/sudoers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 4abcfc7..a7c5cca 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -37,12 +37,12 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} {% endfor %} # User privilege specification -{% for user,spec in users %} +{% for user,spec in users.items() %} {{ user }} {{ spec }} {% endfor %} # Group privilege specification -{% for group,spec in groups %} +{% for group,spec in groups.items() %} %{{ group }} {{ spec }} {% endfor %} From 3db435dcddc87ce8339a9faa1e1868927d490ea2 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:54:21 -0500 Subject: [PATCH 08/11] template cleanup --- sudoers/files/sudoers | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index a7c5cca..552881a 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers 
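Review bot: The user and group privilege lines are emitted in `users.items()` / `groups.items()` order, and for overlapping entries sudoers applies the last match, so when one account is in two pillar groups with different specs (say one `NOPASSWD`, one not) the effective policy depends on dict iteration order, which is not stable on the Python 2 interpreters of this era and may change between renders. Iterate deterministically, `{%- for user,spec in users|dictsort %}` and `{%- for group,spec in groups|dictsort %}` (same for the alias loops), which also stops the managed file from churning on every highstate. A comment `{# sorted: sudoers is last-match-wins, so order must be deterministic #}` would explain the choice.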
@@ -17,34 +17,34 @@ Defaults {{ default }} {% endfor %} # Host alias specification -{% for name,hosts in host_aliases.items() %} +{%- for name,hosts in host_aliases.items() %} Host_Alias {{ name }} = {{ ",".join(hosts) }} -{% endfor %} +{%- endfor %} # User alias specification -{% for name,users in user_aliases.items() %} +{%- for name,users in user_aliases.items() %} User_Alias {{ name }} = {{ ",".join(users) }} -{% endfor %} +{%- endfor %} # Cmnd alias specification -{% for name,commands in command_aliases.items() %} +{%- for name,commands in command_aliases.items() %} Cmnd_Alias {{ name }} = {{ ",".join(commands) }} -{% endfor %} +{%- endfor %} # Runas alias specification -{% for name,runas in runas_aliases.items() %} +{%- for name,runas in runas_aliases.items() %} Runas_Alias {{ name }} = {{ ",".join(runas) }} -{% endfor %} +{%- endfor %} # User privilege specification -{% for user,spec in users.items() %} +{%- for user,spec in users.items() %} {{ user }} {{ spec }} -{% endfor %} +{%- endfor %} # Group privilege specification -{% for group,spec in groups.items() %} +{%- for group,spec in groups.items() %} %{{ group }} {{ spec }} -{% endfor %} +{%- endfor %} {% if includedir %} includedir {{ includedir }} From 7100b0ed133ca3cf00e57aee37beee8ae267cb15 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:54:54 -0500 Subject: [PATCH 09/11] small newline removal --- sudoers/files/sudoers | 1 - 1 file changed, 1 deletion(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 552881a..3e1f6ae 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -15,7 +15,6 @@ {% for default in defaults -%} Defaults {{ default }} {% endfor %} - # Host alias specification {%- for name,hosts in host_aliases.items() %} Host_Alias {{ name }} = {{ ",".join(hosts) }} From 1c652bdffe3e7d0fb7fbd72f8eaaeae2abd579b4 Mon Sep 17 00:00:00 2001 
From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:55:11 -0500 Subject: [PATCH 10/11] more newline removal --- sudoers/files/sudoers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 3e1f6ae..9fae9a3 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -7,7 +7,7 @@ {% set runas_aliases = aliases.get('runas', {}) %} {% set users = sudoers.get('users', {}) %} {% set groups = sudoers.get('groups', {}) %} -{% set includedir = sudoers.get('includedir', None) %} +{%- set includedir = sudoers.get('includedir', None) %} # # This file is managed by salt # From 7f4a0d683463ba4ca9cd5e62d321d72a80018ab7 Mon Sep 17 00:00:00 2001 From: Kenneth Wilke Date: Tue, 20 Aug 2013 16:55:49 -0500 Subject: [PATCH 11/11] more newline removal --- sudoers/files/sudoers | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index 9fae9a3..d6aa716 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers 
@@ -1,13 +1,13 @@ {% set sudoers = pillar.get('sudoers', {}) %} -{% set defaults = sudoers.get('defaults', []) %} -{% set aliases = sudoers.get('aliases', {}) %} -{% set host_aliases = aliases.get('hosts', {}) %} -{% set user_aliases = aliases.get('users', {}) %} -{% set command_aliases = aliases.get('commands', {}) %} -{% set runas_aliases = aliases.get('runas', {}) %} -{% set users = sudoers.get('users', {}) %} -{% set groups = sudoers.get('groups', {}) %} -{%- set includedir = sudoers.get('includedir', None) %} +{%- set defaults = sudoers.get('defaults', []) %} +{%- set aliases = sudoers.get('aliases', {}) %} +{%- set host_aliases = aliases.get('hosts', {}) %} +{%- set user_aliases = aliases.get('users', {}) %} +{%- set command_aliases = aliases.get('commands', {}) %} +{%- set runas_aliases = aliases.get('runas', {}) %} +{%- set users = sudoers.get('users', {}) %} +{%- set groups = sudoers.get('groups', {}) %} +{%- set includedir = sudoers.get('includedir', None) -%} # # This file is managed by salt #