Problem is that if you don't have a way of limiting where sudo entries can 
be made, someone can create a new module and grant themselves full sudo 
rights there for a large number of systems. When in a large enterprise such 
as ours, there are modules that are created and maintained by teams outside 
of the main teams that maintain the bulk of the Puppet code.

I think one possibility we are looking into is using TeamCity (could also 
be done with Jenkins) to check that sudo calls aren't made outside of our 
protected sudo module.
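
One way to implement the CI check described in the message above, as an added example that is not part of the original post or of any Puppet module. The module name `sudo`, the `sudo::conf` defined type, the match patterns, and the sample tree are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

PROTECTED_MODULE = "sudo"  # assumption: directory name of the protected module

# Assumed spellings of a "sudo call"; comments are scanned too, because a
# false positive in CI is cheaper than a missed grant.
PATTERNS = [
    re.compile(r"/etc/sudoers"),                      # file resources under sudoers(.d)
    re.compile(r"\bsudo::\w+"),                       # e.g. sudo::conf { ... }
    re.compile(r"\b(?:include|contain|require)\s+['\"]?(?:::)?sudo\b"),
    re.compile(r"\bclass\s*\{\s*['\"](?:::)?sudo['\"]"),
]
SCANNED_SUFFIXES = {".pp", ".erb", ".epp"}

def find_violations(modules_dir):
    """Return (relative_path, line_no, text) for sudo references outside the protected module."""
    root = Path(modules_dir)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        rel = path.relative_to(root)
        if rel.parts[0] == PROTECTED_MODULE:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if any(p.search(line) for p in PATTERNS):
                hits.append((rel.as_posix(), no, line.strip()))
    return hits

def build_sample_tree(root):
    """Write a constructed modules/ tree: protected module, two offenders, one clean."""
    samples = {
        "sudo/manifests/init.pp": "class sudo {\n  file { '/etc/sudoers.d': ensure => directory }\n}\n",
        "teamapp/manifests/init.pp": "class teamapp {\n  sudo::conf { 'teamapp':\n    content => '%teamapp ALL=(ALL) ALL',\n  }\n}\n",
        "teamdb/manifests/init.pp": "class teamdb {\n  file { '/etc/sudoers.d/teamdb':\n    content => '%dba ALL=(ALL) ALL',\n  }\n}\n",
        "ntp/manifests/init.pp": "class ntp {\n  package { 'ntp': ensure => installed }\n}\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    found = find_violations(sys.argv[1] if len(sys.argv) > 1 else "modules")
    for rel, no, text in found:
        print(f"{rel}:{no}: sudo reference outside '{PROTECTED_MODULE}' module: {text}")
    sys.exit(1 if found else 0)
```

Run as a TeamCity or Jenkins build step against the modules directory, the nonzero exit code fails the build when any module other than the protected one references sudo. Text matching is only a first gate, so changes to the protected module itself still need restricted commit rights and review.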
