Re: [Puppet Users] Trying to write a visudo checker

2011-03-06 Thread John Warburton
On 4 March 2011 13:21, Rich Rauenzahn <rraue...@gmail.com> wrote:

> This visudo checker I've written (based on some examples from the web
> and puppet training materials) causes a dependency loop -- but only


I've approached the problem from another direction and we have a subversion
pre-commit hook for the sudoers file...

case $file in
*/sudoers)
    # Run visudo in check-only mode against the candidate copy; -q keeps it quiet
    # on success, and stderr is folded into OUTPUT so it can be reported below.
    OUTPUT=`/usr/sbin/visudo -c -q -f "$TMPFILE" 2>&1`
    if [ $? -ne 0 ] ; then
        echo "sudoers syntax error in $file" >&2
        echo "$OUTPUT" >&2
        exit 1
    fi
    ;;

John

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



Re: [Puppet Users] Trying to write a visudo checker

2011-03-04 Thread Alan Barrett

On Thu, 03 Mar 2011, Rich Rauenzahn wrote:
> It seems someone got clever and decided to look at exec's and 
> look for managed filenames in argument lists and create implicit 
> dependencies from them?  Argh!


Yes, the unwanted dependencies are very annoying.  Using file 
names like /dir/subdir/./file instead of /dir/subdir/file is 
enough to fool the code that adds implicit dependencies.


--apb (Alan Barrett)




Re: [Puppet Users] Trying to write a visudo checker

2011-03-04 Thread Rich Rauenzahn

On 3/4/2011 12:23 AM, Alan Barrett wrote:

> On Thu, 03 Mar 2011, Rich Rauenzahn wrote:
>> It seems someone got clever and decided to look at exec's and look 
>> for managed filenames in argument lists and create implicit 
>> dependencies from them?  Argh!
>
> Yes, the unwanted dependencies are very annoying.  Using file names 
> like /dir/subdir/./file instead of /dir/subdir/file is enough to fool 
> the code that adds implicit dependencies.




Ah, what I did instead was just do exec => diff /.$path1 /.$path2.   I 
was imagining doing much more invasive methods last night.  Thanks!





[Puppet Users] Trying to write a visudo checker

2011-03-03 Thread Rich Rauenzahn
This visudo checker I've written (based on some examples from the web
and puppet training materials) causes a dependency loop -- but only
when I include the unless => diff.  It seems someone got clever
and decided to look at exec's and look for managed filenames in
argument lists and create implicit dependencies from them?  Argh!

I also tried just making the exec a refreshonly from the sudoers_check
file's notify, but then the sudoers file itself ignored the bad return
from the exec even though it requires => the exec.

My best solution so far is to just let the visudo run every time...

$ puppet --version
2.6.4

define sudo::fragment($source, $order=10) {
    concat::fragment { "${name}_sudoers":
        source => $source,
        target => $sudo::config::sudoers,
    }
    concat::fragment { "${name}_sudoers_check":
        source => $source,
        target => $sudo::config::sudoers_check,
    }
}

class sudo::config($sudoers="/etc/sudoers") {
    $sudoers_check = "${sudoers}.check"
}

class sudo {
    include concat::setup
    $sudoers = $sudo::config::sudoers
    $sudoers_check = $sudo::config::sudoers_check
    package { "sudo":
        ensure => installed,
    }
    concat { $sudoers_check:
        owner   => root,
        group   => root,
        mode    => 440,
        warn    => true,
    }
    # The unless line is what triggers the dependency loop reported below:
    # the managed sudoers path appears in its argument list.
    exec { "visudo -cf $sudoers_check":
        path    => "/usr/sbin/:/usr/bin",
        require => [Concat[$sudoers_check], Package["sudo"]],
        unless  => "diff $sudoers $sudoers_check",
    }
    concat { $sudoers:
        owner   => root,
        group   => root,
        mode    => 440,
        require => [Exec["visudo -cf $sudoers_check"], File[$sudoers_check]],
        warn    => true,
    }
}

class { "sudo::config": sudoers => "/tmp/sudoers" }

sudo::fragment { "ob":
    source   => "puppet:///modules/sudo/sudoers",
    #source   => "/etc/passwd",
}

err: Could not apply complete catalog: Found dependency cycles in the
following relationships:
Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments],
Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments],
Exec[visudo -cf /tmp/sudoers.check] => File[/tmp/sudoers],
Exec[concat_/tmp/sudoers] => File[/tmp/sudoers],
File[/tmp/sudoers] => Exec[visudo -cf /tmp/sudoers.check],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => Exec[concat_/tmp/sudoers],
Exec[visudo -cf /tmp/sudoers.check] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat] => Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat],
Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat];
try using the '--graph' option and open the '.dot' files in OmniGraffle or GraphViz

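Added example, not code from this thread or from Puppet itself: a small Python model of how the exec type's implicit File dependencies were derived in Puppet 2.6, applied to Rich's manifest to show why the cycle appears only once the unless => "diff ..." line is present, and why Alan's /dir/subdir/./file and Rich's /.$path spelling avoid it. The regex behaviour (only a leading absolute path in command counts, every absolute path in onlyif/unless counts, matching is by exact string) is an assumption about 2.6 stated in the comments.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Added example, not Puppet's own code: a simplified model of how the exec type
# in Puppet 2.6 autorequired File resources.  Assumed behaviour: only a leading
# absolute path in 'command' (the executable) counts, while 'onlyif'/'unless'
# are scanned for every absolute path and matched by exact string against
# managed File titles, so '/dir/./file' never matches File['/dir/file'].
LEADING_PATH = re.compile(r"^(/\S+)")
ANY_PATH = re.compile(r"(/\S+)")

def exec_autorequires(command: str, unless: Optional[str] = None,
                      onlyif: Optional[str] = None) -> List[str]:
    """Absolute paths the exec would try to autorequire."""
    reqs = LEADING_PATH.findall(command)
    for check in (onlyif, unless):
        if check:
            reqs += ANY_PATH.findall(check)
    return reqs

def implicit_file_deps(managed: Set[str], command: str,
                       unless: Optional[str] = None) -> Set[str]:
    """Managed File titles that silently gain a File -> Exec edge."""
    return {p for p in exec_autorequires(command, unless) if p in managed}

def has_cycle(edges: Set[Tuple[str, str]]) -> bool:
    """DFS cycle check over (before, after) relationship edges."""
    graph: Dict[str, List[str]] = {}
    for a, b in edges:
        graph.setdefault(a, []).append(b)
    state: Dict[str, int] = {}  # 1 = on the DFS stack, 2 = finished

    def visit(n: str) -> bool:
        if n in state:
            return state[n] == 1  # back edge to a node still on the stack
        state[n] = 1
        found = any(visit(m) for m in graph.get(n, []))
        state[n] = 2
        return found

    return any(visit(n) for n in list(graph))

def sudo_manifest_cycles(sudoers: str, check: str, unless: Optional[str]) -> bool:
    """Rich's manifest: File[check] -> Exec[visudo] -> File[sudoers] explicitly,
    plus whatever the exec autorequires from its command and unless."""
    exec_name = f"Exec[visudo -cf {check}]"
    edges = {(f"File[{check}]", exec_name), (exec_name, f"File[{sudoers}]")}
    for p in implicit_file_deps({sudoers, check}, f"visudo -cf {check}", unless):
        edges.add((f"File[{p}]", exec_name))
    return has_cycle(edges)
```

Running sudo_manifest_cycles("/tmp/sudoers", "/tmp/sudoers.check", ...) with no unless, with "diff /tmp/sudoers /tmp/sudoers.check", and with "diff /./tmp/sudoers /./tmp/sudoers.check" reproduces the three outcomes discussed in the thread: no loop, loop, no loop.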