ahuffman / ansible-sudoers

Controls the configuration of the default /etc/sudoers file and included files/directories.
MIT License

command and user aliases are not created inside sudoers.d #29

Closed flynn1973 closed 5 years ago

flynn1973 commented 6 years ago

settings:

sudoer_separate_specs: True
sudoer_rewrite_sudoers_file: False
sudoer_remove_unauthorized_specs: True

playbook:

- name: testme
  hosts: AIXWUKIT,SAG0120_TESTLPAR
  gather_facts: no

  vars:
      sudoer_aliases:
        user:
          - name: XAIX_STAFF
            comment: aix users
            users:
              - ab
              - alti
              - nj
              - rb
              - rgruber
              - tremch
              - seb
              - walzjo
              - gnowotny

        runas:
          - name: ROOT
            comment: root stuff
            users:
              - '#0'

        command:
          - name:  XSU_ROOT
            comment: root stuff
            commands:
              - /usr/bin/su -, /usr/bin/su - -c *

      sudoer_specs:
        - name: XPERM_AIX
          comment: aix permissions
          users: XAIX_STAFF
          hosts: ALL
          operators: ROOT
          tags: NOPASSWD
          commands: ALL
          defaults:
            - '!requiretty'
  roles:
       - manage_sudoers

result (missing command and user aliases):

root@aixwukit: /etc/sudoers.d # ls -l
total 8
-r--r----- 1 root system 146 Sep 07 14:03 XPERM_AIX
root@aixwukit: /etc/sudoers.d # cat XPERM_AIX
# Ansible managed: Manual interventions are a waste of time.

# aix permissions
Defaults:XAIX_STAFF !requiretty
XAIX_STAFF ALL=(ROOT) NOPASSWD: ALL

ahuffman commented 5 years ago

The command alias and user alias always gets created in /etc/sudoers. The specific specs get created in /etc/sudoers.d. In your specified configuration, you'll want to make some changes specifically to the sudoer_specs definition:

sudoer_specs:
        - name: XPERM_AIX
          comment: aix permissions
          users: XAIX_STAFF
          hosts: ALL
          operators: XAIX_STAFF
          tags: NOPASSWD
          commands: XSU_ROOT
          defaults:
            - '!requiretty'

Produces /etc/sudoers.d/XPERM_AIX:

# Ansible managed

# aix permissions
Defaults:XAIX_STAFF !requiretty
XAIX_STAFF ALL=(XAIX_STAFF) NOPASSWD: XSU_ROOT

Another problem I see with your configuration is that you should have the following change for your command alias:

        command:
          - name:  XSU_ROOT
            comment: root stuff
            commands:
              - "/usr/bin/su -"
              - "/usr/bin/su - -c *"

This will produce an /etc/sudoers file like so:

# Ansible managed

Defaults    !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC"
Defaults    env_keep += "KDEDIR LS_COLORS MAIL PS1 PS2"
Defaults    env_keep += "QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY"
Defaults    env_keep += "LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME"
Defaults    env_keep += "LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = "/sbin:/bin:/usr/sbin:/usr/bin"

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# aix users
User_Alias XAIX_STAFF = ab,alti,nj,rb,rgruber,tremch,seb,walzjo,gnowotny

## Runas Aliases
# root stuff
Runas_Alias ROOT = #0

## Command Aliases
## These are groups of related commands...
# root stuff
Cmnd_Alias XSU_ROOT = /usr/bin/su -,/usr/bin/su - -c *

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
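An added check, not part of this issue thread or of the role's own code: a small Python script that collects the alias definitions the role writes to /etc/sudoers and reports every alias a /etc/sudoers.d drop-in refers to that the main file does not define, which is the split between the two files this thread is about. The sample file contents are constructed from the playbook and outputs above, and the parser only handles the simple spec, alias and per-user Defaults lines shown here.

```python
import re
# Constructed: alias lines the role writes to /etc/sudoers from the playbook above.
MAIN_SUDOERS = """\
User_Alias XAIX_STAFF = ab,alti,nj,rb,rgruber,tremch,seb,walzjo,gnowotny
Runas_Alias ROOT = #0
Cmnd_Alias XSU_ROOT = /usr/bin/su -,/usr/bin/su - -c *
"""
# Constructed: the drop-in the reporter found in /etc/sudoers.d/XPERM_AIX.
DROP_IN = """\
Defaults:XAIX_STAFF !requiretty
XAIX_STAFF ALL=(ROOT) NOPASSWD: ALL
"""
ALIAS_DEF = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+([A-Z][A-Z0-9_]*)\s*=")
SPEC_LINE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_PREFIX = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ... before a command

def defined_aliases(text):
    """Map alias kind -> set of names declared in the main sudoers text."""
    found = {k: set() for k in ("User", "Runas", "Host", "Cmnd")}
    for line in text.splitlines():
        m = ALIAS_DEF.match(line.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return found

def is_alias_ref(token):
    # alias names are upper-case identifiers; ALL is a keyword, not an alias
    return token != "ALL" and re.fullmatch(r"[A-Z][A-Z0-9_]*", token) is not None

def undefined_refs(drop_in, aliases):
    """Return (kind, name, line) for each alias a drop-in uses but the main file lacks."""
    missing = []
    for raw in drop_in.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        refs = []
        if line.startswith("Defaults:"):  # per-user Defaults may name a User_Alias
            refs.append(("User", line[len("Defaults:"):].split()[0]))
        elif line.startswith("Defaults"):
            continue
        elif (m := SPEC_LINE.match(line)):
            user, host, runas, cmnds = m.groups()
            refs += [("User", user), ("Host", host)]
            refs += [("Runas", r.strip()) for r in (runas or "").split(",") if r.strip()]
            refs += [("Cmnd", TAG_PREFIX.sub("", c.strip())) for c in cmnds.split(",")]
        for kind, name in refs:
            if is_alias_ref(name) and name not in aliases[kind]:
                missing.append((kind, name, line))
    return missing
```

Run it against the real files by reading /etc/sudoers and each file under /etc/sudoers.d into the two arguments; an empty result means every alias the drop-ins use is defined in the main file.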