Open robertlich opened 3 months ago
Describe the Bug
Running this block to configure my sudo_accounts:

```puppet
augeas { 'sudo_accounts':
  context => '/files/etc/sudoers',
  changes => [
    # Create a command alias for switching a user
    "set Cmnd_Alias/alias/name ELEVATING",
    "set Cmnd_Alias/alias/command[1] /bin/su",
    "set Cmnd_Alias/alias/command[2] /bin/usr/su",
    # Allow the wheel group to run all commands without a password, excepting the ELEVATING commands
    "set spec[user = '%wheel']/user %wheel",
    "set spec[user = '%wheel']/host_group/host ALL",
    "set spec[user = '%wheel']/host_group/command[1] ALL",
    "set spec[user = '%wheel']/host_group/command[1]/runas_user ALL",
    "set spec[user = '%wheel']/host_group/command[1]/tag NOPASSWD",
    "set spec[user = '%wheel']/host_group/command[2] ELEVATING",
    # This is the change that fails:
    "set spec[user = '%wheel']/host_group/command[2]/negate",
    # Workaround that does work:
    # "clear spec[user = '%wheel']/host_group/command[2]/negate",
  ],
  onlyif => "match spec/user[.='%wheel'][../host_group/command/tag='NOPASSWD'] size == 0",
}
```

results in an error that I am missing the second argument for set.

Expected Behavior
Using the same augtool executable to run:

```
set /files/etc/sudoers/spec[3]/host_group/command/negate
```

will result in the command on that line being negated. In this particular example it turns:

```
%wheel ALL=(ALL) NOPASSWD : ALL , ELEVATING
=> %wheel ALL=(ALL) NOPASSWD : ALL , !ELEVATING
```

Notably, if I were to try to just use:

```
"set spec[user = '%wheel']/host_group/command[2] !ELEVATING",
```

in the Puppet code above, that also fails. So I'm left with no options for set to negate a command in the sudoers file, which doesn't match the actual behaviour of augtool.

I am able to get around this by using:

```
"clear spec[user = '%wheel']/host_group/command[2]/negate"
```

But that's a little unintuitive.

Steps to Reproduce
I have provided the steps to reproduce as part of the above.
Environment
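To check the augtool side of this report without touching a live /etc/sudoers, here is an added reproducer (editor's example, not part of the issue and not code from the puppet-augeas project). It writes a constructed sudoers file into a throwaway root, applies the same valueless `set .../negate` the post says works in augtool, and prints the rewritten `%wheel` line. The function names `make_sudoers` and `negate_elevating`, the temporary root, and the two-line sudoers content are my own; `augtool` from augeas-tools has to be installed, and `visudo` is only used if present.

```shell
#!/bin/sh
# Added reproducer for the augtool side of the report: negate the second
# command of the %wheel spec in a constructed sudoers file under a
# throwaway root (augtool -r), so the real /etc/sudoers is never touched.
set -eu

# Write the constructed "before" sudoers into $1/etc/sudoers.
make_sudoers() {
    root=$1
    mkdir -p "$root/etc"
    cat > "$root/etc/sudoers" <<'EOF'
Cmnd_Alias ELEVATING = /bin/su
%wheel ALL=(ALL) NOPASSWD : ALL , ELEVATING
EOF
}

# Apply the same valueless `set .../negate` the issue shows working in
# augtool (the node is created with a NULL value, exactly what `clear`
# would do), then print the rewritten %wheel line.
negate_elevating() {
    root=$1
    augtool -r "$root" --noautoload >/dev/null <<'EOF'
transform Sudoers incl /etc/sudoers
load
set /files/etc/sudoers/spec[user='%wheel']/host_group/command[2]/negate
save
EOF
    grep '^%wheel' "$root/etc/sudoers"
}

if command -v augtool >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_sudoers "$tmp"
    printf 'before: %s\n' "$(grep '^%wheel' "$tmp/etc/sudoers")"
    printf 'after:  %s\n' "$(negate_elevating "$tmp")"
    # Syntax-check the result when visudo is available (-f skips the
    # ownership and mode checks that would fail on a temp file).
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp/etc/sudoers" || echo "visudo rejected the result" >&2
    fi
else
    echo "augtool (augeas-tools) is not installed; nothing to run" >&2
fi
```

In augtool a `set PATH` with no value and a `clear PATH` both leave the node with a NULL value, which is why the `clear` workaround in the post renders as `!ELEVATING` through the Sudoers lens. One caveat on the resulting line itself, independent of the augeas bug: sudoers(5) documents under "Limitations of the '!' operator" that subtracting commands from `ALL` is not an effective control, since a user who can run `ALL` can copy `/bin/su` to another path or start a shell, so `ALL , !ELEVATING` should not be relied on to keep wheel members from switching users.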