robertdebock / ansible-role-users

The purpose of this role is to add users and groups on your system.
https://robertdebock.nl/
Apache License 2.0

syntax error near line 120 #31

Closed glassfox closed 11 months ago

glassfox commented 1 year ago

Looks like a regression. When I execute the playbook with version 6.0.0, the following error occurred:

packer.amazon-ebs.amazon_linux2: TASK [users : Ensure the /etc/sudoers.d directory is included] *****************
packer.amazon-ebs.amazon_linux2: fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1694096904.2884834-4728-121955127142261/tmplp8wizy1: syntax error near line 120 <<<\n"}

In version 5.6.0 it works as expected.


NoefHDZ commented 1 year ago

I also have the same problem

TASK [robertdebock.users : Ensure the /etc/sudoers.d directory is included] ************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1696359389.56-19329-5225390177548/tmpHnuY8I: syntax error near line 120 <<<\n"}

NoefHDZ commented 1 year ago

The problem is only in the latest version, in my case I installed version 5.6.0 and it allowed me to work without problems.

robertdebock commented 11 months ago

Let me have a look. If I remember correctly, the syntax to include files was "#includedir /etc/sudoers.d", and in newer versions of sudo it can be "@includedir /etc/sudoers.d".

Thanks for your input!

robertdebock commented 11 months ago

I also have the same problem

TASK [robertdebock.users : Ensure the /etc/sudoers.d directory is included] ************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1696359389.56-19329-5225390177548/tmpHnuY8I: syntax error near line 120 <<<\n"}

What OS are you applying the role to? Also amazonlinux, like @glassfox?

NoefHDZ commented 11 months ago

Hi

I have the problem on CentOS 7.


robertdebock commented 11 months ago

Okay, that indeed was not tested. I've changed the role a bit to fix RHEL-7. (Not released, still testing.)

NoefHDZ commented 11 months ago

Thanks 😀

I'm waiting for the release.


robertdebock commented 11 months ago

TL;DR: Should have worked, I'll make a change to the role.

Hm, I can't reproduce the issue. I'm running on:

bash-5.2# cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"
PLATFORM_ID="platform:al2023"
PRETTY_NAME="Amazon Linux 2023"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
HOME_URL="https://aws.amazon.com/linux/"
BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
SUPPORT_END="2028-03-01"

With sudo version:

bash-5.2# sudo --version
Sudo version 1.9.13p2

In my case the original /etc/sudoers contains these last lines:

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

And after applying the role, these lines look like this:

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
@includedir /etc/sudoers.d

So, it actually changed the # to a @ symbol.

That should work, but since # is default, I'll change the role to use # over @.
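As an added illustration (not code from the role or from anyone in this thread): the two spellings differ by sudo version, since "@include"/"@includedir" only appeared in sudo 1.9.1 while "#includedir" is still parsed by 1.9.x, so "#" is the form that validates on every release. The script below parses a sudo --version banner, reports the line number visudo would name in "syntax error near line N", and rewrites the directive to the portable form; the short sudoers tail it operates on is constructed.

```python
from __future__ import annotations

import re

# sudo added the '@include' / '@includedir' spellings in 1.9.1; '#includedir'
# is still parsed by 1.9.x for compatibility, so it is the form that works on
# both sudo 1.8 (CentOS 7, Amazon Linux 2) and 1.9.13p2 (Amazon Linux 2023).
AT_INCLUDE_MIN_VERSION = (1, 9, 1)
PORTABLE_DIRECTIVE = "#includedir"

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)(?:\.(\d+))?")
_INCLUDE_RE = re.compile(r"^[ \t]*([#@])includedir[ \t]+(\S+)", re.MULTILINE)

# Constructed sample: the last lines of a sudoers file after the role ran.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root\tALL=(ALL)\tALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
@includedir /etc/sudoers.d
"""


def parse_sudo_version(banner: str) -> tuple[int, int, int]:
    """Turn `sudo --version` output (e.g. 'Sudo version 1.9.13p2') into a
    comparable tuple; the 'pN' patch suffix does not affect accepted syntax."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised sudo version banner: {banner!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def supports_at_include(version: tuple[int, int, int]) -> bool:
    return version >= AT_INCLUDE_MIN_VERSION


def check_sudoers_include(sudoers: str, version: tuple[int, int, int]) -> dict:
    """Find the includedir line and say whether this sudo will parse it.
    'line' is the 1-based number visudo reports as 'syntax error near line N'."""
    for lineno, line in enumerate(sudoers.splitlines(), start=1):
        m = _INCLUDE_RE.match(line)
        if m:
            marker, path = m.groups()
            ok = marker == "#" or supports_at_include(version)
            return {"line": lineno, "directive": marker + "includedir",
                    "path": path, "supported": ok}
    return {"line": None, "directive": None, "path": None, "supported": False}


def rewrite_include(sudoers: str) -> str:
    """Normalise the include line to the portable '#includedir' form, the safe
    thing to write before handing the file to `visudo -c` for validation."""
    return _INCLUDE_RE.sub(lambda m: f"{PORTABLE_DIRECTIVE} {m.group(2)}", sudoers)


if __name__ == "__main__":
    old_sudo = parse_sudo_version("Sudo version 1.8.23")  # CentOS 7 era sudo
    print(check_sudoers_include(SAMPLE_SUDOERS, old_sudo))
    print(check_sudoers_include(rewrite_include(SAMPLE_SUDOERS), old_sudo))
```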

robertdebock commented 11 months ago

Please try again, version 6.1.2 has a fix for Amazonlinux included.

alex-inqwise commented 10 months ago

Thanks, @robertdebock,

I may be missing something, but it appears that the default version of 'users' in Galaxy is still throwing an exception. Could you please advise?

packer.amazon-ebs.amazon_linux2: TASK [users : Ensure the /etc/sudoers.d directory is included] *****************
packer.amazon-ebs.amazon_linux2: fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1701616035.2604175-2052-216787915345326/tmp8cbilg8i: syntax error near line 120 <<<\n"}

alex-inqwise commented 10 months ago

If it helps, here is the 'users' section of my configuration:

- include_role:
    name: users
  vars:
    users_group_list:
      - name: "{{ app_group }}"
    users_user_list:
      - name: "{{ app_user }}"
        group: "{{ app_group }}"
        shell: /sbin/nologin
        append: yes
      - name: user1
        groups:
          - "{{ app_group }}"
        cron_allow: yes
        sudo_options: "ALL=(ALL) NOPASSWD: ALL"
        expires: -1
        authorized_keys:
          - "ssh-rsa AAAAB3Nz..."
      - name: user2
        cron_allow: yes
        sudo_options: "ALL=(ALL) NOPASSWD: ALL"
        expires: -1
        authorized_keys:
          - "ssh-rsa AAAAB3..."

robertdebock commented 10 months ago

I see you are using the variable users_user_list, which has been renamed recently to users.

So that would mean you are using an older version of the role, missing the latest fixes around sudo. I think an update (ansible-galaxy install robertdebock.users --force) will help.

alex-inqwise commented 10 months ago

Strange, because I execute the playbook on a new instance. Following are my logs:

Starting galaxy role install process
- downloading role 'users', owned by robertdebock
- downloading role from https://github.com/robertdebock/ansible-role-users/archive/6.1.4.tar.gz

...

TASK [users : Loop over users_groups] ******************************************
skipping: [127.0.0.1]
TASK [users : Ensure the /etc/sudoers.d directory is included] *****************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1701868048.8764532-6174-117411621346678/tmp53snsp2z: syntax error near line 120 <<<\n"}

glassfox commented 10 months ago

The issue still occurs on AWS instances.

glassfox commented 10 months ago

Following is the sudoers file content before and after the actual change:

Before:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

After:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
@includedir /etc/sudoers.d
glassfox commented 9 months ago

Hi @robertdebock, can you reopen the issue, or would you prefer that I create a new one?