Closed noelmcloughlin closed 3 years ago
Selfie-merging as no reviewers/codeowners available and open 10 days
:tada: This PR is included in version 0.25.0 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
Thanks, @noelmcloughlin.
Reviewed and standardised in 9ea8e3ddce2ebab4d5b1f286d9fceba6eb1734e7 (using https://github.com/myii/ssf-formula/pull/363):
appended
suite for all platforms._mapdata
verification files.What a big PR I would have liked to review if I had been 'ping'-ed.
I'm not sure but I have the feeling that a complete new state and a complete new test suite is overkill, but I may be wrong and it could be that it's the only solution.
What a big PR I would have liked to review if I had been 'ping'-ed.
I'm not sure but I have the feeling that a complete new state and a complete new test suite is overkill, but I may be wrong and it could be that it's the only solution.
@daks If you'd like to get pinged for PRs here, would you consider being added as a code owner?
It is actually a small PR, adding state + true/false flag and false by default. But we have extensive CI hooks so about 60 files need updates for CI to pass.
@noelmcloughlin I don't call a 60 modified files PR a small one, but YMMV :) (for salt formulas at least)
I took a moment to re-read quietly:
sudoers/included.sls
to sudoers/included/install.sls
which I don't see the point but OK (maybe later other states in included
could be necessary)_mapdata
verification step, not useful for the feature itself but it's verificationIn reality seems quite fine :)
I finally understand the purpose of this PR.
Standard sudo configuration is to have #includedir /etc/sudoers.d
at the end of /etc/sudoers
file and then rely on correct ordering for included infiles present in /etc/sudoers
, like for example using 01
, 02
prefixes for filenames. (see https://unix.stackexchange.com/questions/423294/are-the-files-in-etc-sudoers-d-read-in-a-particular-order)
What you added is the possibility to specify the include order directly in main file, without managing this file.
In my point of view, if you manage the data provided to the formula to create the included files (with pillar or anything else) you also can manage the name you give to those files, and you can order them. Without this new feature.
With all respect @noelmcloughlin , I am doubtful about the usefulness of this feature. Could you give us more details?
With all respect @noelmcloughlin , I am doubtful about the usefulness of this feature. Could you give us more details?
I wanted to append config to a system deployed by someone else with a /etc/sudoers
file that was unconventional & not best practice. My additions to /etc/sudoers.d
were blocked by lines appended to bottom of /etc/sudoers
during system provisioning and this PR was only solution to force my addition to be applied last. If I controlled /etc/sudoers
I would not have the problem and PR would not be useful, but I did not control that file (and did not want to). The feature is not useful for anyone else probably so is off by default.
OK, but couldn't you just change the filenames deployed to /etc/sudoers.d
? This is the way to do it not modifying /etc/sudoers
(that's what I think at least)
I think I understand your problem and I see it's really specific. I'm not really sure all this code (code/tests/doc/test suite) which has to be maintained was worth to be added for this very very specific setup.
This now has been merged and you need it, so let it stay here.
Its not about filenames. Adding files to /etc/sudoers.d
is only guaranteed to work in two situations:
#include /etc/sudoers.d
has precedence in /etc/sudoers
file (last entry)
OR #include /etc/sudoers.d
do not mask /etc/sudoers.d
configuration.If both statements are false, this PR is only solution.
I'm not sure I understand, but on every Linux distribution I saw default /etc/sudoers
has the line #include /etc/sudoers.d
at the end of the file, so you can always override any values in this file with a file in /etc/sudoers.d
.
And in this directory, it's when the filenames are important to evaluate them.
What I mean is: if you have no control over /etc/sudoers
main file but you have control over /etc/sudoers.d
files, enforcing that the line #includedir /etc/sudoers.d
is at the end of the main file is sufficient, no need to enforce each one of the files. (if you choose carefully the filenames in this directory of course).
I have no control over /etc/sudoers and there is no guarantee #includedir /etc/sudoers.d will ever appear at the end of that file. On vanilla linux yes. On a security hardened system, that line is rarely the last entry in the main file. The PR is necessary when those additional entries mask /etc/sudoers.d feature and block my configuration, perhaps unintentionally.
On Mon, Sep 20, 2021 at 3:21 PM Éric Veiras Galisson < @.***> wrote:
What I mean is: if you have no control over /etc/sudoers main file but you have control over /etc/sudoers.d files, enforcing that the line #includedir /etc/sudoers.d is at the end of the main file is sufficient, no need to enforce each one of the files. (if you choose carefully the filenames in this directory of course).
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/saltstack-formulas/sudoers-formula/pull/78#issuecomment-922974274, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADFUUQTRYCUZKP2SAZDEKUTUC47NBANCNFSM5CNAVPIQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
PR progress checklist (to be filled in by reviewers)
What type of PR is this?
Primary type
[build]
Changes related to the build system[chore]
Changes to the build process or auxiliary tools and libraries such as documentation generation[ci]
Changes to the continuous integration configuration[feat]
A new feature[fix]
A bug fix[perf]
A code change that improves performance[refactor]
A code change that neither fixes a bug nor adds a feature[revert]
A change used to revert a previous commit[style]
Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)Secondary type
[docs]
Documentation changes[test]
Adding missing or correcting existing testsDoes this PR introduce a
BREAKING CHANGE
?No.
Related issues and/or pull requests
Describe the changes you're proposing
This PR covers the scenario where included files are not being applied because the main config (i.e. /etc/sudoers) has entries inserted after the "
#includedir /etc/sudoers.d
" line, changing the expected outcome of adding our "included files":The sudoers man page says the last match wins. To guarantee the matching of our "included files" this PR is an option to append these to the end of /etc/sudoers and add CI tests to confirm changes are applied:
Pillar / config required to test the proposed changes
Debug log showing how the proposed changes work
Documentation checklist
README
(e.g.Available states
).pillar.example
.Testing checklist
state_top
).Additional context