tacerus
commented
7 months ago It seems this was already attempted to be tackled in https://github.com/saltstack-formulas/sudoers-formula/pull/67 some years ago but without a conclusion.
Open tacerus opened 7 months ago
tacerus
commented
7 months ago It seems this was already attempted to be tackled in https://github.com/saltstack-formulas/sudoers-formula/pull/67 some years ago but without a conclusion.
daks
commented
7 months ago @tacerus the idea was to change the implementation to use lists instead of a dict to preserve the rules order. And introduce a BREAKING CHANGE. But in fact no implementation was made
Don't hesitate to try to re-implement it, even starting from the previous PR if it's still applicable. Don't hesitate to seek help from other formulas maintainers/users (see salt community slack and #formulas channel). (I'm myself no longer active on salt right now)
tacerus
commented
7 months ago Hi, thanks for getting back.
I think the patch in https://github.com/saltstack-formulas/sudoers-formula/pull/67 is perfectly reasonable. The pillar in Salt is stored as OrderedDict these days, making .items() reasonably idempotent. Only when new lines are introduced, existing ones might be slightly reordered.
Your setup
Formula commit hash / release tag
Versions reports (master & minion)
Pillar / config used
Bug details
Describe the bug
Currently, rules are run through
dictsort, which causes issues with users/groups which match multiple rules. Sudo takes the last matching rule - which may not always be desirable - for example if one wants to haveNOPASSWDfor a specific command take priority over a general password enforced rule.Example:
Returns:
It should be vice versa, as now, for users who are in both groups (
wheelandhypervisor.cluster-admins) theNOPASSWDrule never matches, as thewheelrule takes priority.I'm not sure if just removing
dictsortis the right solution either though, I think it requires some other logic.Steps to reproduce the bug
Expected behaviour
Attempts to fix the bug
Additional context