saz / puppet-sudo

Manage sudo with Puppet on Debian-, RedHat- and SUSE-based Linux distributions and some BSDs

visudo check may give false sense of syntax correctness #125

Closed somic closed 6 years ago

somic commented 9 years ago

Before https://github.com/saz/puppet-sudo/pull/99, visudo checked the entire sudo config. In that PR it started checking just the single config file being added/modified.

Unfortunately, this may give a false sense of syntax correctness. For example, if your sudo::conf { 'foo': } redefines a Cmnd_Alias that is already defined somewhere else, the current file will pass visudo syntax checks but the sudo config as a whole will be broken.

Maybe consider changing visudo exec to be what it used to be before PR 99 and add validate_cmd on File resource inside sudo::conf? I am not yet convinced it's the best way forward though.
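The failure mode described in the comment above, as an added example that is not part of the original comment or of the puppet-sudo module: each fragment is valid on its own, and the conflict only shows when the fragments are read together. The file names, alias names and helper functions are constructed for illustration, and treating a redefinition as "same alias type and same name" is an assumption.

```ruby
# Added example: report sudoers aliases defined in more than one fragment.
# Assumption: a redefinition means the same alias type and name appearing twice.
ALIAS_DEF = /\A(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+(.*)\z/

# Join backslash-continued lines, then drop blank lines and comment lines.
def logical_lines(text)
  text.gsub(/\\\r?\n/, ' ').each_line.map(&:strip)
      .reject { |line| line.empty? || line.start_with?('#') }
end

# Map [alias type, alias name] => list of files that define it.
def alias_definitions(files)
  defs = Hash.new { |hash, key| hash[key] = [] }
  files.each do |path, text|
    logical_lines(text).each do |line|
      match = ALIAS_DEF.match(line)
      next unless match
      # One line may hold several definitions separated by an unescaped ':'.
      match[2].split(/(?<!\\):/).each do |segment|
        name = segment[/\A\s*([A-Z][A-Z0-9_]*)\s*=/, 1]
        defs[[match[1], name]] << path if name
      end
    end
  end
  defs
end

# Keep only the aliases that are defined more than once across all files.
def duplicate_aliases(files)
  alias_definitions(files).select { |_key, paths| paths.size > 1 }
end

# Constructed sample: two fragments that each pass a single-file check.
SAMPLE = {
  '/etc/sudoers.d/10_base' => <<~'EOS',
    Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx
    %ops ALL = SERVICES
  EOS
  '/etc/sudoers.d/20_foo' => <<~'EOS'
    # constructed stand-in for a file written by sudo::conf { 'foo': }
    Cmnd_Alias SERVICES = \
      /usr/bin/systemctl restart app
    %dev ALL = SERVICES
  EOS
}.freeze

duplicate_aliases(SAMPLE).each do |(type, name), paths|
  puts "#{type} #{name} defined in: #{paths.join(', ')}"
end
```

A scan like this only covers alias collisions; it does not replace running visudo against the full configuration.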

saz commented 6 years ago

This is configurable in the current master.