saz / puppet-sudo

Manage sudo with Puppet on Debian-, RedHat- and SUSE-based linux distributions and some BSDs

Group names with space #262

Closed joneswac closed 1 month ago

joneswac commented 3 years ago

Version: saz-sudo (v6.0.0)

This issue affects Active Directory (or other LDAP) joined machines.

When setting a config with content that includes a group name with space in it there is a parsing error during the Puppet run. Example code:

  'space-group':
    content: "%group\ with\ space     ALL=(ALL)   ALL"
    priority: 20

Puppet run error

Notice: /Stage[main]/Sudo/Sudo::Conf[space-group]/Exec[sudo-syntax-check for file/etc/sudoers.d/20_space-group]/returns: parse error in /etc/sudoers.d/20_space-group near line 2

The content portion of this works in RHEL/CentOS 7 -- I'm not sure if that's a caveat to those OSes or standard Linux. Here's a forum from RedHat where I found this answer. https://access.redhat.com/discussions/2950661
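An added worked example, not part of this thread or of the puppet-sudo module: it traces what happens to the rule string in the example above between the Hiera YAML and the file under /etc/sudoers.d. The double-quoted YAML scalar decoder below is a hand-written subset of the YAML 1.2 escape table (an assumption is that only the escapes listed matter for sudoers content; it is not PyYAML), `sudoers_fragment` assumes the module writes a one-line comment header so the rule lands on line 2 as in the error message, and `visudo_check` is a hypothetical helper that reproduces a `visudo -c -f` syntax check on a temporary copy.

```python
"""Added example (not part of puppet-sudo): how quoting in YAML changes a sudoers
rule that escapes spaces with backslashes, checked with `visudo -c -f`."""
import os
import shutil
import subprocess
import tempfile

# YAML 1.2 double-quoted escapes relevant to sudoers content (subset, assumption).
# Backslash-space is a legal YAML escape meaning a plain space, so "\ " decodes to " ".
_YAML_DQ_ESCAPES = {
    ' ': ' ', '\\': '\\', '"': '"', '/': '/',
    'n': '\n', 't': '\t', 'r': '\r', '0': '\0',
}


def yaml_double_quoted(body: str) -> str:
    """Decode the body (text between the quotes) of a YAML double-quoted scalar."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\':
            if i + 1 >= len(body):
                raise ValueError('dangling backslash in double-quoted scalar')
            nxt = body[i + 1]
            if nxt not in _YAML_DQ_ESCAPES:
                raise ValueError(f'unsupported escape \\{nxt}')
            out.append(_YAML_DQ_ESCAPES[nxt])
            i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def yaml_single_quoted(body: str) -> str:
    """Decode a YAML single-quoted scalar: backslashes are literal, '' means one quote."""
    return body.replace("''", "'")


def sudoers_fragment(content: str) -> str:
    """Render a sudoers.d fragment: assumed comment header on line 1, rule on line 2."""
    return f"# Managed by Puppet (assumed header line)\n{content}\n"


def visudo_check(fragment: str):
    """Run `visudo -c -f` on a temp copy. Returns True/False, or None when visudo is absent."""
    if shutil.which('visudo') is None:
        return None
    with tempfile.NamedTemporaryFile('w', suffix='.sudoers', delete=False) as fh:
        fh.write(fragment)
        path = fh.name
    try:
        result = subprocess.run(['visudo', '-c', '-f', path], capture_output=True, text=True)
        return result.returncode == 0
    finally:
        os.unlink(path)


# Constructed input: the rule text from the issue, as the bytes between the quotes.
RULE_BODY = r'%group\ with\ space     ALL=(ALL)   ALL'

if __name__ == '__main__':
    for label, decoded in (('double-quoted', yaml_double_quoted(RULE_BODY)),
                           ('single-quoted', yaml_single_quoted(RULE_BODY))):
        # Double-quoted: the backslashes are consumed by YAML and the group name
        # reaches the file unescaped; single-quoted: the escapes survive intact.
        print(f'{label:14s} -> {decoded!r}  visudo ok: {visudo_check(sudoers_fragment(decoded))}')
```

Run it as a script on a host with sudo installed to see both fragments checked; the decoded strings alone show the difference, since `%group with space` reaches the file only when the scalar is double-quoted.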

zilchms commented 3 years ago

Can you specify on what OS your agent is running into this issue? It helps me try to replicate this.

joneswac commented 3 years ago

The issue was experienced on CentOS Linux release 7.9.2009 (Core); if it matters Puppet agent version 5.5.22.

saz commented 3 years ago

I don't see a good way to solve this issue. content is just a string. I don't see any way to escape just the group part within it.

joneswac commented 3 years ago

I don't see where the error is coming from. visudo -c comes back clean when I check the configuration, and if the string from content is just filled into a text file under sudoers.d, where is it being parsed?

zilchms commented 3 years ago

If I read this correctly it starts somewhere around here: https://github.com/saz/puppet-sudo/blob/f3cecf49ecde3dd81269a0c20cc6b68fcc212c34/manifests/conf.pp#L105 Resulting in: https://github.com/saz/puppet-sudo/blob/f3cecf49ecde3dd81269a0c20cc6b68fcc212c34/manifests/conf.pp#L139 being called. Can you manually try to replicate the full check with the "||" and the part after? Though I don't see why that should be an issue, since manually calling visudo -c seems to work for you. Edit: I am also not sure whether the delete_cmd command gets called on your end. Haven't come around to setting up a fitting test env for this on my end (sorry)

saz commented 1 month ago

I'm trying to clean up issues and as this issue is pretty old and not much activity is happening here, I'll close it.

Feel free to open it again, if needed.