saz / puppet-sudo

Manage sudo with Puppet on Debian-, RedHat- and SUSE-based Linux distributions and some BSDs

check one file for syntax and rm params fixes #223 #302

Open tdlc opened 2 months ago

tdlc commented 2 months ago

Before that, all sudoers files were checked for syntax, and when an application had created a sudoers file with a permission/syntax error, the file managed by Puppet would be deleted, even though the file managed by Puppet did not have a syntax error. This could also occur if an application creates a file with permission 0400 instead of 0440, which is demanded by visudo.

Removed delete_on_error: now Puppet will not create the file if it has a syntax error by default. Before that, syntax / permission errors in other files would also lead to deletion or an error, which makes no sense.

Removed validate_single: previously all files were always validated no matter which value validate_single had. This makes no sense, so the parameter is removed.

Removed conf parameter sudo_syntax_path, as the exec that used it was removed. Validation is now only via validate_cmd of the Puppet file resource.

saz commented 1 month ago

I don't understand what makes you think that validate_single isn't checking only one file? For me, everything's looking correct with both options.

If validate_single is set to true, it will run visudo -c -f % as validate_cmd of the file resource which manages the file.
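As an added illustration of the per-file check discussed above (example code, not part of saz/puppet-sudo), a standalone Puppet defined type that manages one sudoers.d drop-in and validates only that candidate file through validate_cmd before it is installed; the define name, path and rule content are assumed:

```puppet
# Added example, not code from the puppet-sudo module. Puppet writes the new
# content to a temporary file, substitutes its path for '%', and only moves it
# into place if the command exits 0, so a broken rule never lands on disk.
define sudoers_dropin (
  String $content,
) {
  file { "/etc/sudoers.d/${title}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',   # the mode visudo expects for sudoers files
    content      => $content,
    # Only the candidate file is parsed. Other files in /etc/sudoers.d with
    # syntax or permission problems are not consulted, unlike a global
    # 'visudo -c' run, which would fail on them and block this resource.
    validate_cmd => '/usr/sbin/visudo -c -f %',
  }
}

# Hypothetical rule: allow the 'deploy' user to restart one service.
sudoers_dropin { 'deploy-restart':
  content => "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service\n",
}
```

If visudo rejects the candidate, the run reports the validation failure and the existing file (if any) is left untouched rather than deleted.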