[chef] RE: Re: Chef's sudo cookbook and the passwordless access


  • From: Nico Kadel-Garcia
  • Subject: [chef] RE: Re: Chef's sudo cookbook and the passwordless access
  • Date: Tue, 31 Mar 2015 12:54:30 -0500

This is actually a safer way to avoid the big problem with the 'sudo' cookbook, where "NOPASSWD" access is binary: either all access requires passwords, or none. Individually generated, local configs can be far more sophisticated than the cookbook currently supports.

It's unfortunately vulnerable to syntax errors in your added config files breaking sudo altogether, and would benefit from a rollback procedure for broken changes or a big, big warning that "help, I just broke sudo, stop now!!!!" by running a "sudo -i -u root /bin/pwd" or similar innocuous command after deployment.

And please, don't forget to clear away *old* files that are not managed by your cookbook, or which you no longer elect to publish.

 

Nico Kadel-Garcia

Lead DevOps Engineer


From: tayworm .
Sent: Friday, March 13, 2015 4:03 PM
Subject: [chef] Re: Chef's sudo cookbook and the passwordless access


A better way to use the cookbook would be to create files in sudoers.d for each entry. https://github.com/opscode-cookbooks/sudo#lwrp

On Fri, Mar 13, 2015 at 8:52 AM, Jimmy Huang wrote:

Hi,

I am trying to figure out how best to use the sudo cookbook.  My cookbook is called masterwrap.

Berksfile:


masterwrap/metadata.rb:


name             'masterwrap'
maintainer       'The Authors'
maintainer_email ''   # address stripped by the list archive
license          'all_rights'
description      'Installs/Configures masterwrap'
long_description 'Installs/Configures masterwrap'
version          '0.1.0'

depends 'git', '~> 4.1.0'
depends 'sudo', '~> 2.7.1'
depends 'users', '~> 1.8.0'


masterwrap/recipes/default.rb:

#
# Cookbook Name:: masterwrap
# Recipe:: default
#
# Copyright (c) 2015 The Authors, All Rights Reserved.

include_recipe 'git'
include_recipe 'masterwrap::users'


masterwrap/recipes/users.rb:

#
# Cookbook Name:: masterwrap
# Recipe:: users
#
# Copyright (c) 2015 The Authors, All Rights Reserved.

include_recipe 'sudo'
include_recipe 'users'

# Create (after first removing) the members of each group from the 'users' data bag
%w(deploy sysadmin).each do |group|
  users_manage group do
    data_bag 'users'
    action [ :remove, :create ]
  end
end

# Grant the sysadmin group sudo, with a password prompt
sudo 'sysadmin' do
  group '%sysadmin'
  nopasswd false
end


If I converge at this point, my vagrant user would stop having passwordless sudo access.  To make sure that does not happen, I have the following masterwrap/.kitchen.yml file:

---
driver:
  name: vagrant

provisioner:
  name: chef_zero

platforms:
  - name: ubuntu1404
    driver:
      box: ubuntu/trusty64
      box_url: ubuntu/trusty64
    attributes:
      authorization:
        sudo:
          users: ['vagrant']
          passwordless: true
          include_sudoers_d: true

suites:
  - name: default
    data_bags_path: 'test/fixtures/data_bags'
    run_list:
      - recipe[masterwrap::default]
    attributes:

The problem is that I DO want a password prompt for my sudo access for non-vagrant users, but I am not sure how to go about achieving that.  Here is my current /etc/sudoers file after the converge:

# This file is managed by Chef.
# Do NOT modify this file directly.

Defaults      !lecture,tty_tickets,!fqdn

# User privilege specification
root          ALL=(ALL) ALL
vagrant ALL=(ALL) NOPASSWD:ALL

# Members of the group 'sysadmin' may gain root privileges
%sysadmin ALL=(ALL) NOPASSWD:ALL

===

Given the node's structure, I think the sudo cookbook assumes everyone who is granted sudo access via the cookbook will want the same setting for passwordless, which is not the desired outcome in my case.  Is there a way around this assumption or a better way for me to use the sudo cookbook?  Thank you for your help.

 

Sincerely,

Jimmy 

 



