
Role leads to doubled inclusion of the sudoers_dropin_dir #9

Open
fapdash opened this issue Apr 19, 2023 · 2 comments

Comments


fapdash commented Apr 19, 2023

On newer sudo versions the default inclusion statement is @includedir instead of #includedir. After running the role the directory gets included a second time:

```
@includedir /etc/sudoers.d
#includedir /etc/sudoers.d
```

This leads to annoying warnings in the terminal when aliases get defined:

```
/etc/sudoers.d/commands:1:382: Alias "SOMETHING_COMMANDS" already defined
```

Reference:

It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includedir directives. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are also accepted.

https://www.sudo.ws/docs/man/sudoers.man/#Including_other_files_from_within_sudoers

fapdash added a commit to fapdash/ansible-sudoers that referenced this issue Apr 19, 2023
On newer sudo versions the default inclusion statement is
`@includedir` instead of `#includedir`. After running the role the
directory gets included a second time:

```
@includedir /etc/sudoers.d
```

For compatibility reasons I didn't change the `line` value so on newer
installations the `@includedir` will be replaced by the old syntax.

Reference:

> It is possible to include other sudoers files from within the -->

https://www.sudo.ws/docs/man/sudoers.man/#Including_other_files_from_within_sudoers

fixes andrewrothstein#9
@andrewrothstein
Owner

I incorporated your suggestion into v1.1.0, which I just published to the galaxy. Can you take a peek and let me know if it works for you?

@fapdash
Author

fapdash commented May 14, 2023

Doesn't seem to work. :(

```yaml
- name: 'ensure sudoers dropin directory is #includedir-ed'
  become: true
  become_user: root
  lineinfile:
    dest: '{{ sudoers_cfg_file }}'
    regexp: '^#includedir\s+{{ sudoers_dropin_dir }}'
    line: '#includedir {{ sudoers_dropin_dir }}'
- name: ensure sudoers dropin directory is @includedir-ed
  become: true
  become_user: root
  lineinfile:
    dest: '{{ sudoers_cfg_file }}'
    regexp: '^@includedir\s+{{ sudoers_dropin_dir }}'
    line: '@includedir {{ sudoers_dropin_dir }}'
```

This still adds the #include line if @include is already defined. It now also adds the @include line, even if the #include line is already present. The include should only happen once.

I think a good way to go about that would be:

  1. check if the #include line is present, don't add the line if it's not present
  2. register if the #include line is present
  3. check if the @include line is present, only if the #include line is missing (check via register var). add the @include line if it's missing.

But I'm not sure how to do step 1. lineinfile doesn't allow for checking if a line is present without changing the file?
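One way to implement the three steps proposed above in Ansible, as an added example that is not code from the andrewrothstein/ansible-sudoers role: a read-only `grep` probe detects either include syntax and registers its exit code, and the `lineinfile` task only runs when neither form is present. `sudoers_cfg_file` and `sudoers_dropin_dir` are the role's existing variables from the tasks quoted above; the task names, the `sudoers_include_check` variable and the `/usr/sbin/visudo` path are assumptions for this example.

```yaml
# Added example (not the role's own tasks): include the dropin directory
# exactly once, whichever directive syntax is already in the file.
- name: check whether the dropin directory is already included (either syntax)
  become: true
  ansible.builtin.command:
    argv:
      - grep
      - -Eq
      # match "#includedir <dir>" or "@includedir <dir>", directory regex-escaped
      - '^[#@]includedir[[:space:]]+{{ sudoers_dropin_dir | regex_escape }}([[:space:]]|$)'
      - '{{ sudoers_cfg_file }}'
  register: sudoers_include_check
  changed_when: false                         # a read-only probe never reports a change
  failed_when: sudoers_include_check.rc > 1   # grep: 0 = found, 1 = not found, >1 = error

- name: ensure sudoers dropin directory is included exactly once
  become: true
  ansible.builtin.lineinfile:
    path: '{{ sudoers_cfg_file }}'
    regexp: '^#includedir\s+{{ sudoers_dropin_dir | regex_escape }}\s*$'
    # legacy form is still accepted by sudo >= 1.9.1, so it works on old and new hosts
    line: '#includedir {{ sudoers_dropin_dir }}'
    # refuse to write a sudoers file that visudo cannot parse (a broken sudoers locks out sudo)
    validate: '/usr/sbin/visudo -cf %s'
  when: sudoers_include_check.rc == 1
```

On a host that already carries `@includedir /etc/sudoers.d` the probe exits 0 and the second task is skipped, so nothing is doubled; on a host with neither directive the probe exits 1 and the legacy line is appended. Passing `argv` rather than a shell string keeps the variable values out of shell interpretation, and `validate` makes `lineinfile` run `visudo -c` on the candidate file before it replaces the real one.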
