Set does not support negating a node in /etc/sudoers #81

Open
robertlich opened this issue Jun 28, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@robertlich

Describe the Bug

Running this block to configure my sudo_accounts:

```puppet
augeas { 'sudo_accounts':
  context => '/files/etc/sudoers',
  changes => [
    # Create a command alias for switching a user
    "set Cmnd_Alias/alias/name ELEVATING",
    "set Cmnd_Alias/alias/command[1] /bin/su",
    "set Cmnd_Alias/alias/command[2] /bin/usr/su",
    "set spec[user = '%wheel']/user %wheel",
    # Allow the wheel group to run all commands without a password, excepting the ELEVATING commands
    "set spec[user = '%wheel']/host_group/host ALL",
    "set spec[user = '%wheel']/host_group/command[1] ALL",
    "set spec[user = '%wheel']/host_group/command[1]/runas_user ALL",
    "set spec[user = '%wheel']/host_group/command[1]/tag NOPASSWD",
    "set spec[user = '%wheel']/host_group/command[2] ELEVATING",
    # This is the line that fails:
    "set spec[user = '%wheel']/host_group/command[2]/negate",
    # Workaround that does apply (see below):
    # "clear spec[user = '%wheel']/host_group/command[2]/negate",
  ],
  onlyif  => "match spec/user[.='%wheel'][../host_group/command/tag='NOPASSWD'] size == 0",
}
```
Results in an error that I am missing the second argument for set.

Expected Behavior

Using the same augtool executable to run:

set /files/etc/sudoers/spec[3]/host_group/command/negate

Will result in the command on that line being negated.

In this particular example it turns:

%wheel ALL=(ALL) NOPASSWD : ALL , ELEVATING
=>
%wheel ALL=(ALL) NOPASSWD : ALL , !ELEVATING

Notably if I were to try to just use:

"set spec[user = '%wheel']/host_group/command[2] !ELEVATING",

in the puppet code above, that also fails. So I'm left with no options for set to negate a command in the sudoers file, which doesn't match the actual behaviour of augtool.

I am able to get around this by using:

"clear spec[user = '%wheel']/host_group/command[2]/negate"

But that's a little unintuitive.

Steps to Reproduce

I have provided the steps to reproduce as part of the above.

Environment

  • Puppet v7.30.0
  • augtool 1.14.1
  • Rocky 8.9
  • having a hard time determining what version of puppetlabs-augeas_core is in this version of puppet
@robertlich robertlich added the bug Something isn't working label Jun 28, 2024
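The two renderings shown above differ only in the `!` in front of `ELEVATING`, and that one character decides whether members of the wheel group can run `/bin/su` without a password. The following added example (not code from this issue or from puppetlabs-augeas_core) is a small checker a practitioner can run over a rendered `/etc/sudoers` to confirm that the negate node actually landed in the file: it parses `Cmnd_Alias` lines and user specs, tracks the `NOPASSWD` tag and `!` negation per command, and reports which members of a named alias a passwordless `ALL` grant still reaches. The sample sudoers text is constructed from the before/after lines in the issue; the function and variable names are this example's own.

```python
import re

# Constructed from the before/after lines in the issue (not a real system file).
BEFORE = """\
Cmnd_Alias ELEVATING = /bin/su, /bin/usr/su
%wheel ALL=(ALL) NOPASSWD : ALL , ELEVATING
"""
AFTER = """\
Cmnd_Alias ELEVATING = /bin/su, /bin/usr/su
%wheel ALL=(ALL) NOPASSWD : ALL , !ELEVATING
"""

# user host=(runas) command-list   (runas part optional)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$"
)
# Tags that may prefix a command; a tag stays in effect for the rest of the list.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}


def parse_command_list(rest):
    """Split 'NOPASSWD : ALL , !ELEVATING' into per-command dicts with tag and negation."""
    commands = []
    tag = None
    for item in rest.split(","):
        item = item.strip()
        while ":" in item:  # one or more 'TAG:' prefixes before the command
            head, _, item = item.partition(":")
            head, item = head.strip(), item.strip()
            if head in TAGS:
                tag = head
        negated = item.startswith("!")
        commands.append({"command": item.lstrip("!").strip(), "negated": negated, "tag": tag})
    return commands


def parse_sudoers(text):
    """Return (cmnd_aliases, specs) for the subset of sudoers syntax used here."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        first = line.split()[0]
        if first.endswith("_Alias"):
            if first == "Cmnd_Alias":
                name, _, members = line[len(first):].partition("=")
                aliases[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append({"user": m["user"], "host": m["host"], "runas": m["runas"],
                          "commands": parse_command_list(m["rest"])})
    return aliases, specs


def expand(name, aliases):
    """Expand a Cmnd_Alias name to its members; plain commands (and ALL) map to themselves."""
    return set(aliases.get(name, [name]))


def nopasswd_exposure(text, alias_name="ELEVATING"):
    """Members of alias_name that some NOPASSWD grant reaches without a matching negation."""
    aliases, specs = parse_sudoers(text)
    members = set(aliases.get(alias_name, []))
    exposed = set()
    for spec in specs:
        granted, denied = set(), set()
        for cmd in spec["commands"]:
            if cmd["tag"] != "NOPASSWD":
                continue
            (denied if cmd["negated"] else granted).update(expand(cmd["command"], aliases))
        if "ALL" in granted:
            exposed |= members - denied
        else:
            exposed |= (granted & members) - denied
    return exposed


if __name__ == "__main__":
    print("before:", sorted(nopasswd_exposure(BEFORE)))  # both su paths reachable
    print("after: ", sorted(nopasswd_exposure(AFTER)))   # empty: negation applied
```

Running it against the real file is `nopasswd_exposure(open("/etc/sudoers").read())` on the managed host, which makes a useful post-apply check for the Puppet run. The check confirms that the file says what the manifest intended, not that the policy is robust: sudoers(5) itself notes that excluding commands from `ALL` with `!` is not a reliable restriction, so the `ELEVATING` exclusion should be treated as a convenience rather than a security boundary.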
@AriaXLi
Contributor

AriaXLi commented Oct 29, 2024

@robertlich Thank you for filing this issue. Is it possible you're running with system augtool and perhaps it is using a different set of lenses than we ship in puppet-agent?

@robertlich
Author

> @robertlich Thank you for filing this issue. Is it possible you're running with system augtool and perhaps it is using a different set of lenses than we ship in puppet-agent?

I don't _think_ so; we don't have augtool installed elsewhere on the system that I could find.
