Manage sudo privileges

Managing sudo on your agents allows you to control which system users have access to elevated privileges. This guide helps you get started managing sudo privileges across your nodes, using a module from the Puppet Forge in conjunction with a simple module you write.

Before you begin

Before starting this walk-through, complete the previous exercises.

Ensure you’ve already installed Puppet, and at least one *nix agent. Also, log in as root or Administrator on your nodes.

Using this guide, you learn how to:

  • Install the saz-sudo module as the foundation for managing sudo privileges.

  • Write a module that contains a class called privileges to manage a resource that sets privileges for certain users.

  • Add classes from the privileges and sudo modules to your agents.

Note: You can add the sudo and privileges classes to as many agents as needed. For simplicity, this guide describes only one.
  1. Start by installing the saz-sudo module. It's available on the Forge, and is one of many modules written by a member of the Puppet user community. You can learn more about the module at forge.puppet.com/saz/sudo. To install the saz-sudo module, run the following command on the primary server:
    puppet module install saz-sudo
    The resulting output is similar to this:
    Preparing to install into /etc/puppetlabs/code/environments/production/modules …
    Notice: Downloading from http://forgeapi.puppetlabs.com ...
        Notice: Installing -- do not interrupt ...
        /etc/puppetlabs/puppet/modules
        └── saz-sudo (v2.3.6)
              └── puppetlabs-stdlib (3.2.2) [/opt/puppet/share/puppet/modules]
    That’s it! You’ve installed the saz-sudo module.
  2. Next, you'll create a module that contains the privileges class.

    Like in the DNS exercise, this is a small module with just one class. You'll create the privileges module directory, its manifests subdirectory, and an init.pp manifest file that contains the privileges class.

    1. From the command line on the primary server, navigate to the modules directory:
      cd /etc/puppetlabs/code/environments/production/modules
    2. Create the module directory and its manifests directory:
      mkdir -p privileges/manifests
    3. In the manifests directory, use your text editor to create the init.pp file, and edit it so it contains the following Puppet code:
      class privileges {
      
         sudo::conf { 'admins':
         ensure  => present,
         content => '%admin ALL=(ALL) ALL',
         }
      
       }

      The sudo::conf 'admins' line creates a sudoers rule that ensures that members of the admins group have the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/. It's called something like 10_admins.

    4. Save and exit the file.

      That’s it! You’ve created a module that contains a class that, after it's applied, ensures that your agents have the correct sudo privileges set for the root user and the admins and wheel groups.

  3. Next, add the privileges and sudo classes to default nodes.
    1. From the command line on the primary server, navigate to the main manifest:
      cd /etc/puppetlabs/code/environments/production/manifests
    2. Open site.pp with your text editor and add the following Puppet code to the default node:
      class { 'sudo': }
      sudo::conf { 'web':
        content  => "web ALL=(ALL) NOPASSWD: ALL",
      }
      class { 'privileges': }
      sudo::conf { 'jargyle':
        priority => 60,
        content  => "jargyle ALL=(ALL) NOPASSWD: ALL",
      }

      The sudo::conf ‘web’ line creates a sudoers rule to ensure that members of the web group can run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/.

      The sudo::conf ‘jargyle’ line creates a sudoers rule to ensure that the user jargyle can run any command using sudo. This resource creates a configuration fragment to define this rule in /etc/sudoers.d/. It's called something like 60_jargyle.

    3. Save and exit the file.
    4. On your primary server, ensure that there are no errors:
      puppet parser validate site.pp

      The parser returns nothing if there are no errors.

    5. From the command line on your agent, run Puppet: puppet agent -t

      That’s it! You have successfully applied sudo and privileges classes to nodes.

    6. To confirm it worked, run the following command on an agent:
      sudo -l -U jargyle
      The results resemble the following:
       Matching Defaults entries for jargyle on this host:
      !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
      INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
      LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
      env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
      LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
      secure_path=/usr/local/bin\:/sbin\:/bin\:/usr/sbin\:/usr/bin
      
       User jargyle may run the following commands on this host:
      (ALL) NOPASSWD: ALL
Results

For more information about working with Puppet and sudo users, see our Module of The Week: saz/sudo - Manage sudo configuration blog post.

Puppet offers many opportunities for learning and training, from formal certification courses to guided online lessons. See the Learning Puppet page for more information.