This role configures sudo.
Requirements
This role is only supported on RHEL8+ and Fedora distributions. Consider reading sudo documentation before setting it up.
Collection requirements
The role requires external collections only for management of rpm-ostree
nodes. Please run the following command to install them if you need to manage
rpm-ostree nodes:
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
Role Variables
The defaults defined for this role are based on a default RHEL8.4 /etc/sudoers configuration.
Check the defaults in defaults/main.yml prior to running for OS compatibility.
sudo_rewrite_default_sudoers_file
Use the role default or a user-defined sudo_sudoers_files definition, replacing your distribution-supplied /etc/sudoers file.
Set this to false when you only want to deploy new configuration files to the include_directories and do not wish to modify the /etc/sudoers file.
Default: true
Type: bool
sudo_check_if_configured
When true, the role performs a semantic check of the existing sudoers configuration and skips the setup if sudo is already configured as requested.
Default: true
Type: bool
sudo_remove_unauthorized_included_files
Dangerous! Setting this to true removes every existing sudoers file in the include_directories that is not defined in the sudo_sudoers_files variable.
This allows for enforcing a desired state.
Default: false
Type: bool
sudo_visudo_path
Fully-qualified path to the visudo binary, which is required for validation of sudoers configuration changes.
Added for Operating System compatibility.
Default: /usr/bin/visudo
Type: string
sudo_transactional_update_reboot_ok
This variable is used to handle reboots required by transactional updates.
If a transactional update requires a reboot, the role will proceed with the
reboot if sudo_transactional_update_reboot_ok is set to true. If set
to false, the role will notify the user that a reboot is required, allowing
for custom handling of the reboot requirement. If this variable is not set,
the role fails, so that the reboot requirement is not overlooked.
Default: null
Type: bool
sudo_sudoers_files
A list that defines sudoers configurations.
For the default configuration, see defaults/main.yml.
Type: list
path
Where to deploy the configuration file to on the filesystem.
Type: string
aliases
A dictionary containing optional definitions of User_Alias, Runas_Alias, Host_Alias, and Cmnd_Alias aliases.
Aliases defined here can be referenced from either user specifications or default overrides.
Available keys:
- `user_alias`, requires setting a name with the `name` string and a list of users with the `users` list.
- `runas_alias`, requires setting a name with the `name` string and a list of users with the `users` list.
- `host_alias`, requires setting a name with the `name` string and a list of hosts with the `hosts` list.
- `cmnd_alias`, requires setting a name with the `name` string and a list of commands with the `commands` list.
Example definition:
```yaml
sudo_sudoers_files:
  - path: /etc/sudoers.d/pingers
    aliases:
      user_alias:
        - name: PINGERS
          users:
            - username
      runas_alias:
        - name: RUNAS
          users:
            - username
      cmnd_alias:
        - name: PING
          commands:
            - /usr/bin/ping
```
defaults
You can use this to define the defaults of sudoers configuration.
You can perform default overrides via the user_specifications key.
Type: list
include_files
Optional, a list of files that your configuration must include.
This is a list of fully-qualified paths to include via the #include option of a sudoers configuration.
Type: list
include_directories
Optional, a list of directories that your configurations must include.
This is a list of fully-qualified paths to directories to include via the #includedir option of a sudoers configuration.
Type: list
user_specifications
You can use this list variable to apply user specifications to a sudoers file configuration.
Supported entries:
- `users` - List of users to apply the specification to. You can use a `user_alias` name as well as user names.
- `hosts` - List of hosts to apply the specification to. You can use a defined `host_alias` name as well as host names.
- `operators` - List of operators to apply the specification to. You can use a defined `runas_alias` name as well as user names.
- `selinux_role` - Optional SELinux role to apply to the specification. NOTE: only a single value is supported. However, for historical reasons, the value can be a list; if a list is given, only the first value is used. Please use a `string` value.
- `selinux_type` - Optional SELinux type to apply to the specification. NOTE: only a single value is supported. However, for historical reasons, the value can be a list; if a list is given, only the first value is used. Please use a `string` value.
- `solaris_privs` - Optional Solaris privset to apply to the specification.
- `solaris_limitprivs` - Optional Solaris privset to apply to the specification.
- `tags` - Optional list of tags to apply to the specification.
- `commands` - List of commands to apply the specification to. You can use a defined `cmnd_alias` name as well as commands.
Example definition:
```yaml
sudo_sudoers_files:
  - path: /etc/sudoers.d/pingers
    user_specifications:
      - users:
          - root
        hosts:
          - ALL
        operators:
          - ALL
        commands:
          - ALL
      - users:
          - "%wheel"
        hosts:
          - ALL
        operators:
          - ALL
        commands:
          - ALL
        selinux_role: sysadm_r
        selinux_type: sysadm_t
```
default_overrides
You can use this list variable to apply Default Override user_specifications to a sudoers file configuration.
Supported entries:
- `defaults` - List of defaults to override from the main configuration.
- `type` - Type of default to override; this selects the operator in the configuration (host -> `@`, user -> `:`, command -> `!`, and runas -> `>`). The type field can be one of the following values: `command`, `host`, `runas`, or `user`.
- `commands` - Use when `type: command`. List of `cmnd_alias` names as well as commands to override specific default values.
- `hosts` - Use when `type: host`. List of `host_alias` names as well as individual host names to override specific default values.
- `operators` - Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values.
- `users` - Use when `type: user`. List of `user_alias` names as well as individual user names to override specific default values.
Example Definition:
```yaml
sudo_sudoers_files:
  - path: /etc/sudoers.d/pingers
    default_overrides:
      - type: user
        defaults:
          - "!requiretty"
        users:
          - PINGERS
      - type: runas
        defaults:
          - "!set_logname"
        operators:
          - root
      - type: host
        defaults:
          - "!requiretty"
          - "!requiretty"
        hosts:
          - host1
          - host2
      - type: command
        defaults:
          - "!requiretty"
        commands:
          - /usr/bin/ls
```
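To make the `user_specifications` entries and the `type` -> operator mapping of `default_overrides` concrete, here is an added Python illustration (not the role's own Jinja template) that renders one item of each kind into the sudoers line it stands for. The dictionary keys are the ones documented above; the function names and the sample dictionaries are my own.

```python
from typing import Any, Dict

# Operator sudoers uses for each default_overrides type, as documented above.
OVERRIDE_OPERATOR = {"host": "@", "user": ":", "command": "!", "runas": ">"}
# Which key of a default_overrides entry lists the targets for each type.
OVERRIDE_TARGETS = {"host": "hosts", "user": "users",
                    "command": "commands", "runas": "operators"}


def first_value(value: Any) -> str:
    """selinux_role/selinux_type may be a list for historical reasons; use the first value."""
    if isinstance(value, list):
        if not value:
            raise ValueError("empty list given where a single value is required")
        return str(value[0])
    return str(value)


def render_default_override(entry: Dict[str, Any]) -> str:
    """Render one default_overrides item as a 'Defaults<op><targets> <defaults>' line."""
    kind = entry.get("type")
    if kind not in OVERRIDE_OPERATOR:
        raise ValueError(f"unsupported default override type: {kind!r}")
    targets = entry.get(OVERRIDE_TARGETS[kind]) or []
    defaults = entry.get("defaults") or []
    if not targets or not defaults:
        raise ValueError(f"type {kind!r} needs non-empty {OVERRIDE_TARGETS[kind]!r} and 'defaults'")
    # sudoers separates several targets, and several defaults, with commas
    return f"Defaults{OVERRIDE_OPERATOR[kind]}{','.join(targets)} {','.join(defaults)}"


def render_user_specification(spec: Dict[str, Any]) -> str:
    """Render one user_specifications item as 'users hosts = (operators) [options] [TAG:] commands'."""
    parts = [",".join(spec["users"]), ",".join(spec["hosts"]),
             "=", f"({','.join(spec['operators'])})"]
    if "selinux_role" in spec:
        parts.append(f"ROLE={first_value(spec['selinux_role'])}")
    if "selinux_type" in spec:
        parts.append(f"TYPE={first_value(spec['selinux_type'])}")
    if "solaris_privs" in spec:
        parts.append(f"PRIVS={spec['solaris_privs']}")
    if "solaris_limitprivs" in spec:
        parts.append(f"LIMITPRIVS={spec['solaris_limitprivs']}")
    # each tag (e.g. NOPASSWD) precedes the command list with a trailing colon
    parts.extend(f"{tag}:" for tag in spec.get("tags", []))
    parts.append(",".join(spec["commands"]))
    return " ".join(parts)
```

Feeding the `%wheel` specification from the example above through `render_user_specification` yields `%wheel ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL`, and the `type: host` override yields `Defaults@host1,host2 !requiretty,!requiretty`.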
Example Playbooks
Applying a RHEL Default /etc/sudoers configuration
```yaml
---
- name: Apply a RHEL Default /etc/sudoers configuration
  hosts: all
  roles:
    - role: linux-system-roles.sudo
```
Applying custom /etc/sudoers configuration
```yaml
---
- name: Apply a custom /etc/sudoers configuration
  hosts: all
  vars:
    sudo_sudoers_files:
      - path: /etc/sudoers
        user_specifications:
          - users:
              - root
            hosts:
              - x
            commands:
              - /usr/bin/ls
  roles:
    - role: linux-system-roles.sudo
```
Applying defaults
```yaml
---
- name: Apply defaults
  hosts: all
  vars:
    sudo_sudoers_files:
      - path: /etc/sudoers
        defaults:
          - "!visiblepw"
          - always_set_home
          - match_group_by_gid
          - always_query_group_plugin
          - env_reset
          - secure_path:
              - /sbin
              - /bin
              - /usr/sbin
              - /usr/bin
          - env_keep:
              - COLORS
              - DISPLAY
              - HOSTNAME
              - HISTSIZE
              - KDEDIR
              - LS_COLORS
              - MAIL
              - PS1
              - PS2
              - QTDIR
              - USERNAME
              - LANG
              - LC_ADDRESS
              - LC_CTYPE
              - LC_COLLATE
              - LC_IDENTIFICATION
              - LC_MEASUREMENT
              - LC_MESSAGES
              - LC_MONETARY
              - LC_NAME
              - LC_NUMERIC
              - LC_PAPER
              - LC_TELEPHONE
              - LC_TIME
              - LC_ALL
              - LANGUAGE
              - LINGUAS
              - _XKB_CHARSET
              - XAUTHORITY
        user_specifications:
          - users:
              - root
            hosts:
              - ALL
            operators:
              - ALL
            commands:
              - ALL
          - users:
              - "%wheel"
            hosts:
              - ALL
            operators:
              - ALL
            commands:
              - ALL
        include_directories:
          - /etc/sudoers.d
  roles:
    - role: linux-system-roles.sudo
```
Applying a multi-file sudoers configuration
```yaml
---
- name: Apply a multi-file sudoers configuration
  hosts: all
  tasks:
    - name: Configure /etc/sudoers and included files
      include_role:
        name: linux-system-roles.sudo
      vars:
        sudo_rewrite_default_sudoers_file: true
        sudo_remove_unauthorized_included_files: true
        sudo_sudoers_files:
          - path: /etc/sudoers
            defaults:
              - "!visiblepw"
              - always_set_home
              - match_group_by_gid
              - always_query_group_plugin
              - env_reset
              - secure_path:
                  - /sbin
                  - /bin
                  - /usr/sbin
                  - /usr/bin
              - env_keep:
                  - COLORS
                  - DISPLAY
                  - HOSTNAME
                  - HISTSIZE
                  - KDEDIR
                  - LS_COLORS
                  - MAIL
                  - PS1
                  - PS2
                  - QTDIR
                  - USERNAME
                  - LANG
                  - LC_ADDRESS
                  - LC_CTYPE
                  - LC_COLLATE
                  - LC_IDENTIFICATION
                  - LC_MEASUREMENT
                  - LC_MESSAGES
                  - LC_MONETARY
                  - LC_NAME
                  - LC_NUMERIC
                  - LC_PAPER
                  - LC_TELEPHONE
                  - LC_TIME
                  - LC_ALL
                  - LANGUAGE
                  - LINGUAS
                  - _XKB_CHARSET
                  - XAUTHORITY
            user_specifications:
              - users:
                  - root
                hosts:
                  - ALL
                operators:
                  - ALL
                commands:
                  - ALL
              - users:
                  - "%wheel"
                hosts:
                  - ALL
                operators:
                  - ALL
                commands:
                  - ALL
            include_directories:
              - /etc/sudoers.d
            aliases:
              cmnd_alias:
                - name: PING
                  commands:
                    - /usr/bin/ping
              user_alias:
                - name: PINGERS
                  users:
                    - username
          - path: /etc/sudoers.d/pingers
            user_specifications:
              - type: user
                defaults:
                  - "!requiretty"
                users:
                  - PINGERS
          - path: /etc/sudoers.d/root
            defaults:
              - syslog=auth
            user_specifications:
              - type: runas
                defaults:
                  - "!set_logname"
                operators:
                  - root
```
rpm-ostree
See README-ostree.md
License
MIT
Based on Ansible-sudoers.