Set up sudo

Table of Contents

Setting up sudo is straightforward, we recommend managing it by copying trusted files from a repository. The following bundle will copy a master sudoers file to /etc/sudoers (/tmp/sudoers in this example - change it to /etc/sudoers to use in production).

body common control
{
bundlesequence => { "sudoers" };
inputs => { "libraries/cfengine_stdlib.cf" };
}


bundle agent sudoers
{

# Define the master location of the sudoers file
vars:

  "master_location" string => "/var/cfengine/masterfiles";


# Copy the master sudoers file to /etc/sudoers
files:

  "/tmp/sudoers"  # change to /etc/sudoers to use in production

     comment => "Make sure the sudo configuration is secure and up to date",
       perms => mog("440","root","root"),
   copy_from => secure_cp("$(master_location)/sudoers","$(sys.policy_hub)");

}

We recommend editing the master sudoers file using visudo or a similar tool. It is possible to use CFEngine's file editing capabilities to edit sudoers directly, but this does not guarantee syntax correctness and you might end up locked out.

Example run:

# cf-agent -f temp.cf -KI
2013-06-08T19:13:21-0700     info: This agent is bootstrapped to '192.168.183.208'
2013-06-08T19:13:22-0700     info: Running full policy integrity checks
2013-06-08T19:13:23-0700     info: Copying from '192.168.183.208:/var/cfengine/masterfiles/sudoers'
2013-06-08T19:13:23-0700     info: /sudoers/files/'/tmp/sudoers': Object '/tmp/sudoers' had permission 0600, changed it to 0440
#

For reference we include an example of a simple sudoers file:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#

Defaults        env_reset

# User privilege specification
root    ALL=(ALL) ALL

# Allow members of group sudo to execute any command after they have
# provided their password
%sudo ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
john  ALL=(ALL)       ALL