@tdlc tdlc commented Apr 26, 2024

Before that, all sudoers files were checked for syntax, and when an application had created a sudoers file with a permission/syntax error, the file managed by Puppet would be deleted. But the file managed by Puppet would not have a syntax error. This could also occur if an application creates a file with permission 0400 instead of 0440, which is demanded by visudo.

Removed delete_on_error: now Puppet will not create the file if it has a syntax error by default. Before that, syntax/permission errors in other files would also lead to deletion or error, which makes no sense.

Removed validate_single: previously all files were always validated no matter which value validate_single had. This makes no sense, so remove the parameter.

Removed conf parameter sudo_syntax_path, as the exec that used it was removed. Validation is now only via validate_cmd of the Puppet file resource.

@saz saz force-pushed the v8.0.0visudofix branch from 4626feb to 11329df Compare May 13, 2024 16:02

saz commented May 13, 2024

I don't understand what makes you think that validate_single isn't checking only one file? For me, everything's looking correct with both options.

If validate_single is set to true, it will run visudo -c -f % as validate_cmd of the file resource which manages the file.

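As an added example, not code from the saz/sudo module or from this pull request, the following Puppet manifest shows the per-file validation the two comments above describe: one file resource manages a single fragment in /etc/sudoers.d and runs visudo -c -f on that fragment alone, so a broken file dropped there by some other application cannot make this resource fail or delete anything. The fragment path, the rule content and the target command are assumptions for illustration.

```puppet
# Added example (hypothetical path and rule): manage one sudoers fragment
# and validate only that fragment before it is put in place.
file { '/etc/sudoers.d/10_deploy':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  # 0440 is the mode visudo demands for sudoers files; the PR description
  # notes that a fragment written with 0400 fails the visudo check.
  mode    => '0440',
  content => "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service\n",
  # Puppet writes the new content to a temporary file, substitutes that
  # file's path for '%', and only replaces the target if the command exits 0.
  # Other files in /etc/sudoers.d are not examined by this check.
  validate_cmd => '/usr/sbin/visudo -c -f %',
}
```

With this arrangement a syntax error in the managed content is reported as a failure of this one resource and the previous version of the fragment stays on disk untouched; nothing is deleted. The check needs visudo present on the agent at the time the resource is applied, so the package resource that installs sudo should be ordered before it.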