Chef's sudo cookbook and the passwordless access

Hi,

I am trying to figure out how best to use the sudo cookbook. My cookbook
is called masterwrap.

Berksfile:

source "https://supermarket.chef.io"

metadata

masterwrap/metadata.rb:

name 'masterwrap'
maintainer 'The Authors'
maintainer_email 'you@example.com'
license 'all_rights'
description 'Installs/Configures masterwrap'
long_description 'Installs/Configures masterwrap'
version '0.1.0'

depends 'git', '~> 4.1.0'
depends 'sudo', '~> 2.7.1'
depends 'users', '~> 1.8.0'

masterwrap/recipes/default.rb:

#
# Cookbook Name:: masterwrap
# Recipe:: default
#
# Copyright (c) 2015 The Authors, All Rights Reserved.
#

include_recipe 'git'
include_recipe 'masterwrap::users'

masterwrap/recipes/users.rb:

#
# Cookbook Name:: masterwrap
# Recipe:: users
#
# Copyright (c) 2015 The Authors, All Rights Reserved.
#

include_recipe 'sudo'
include_recipe 'users'

%w(deploy sysadmin).each do |group|
  users_manage group do
    data_bag 'users'
    action [ :remove, :create ]
  end
end

sudo 'sysadmin' do
  group '%sysadmin'
  nopasswd false
end

If I converge at this point, my vagrant user would stop having passwordless
sudo access. To make sure that does not happen, I have the following
masterwrap/.kitchen.yml file:


driver:
  name: vagrant

provisioner:
  name: chef_zero

platforms:
  - name: ubuntu1404
    driver:
      box: ubuntu/trusty64
      box_url: ubuntu/trusty64
    attributes:
      authorization:
        sudo:
          users: ['vagrant']
          passwordless: true
          include_sudoers_d: true

suites:
  - name: default
    data_bags_path: 'test/fixtures/data_bags'
    run_list:
      - recipe[masterwrap::default]
    attributes:

The problem is that I DO want a password prompt for my sudo access for
non-vagrant users, but I am not sure how to go about achieving that. Here
is my current /etc/sudoers file after the converge:

#
# This file is managed by Chef.
# Do NOT modify this file directly.
#

Defaults !lecture,tty_tickets,!fqdn

# User privilege specification
root ALL=(ALL) ALL

vagrant ALL=(ALL) NOPASSWD:ALL

# Members of the group 'sysadmin' may gain root privileges
%sysadmin ALL=(ALL) NOPASSWD:ALL

Given the node’s structure, I think the sudo cookbook assumes everyone who
is granted sudo access via the cookbook will want the same setting for
passwordless, which is not the desired outcome in my case. Is there a way
around this assumption or a better way for me to use the sudo cookbook?
Thank you for your help.

Sincerely,
Jimmy

A better way to use the cookbook would be to create files in sudoers.d for
each entry: https://github.com/opscode-cookbooks/sudo#lwrp (GitHub - chef-boneyard/sudo: Development repository for sudo cookbook)

On Fri, Mar 13, 2015 at 8:52 AM, Jimmy Huang jimmy.huang@duragility.com wrote:


Hi tayworm,

Thank you for taking a look at my issue. My concern with using the sudo
lwrp is that I will then have the vagrant user in my recipe, based on my
current understanding. I need the vagrant user in development and
in testing, but I don't need the vagrant user in staging and in production.
Is there a way to have the vagrant user setup be decoupled from how the
other users are set up? Thank you again.

Jimmy

On Fri, Mar 13, 2015 at 1:02 PM, tayworm . tayworm@gmail.com wrote:


You could use environments, e.g. (in pseudocode):

case node.chef_environment
when 'dev', 'qa'
  user 'vagrant' do
    ...
  end

  ...

when 'staging', 'prod'
  ...
end

Or if dev is provisioned by Vagrant on workstations but the other
environments live on servers, surely you can find a way for your node to
identify that it's provisioned by Vagrant, and only manage the vagrant user
when the VM is backed by Vagrant.
GitHub - sethvargo/chef-sugar adds some capabilities that you
might find helpful.

On Fri, Mar 13, 2015 at 4:09 PM, Jimmy Huang jimmy.huang@duragility.com wrote:


Jimmy,
To expand on Fabien's suggestion here is the default recipe from oc-users
which is a wrapper cookbook around the users and sudo community cookbooks
we use to manage users on some of Chef's internal infrastructure:

In particular note the only_if guard on line 51:

*only_if { vagrant? }*

Hope that helps!

--Seth

On Fri, Mar 13, 2015 at 4:19 PM, Fabien Delpierre <fabien.delpierre@gmail.com> wrote:

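To make the per-entry approach from the replies above concrete, here is an added example in plain Ruby. It is not code from the thread, from the sudo cookbook or from oc-users; Node, SudoEntry, ENTRIES and render_sudoers_d are hypothetical names. It models what a wrapper recipe built on the sudo LWRP does: one file per entry under /etc/sudoers.d, so nopasswd is decided per entry instead of once for every line the /etc/sudoers template renders from node['authorization']['sudo']['passwordless'], and the vagrant entry is guarded by an only_if in the spirit of Seth's vagrant? guard (the guard here approximates one signal chef-sugar's helper uses, a vagrant account in ohai's passwd data). The deploy entry is an assumption, added to show a passwordless entry limited to a single command rather than ALL.

```ruby
# Added example, not code from the thread, the sudo cookbook or oc-users.
# Models a wrapper recipe that writes one /etc/sudoers.d fragment per entry so
# NOPASSWD is a per-entry decision, with the vagrant entry gated by an only_if.
# Node, SudoEntry, ENTRIES and render_sudoers_d are hypothetical names.

# Stand-in for the Chef node. vagrant? approximates one of the signals
# chef-sugar's vagrant? helper uses: a 'vagrant' account in ohai's passwd data.
Node = Struct.new(:chef_environment, :passwd) do
  def vagrant?
    passwd.key?('vagrant')
  end
end

# principal is a user name or '%group'; commands is the Cmnd_Spec list.
SudoEntry = Struct.new(:name, :principal, :nopasswd, :commands, :only_if) do
  def applies_to?(node)
    only_if.nil? || only_if.call(node)
  end

  # sudoers(5): sudo skips sudoers.d files whose name contains '.' or ends in
  # '~', so an entry named 'deploy.app' would silently grant nothing.
  def filename
    name.gsub(/[.~]/, '__')
  end

  def render
    tag = nopasswd ? 'NOPASSWD:' : ''
    "# This file is managed by Chef. Do NOT modify this file directly.\n" \
      "#{principal} ALL=(ALL) #{tag}#{commands.join(', ')}\n"
  end
end

# The sysadmin and vagrant entries from the thread plus an assumed deploy entry.
ENTRIES = [
  # sysadmin keeps its password prompt; nothing else on the node changes that.
  SudoEntry.new('sysadmin', '%sysadmin', false, ['ALL'], nil),
  # deploy (assumed): no password, but for one command instead of ALL.
  SudoEntry.new('deploy', '%deploy', true, ['/usr/sbin/service myapp restart'], nil),
  # vagrant: passwordless ALL, but only converged on Vagrant-backed nodes.
  # A Chef-environment gate instead would be
  #   ->(n) { %w[dev qa].include?(n.chef_environment) }
  SudoEntry.new('vagrant', 'vagrant', true, ['ALL'], ->(n) { n.vagrant? }),
].freeze

# Returns { '/etc/sudoers.d/<name>' => contents } for the entries that apply.
def render_sudoers_d(node, entries = ENTRIES, dir = '/etc/sudoers.d')
  entries.select { |e| e.applies_to?(node) }
         .each_with_object({}) { |e, files| files[File.join(dir, e.filename)] = e.render }
end

if $PROGRAM_NAME == __FILE__
  dev  = Node.new('dev',  { 'vagrant' => {}, 'root' => {} })   # kitchen/Vagrant box
  prod = Node.new('prod', { 'root' => {} })                    # real server
  render_sudoers_d(dev).each { |path, body| puts "== #{path}", body }
  puts "prod writes: #{render_sudoers_d(prod).keys.join(', ')}"
end
```

In the recipe itself the same shape is a `sudo 'vagrant'` resource with `user 'vagrant'`, `nopasswd true` and `only_if { vagrant? }` next to the existing `sudo 'sysadmin'` with `nopasswd false`, with `include_sudoers_d` left on and the `users`/`passwordless` attributes no longer set, since those attributes apply to every line the /etc/sudoers template renders while the LWRP writes a separate file per entry.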

Use a different data bag for your vagrant user, and define the use of that data bag in your vagrant recipe.

I do find myself wishing that the users cookbook had some hooks for setting up some sort of roles and attributes for groups, then applying those group settings to the relevant data bags, but I’ve got enough patches submitted for that cookbook right now.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.com

From: toshicub@gmail.com [mailto:toshicub@gmail.com] On Behalf Of Jimmy Huang
Sent: Friday, March 13, 2015 4:10 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Chef’s sudo cookbook and the passwordless access


This is actually a safer way to avoid the big problem with the 'sudo' cookbook, where "NOPASSWD" access is binary: either all access requires passwords, or none. Individually generated, local configs can be far more sophisticated than the cookbook currently supports.

It's unfortunately vulnerable to syntax errors in your added config files breaking sudo altogether, and would benefit from a rollback procedure for broken changes or a big, big warning that "help, I just broke sudo, stop now!!!" by running a "sudo -i -u root /bin/pwd" or similar innocuous command after deployment.

And please, don’t forget to clear away old files that are not managed by your cookbook, or which you no longer elect to publish.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.com

From: tayworm . [mailto:tayworm@gmail.com]
Sent: Friday, March 13, 2015 4:03 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Chef’s sudo cookbook and the passwordless access

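Here is an added example of the post-deployment checks Nico describes, in plain Ruby; it is not code from the thread or from the sudo cookbook, and stale_fragments, ignored_fragments, check_fragments and sudo_usable? are hypothetical names (the visudo and sudo flags are real). It lists fragments under /etc/sudoers.d that the current run did not write (the files to clear away), names sudo silently skips (sudoers(5): names containing '.' or ending in '~'), syntax errors found by `visudo -c -f` on each fragment without installing it, and the result of a harmless non-interactive sudo call as the "did I just break sudo?" canary.

```ruby
# Added example, not from the thread or the sudo cookbook. Post-converge checks
# for a sudoers.d directory. Function names are hypothetical.
require 'open3'

# sudoers(5): files whose name contains '.' or ends in '~' are skipped by sudo.
IGNORED_FRAGMENT = /\.|~\z/.freeze

# Fragments on disk that the cookbook did not write this run. These are the
# files to delete; otherwise an entry you removed from the recipe keeps
# granting access.
def stale_fragments(dir, managed_names)
  Dir.children(dir).sort - managed_names
end

# Fragments sudo will never read: an entry that landed here grants nothing,
# which looks like "sudo is broken" for that user rather than a syntax error.
def ignored_fragments(dir)
  Dir.children(dir).sort.select { |n| n.match?(IGNORED_FRAGMENT) }
end

# Syntax-check each fragment without installing it (visudo -c -f FILE).
# Returns { name => true/false }, or nil when visudo is not on this host.
def check_fragments(dir, visudo: 'visudo')
  Dir.children(dir).sort.each_with_object({}) do |name, results|
    _out, _err, status = Open3.capture3(visudo, '-c', '-q', '-f', File.join(dir, name))
    results[name] = status.success?
  end
rescue Errno::ENOENT
  nil
end

# Canary: a harmless, non-interactive sudo call. With a parse error anywhere
# in sudoers or sudoers.d, sudo refuses to run anything and this returns
# false. Note that `sudo -n` also fails when a password would be required, so
# run it as a user who still has passwordless access (vagrant in kitchen).
# Returns nil when sudo itself is not installed.
def sudo_usable?(sudo: 'sudo')
  _out, _err, status = Open3.capture3(sudo, '-n', '-u', 'root', '/bin/true')
  status.success?
rescue Errno::ENOENT
  nil
end

if $PROGRAM_NAME == __FILE__
  dir = ARGV.fetch(0, '/etc/sudoers.d')
  if Dir.exist?(dir)
    managed = ARGV.drop(1)                      # names the current run wrote
    puts "stale:   #{stale_fragments(dir, managed).inspect}"
    puts "ignored: #{ignored_fragments(dir).inspect}"
    puts "visudo:  #{check_fragments(dir).inspect}"
    puts "sudo ok: #{sudo_usable?.inspect}"
  end
end
```

Run it after the converge (for instance from the kitchen verifier) as, say, `ruby sudoers_check.rb /etc/sudoers.d sysadmin deploy vagrant`, passing the fragment names the run wrote; any name printed under "stale" is a candidate for removal and any false under "visudo" is a file that must be fixed or rolled back before anyone logs out. The cheaper rollback is to never install a broken file: write each fragment to a temporary path, run `visudo -c -f` on it, and only move it into /etc/sudoers.d when that passes.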