saz/puppet-sudo

Template for rhel8 is missing

tuxmaster5000 opened this issue · 10 comments

To use it for rhel8 a new template is needed.

Just in case it helps you -- you can temporarily work around this by putting this in hiera:

# RHEL 8 isn't directly supported by sudo module, use RHEL 7 one as it's compatible.
sudo::content: 'sudo/sudoers.rhel7.erb'

As a workaround I have patched it; if it helps, I can create a PR for it.

saz commented

Are the config files of RHEL7 and RHEL8 the same?

Here the diff of the RHEL 7 and 8 default config:

@@ -51,8 +51,8 @@
 
 # Defaults specification
 
-# Refuse to run if unable to disable echo on the tty. This setting should also be
-# changed in order to be able to use sudo without a tty. See requiretty above.
+#
+# Refuse to run if unable to disable echo on the tty.
 #
 Defaults   !visiblepw
 
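Review bot: In the comment block above Defaults !visiblepw, the new text opens with a bare # line, so the single remaining sentence now has an empty comment line on both sides; drop the leading one. The removed sentence pointed readers to "requiretty above", which lies outside this hunk, so confirm that dropping the pointer matches what that section looks like in the RHEL 8 file. The setting itself is unchanged, so this hunk alone does not call for a separate template.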
@@ -64,6 +64,15 @@
 # env_reset is disabled or HOME is present in the env_keep list.
 #
 Defaults    always_set_home
+Defaults    match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults    always_query_group_plugin
 
 Defaults    env_reset
 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
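Review bot: Defaults match_group_by_gid, the first added line, has no comment, while always_query_group_plugin gets six lines of explanation; add a line stating what it changes. The added comment ties always_query_group_plugin to sudo 1.8.15 and says it restores the old behavior of passing unknown groups to the group plugin, so in a template both lines should stay in the RHEL 8 file only. The option is also a candidate for a module parameter, so that sites can follow the comment's own advice, "Disable this option for new behavior".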

The real change is that these two lines are added:
Defaults match_group_by_gid
Defaults always_query_group_plugin
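
One way to confirm that only the effective settings differ and the comment edits do not matter, as an added example that is not part of the original thread or of the puppet-sudo module. The two excerpts are constructed from the lines visible in the diff, and the helper names are hypothetical. It handles only global single-option Defaults lines (no Defaults:user scopes, comma lists or line continuations).

```python
import re

# Constructed excerpts built from the lines visible in the diff above;
# they are not the complete RHEL sudoers files.
RHEL7 = """\
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
"""
RHEL8 = """\
#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw
Defaults    always_set_home
Defaults    match_group_by_gid
Defaults    always_query_group_plugin
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
"""

# Global Defaults with one option: optional "!", a name, optional =, += or -= value.
DEFAULTS_RE = re.compile(r'^Defaults\s+(!?)(\w+)\s*(?:([+-]?=)\s*(.*))?$')

def effective_defaults(text):
    """Map each global Defaults option to its setting, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        m = DEFAULTS_RE.match(line.strip())
        if not m:
            continue  # comment, blank line, or a rule that is not a global Defaults
        negated, name, op, value = m.groups()
        if op is None:
            settings[name] = not negated  # boolean flag; "!" switches it off
        else:
            # keep every assignment in order, so a later += line is not lost
            settings.setdefault(name, []).append((op, value.strip().strip('"')))
    return settings

def compare(old, new):
    """Return option names added, removed or changed between two sudoers texts."""
    a, b = effective_defaults(old), effective_defaults(new)
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k])}

if __name__ == "__main__":
    print(compare(RHEL7, RHEL8))
```
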

There seems to exist #247, albeit I am a bit confused about the timeline since it existed when this issue was created. Is there still need for changes to get full rhel8 support running or is this closable?

The version 6.0.0 released on https://forge.puppet.com/modules/saz/sudo does not contain the RHEL8 template. In the git repo here the template exists. So it looks like it was forgotten to release a new version?

Ah ok, now it's clear, yeah. @saz I think this needs the release required tag :)
Edit: Maybe a new milestone wouldn't be bad, then I know what you want to get done for a new release and can focus on those issues

saz commented

@zilchms added. Thanks for the clarification!

saz commented

I've just released v7.0.0 which fixes this issue.