saz/puppet-sudo

Not All Files in /etc/sudoers.d Getting Purged

bpadgett505 opened this issue · 10 comments

Hello,

I have recently set up this module in my environment.

During my testing last week I found that not all of the files that are not under Puppet control in /etc/sudoers.d are being purged.

I messed around with it for a couple of hours trying to find any correlation to the file names but was unable to.

Is this a known issue or could I be missing a declaration in my code to make this work properly?

Thanks.

Files under puppet control aren't supposed to be purged, since puppet is managing them. Only non-managed files should be purged.

Yes, I'm seeing files not under Puppet control that are not being purged. Some are being purged. Some are not.

You might be able to tell why if you run puppet with --debug.

saz commented

@bpadgett505 can you show us some file names?

Hiya,

Here is an example. The files with a puppet-bak suffix are not under puppet control, but they are being handled.

115_sierra_romeo_foxtrot is being ignored by puppet and is not defined in my code.

I found at least three or four names last Friday that were being ignored.

Thanks for taking a look at my issue.

Here is a puppet debug run where I grep -i for sudo:

I think it's probably failing because of bad permissions. Should be 0600 or 0660, otherwise the visudo -c fails.

saz commented

Are you sure those files are not managed by puppet? It might be possible that there's neither "sudo" nor a part of the file name in the title, which therefore won't be matched by grep.

What happens if you're manually removing such a file and run puppet right after?

Which parameters are you setting?

@bpadgett505 If you could also provide what you are feeding into your puppet code, whether that be the relevant hiera entries or .pp files, that would be awesome. It would help immensely with debugging.

From what I can read out of your debug-logs etc, these 3 files are not touched by puppet.

-rw-r--r-- 1 root root 0 Oct 7 12:24 103_trout_fishing_rules.puppet-bak
-rw-r--r-- 1 root root 0 Oct 7 12:22 104_windows_sucks.puppet-bak
-rw-r--r-- 1 root root 0 Oct 7 12:27 115_sierra_romeo_foxtrot

As kenyon noted, the common denominator seems to be the file permissions. So I would like to know where they are from (manually placed, placed by something in your puppet code, or something else entirely).

PS: it seems these files are empty? Maybe that's causing some misbehaviour?

saz commented

purge => true must be set on the file resource /etc/sudoers.d to remove any unmanaged files. As this is some behavior of the puppet file type, it's not related to permissions (as new files are created and owned by root) or any validation command (this will only affect new or changed files).

Either those files are managed by puppet or purge_ignore is set and those files are matching and are therefore not removed (not sure if they will show up during an agent run with --debug).

Another idea: maybe something else is creating those files between agent runs?
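A worked example of the purge behaviour described in the comment above, added here as an illustration; it is not code from saz/sudo or from the reporter's manifests. It is written against Puppet's core file type so the purge semantics are visible, and the resource titles, the snippet content, the '*.puppet-bak' ignore pattern and the 'sudo' class parameter names are assumptions for illustration only.

```puppet
# Added example, not part of the saz/sudo module or the issue thread.
# Paths, file names and the ignore pattern below are illustrative assumptions.

# 1. The directory resource. Both recurse and purge must be set: purge => true
#    on its own removes nothing, because purging only happens while recursing.
file { '/etc/sudoers.d':
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0750',
  recurse => true,
  purge   => true,
  # This is the usual reason an unmanaged file survives a purge. Patterns are
  # shell-style globs; '*.puppet-bak' keeps only the backup files, whereas a
  # broader pattern such as '1*' would also keep a file like
  # 115_sierra_romeo_foxtrot, and nothing in a --debug run says why.
  ignore  => '*.puppet-bak',
}

# 2. A managed snippet. A file declared as a resource is never purged, so a
#    file that unexpectedly survives is either declared somewhere (possibly
#    under a title that contains neither "sudo" nor its name) or matched by ignore.
file { '/etc/sudoers.d/10_ops_admins':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0440',
  content      => "%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app.service\n",
  # validate_cmd runs visudo against the new content before it is written.
  # It only fires for new or changed content, so it cannot block a purge and
  # permissions on pre-existing unmanaged files do not affect purging.
  validate_cmd => '/usr/sbin/visudo -c -f %',
  require      => File['/etc/sudoers.d'],
}

# 3. The same two settings expressed through the module class. The parameter
#    names purge and purge_ignore are as named in this thread; treat the exact
#    signature as an assumption and check the module's README for your version.
# class { 'sudo':
#   purge        => true,
#   purge_ignore => '*.puppet-bak',
# }
```

To check which case applies on a host, run the agent once with --debug and look for the ignore pattern and the full list of File resources under /etc/sudoers.d (grep on the directory path rather than on "sudo", since a resource title need not contain either); then delete one surviving file by hand and re-run the agent, as suggested earlier in the thread, to tell a purge problem apart from something recreating the file between runs.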

saz commented

@bpadgett505 As there's been no response for a long time and nobody else reports this behavior, I'll close the issue. If you think it's still a valid issue, please let me know.