Feature #18142

closed

Adding $use_sudoers bool to control management of /etc/sudoers.

Added by Chris Baldwin over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty: easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

This feature request is because the "puppet" bool is used to control two different actions (configure puppet module in the smart proxy and add content to sudoers or sudoers.d) and those actions should be separated in certain circumstances:

  • Company policy may not allow for non-hostsec people/processes to modify sudoers or sudoers.d.
  • Augeas in Puppet 3 cannot handle the "!$Cmnd_Alias" option in sudoers. (Note: This is solved in Puppet 4. Even though Puppet 3 is EOL, people will continue to use it for a while.)

If either $puppetca or $puppet are set to true, the module attempts to add lines to /etc/sudoers or a file to /etc/sudoers.d, depending on the value of $use_sudoersd. If we don't want to write anything to /etc/sudoers or /etc/sudoers.d, we need a workaround. Our current workaround for this issue is to change "$sudoers" from "${etc_dir}/sudoers" to something else, like "/tmp/fakefile". In that scenario, augeas will not crash (we use "!$Cmnd_Alias") and will make the unwanted changes in a different file.

I created $use_sudoers (which is very similar to $use_sudoers*d*) to tell the module whether or not it can touch /etc/sudoers. If you set both $use_sudoersd and $use_sudoers to true, then the module should manage sudoers.d (due to the if/else statement's order). If you set them both to false, the module will leave sudoers and sudoers.d alone. If you set $use_sudoersd to false and $use_sudoers to true, then the module will manage /etc/sudoers. Note: The default value for $use_sudoers is false.
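A post-run check for the three outcomes described in this ticket, as an added example (not code from puppet-foreman_proxy or from the ticket's author): it reports whether sudoers rules for an account sit in the main file, in the drop-in directory, in both, or in neither. The account name `foreman-proxy`, the function name and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example: report where sudoers rules for an account live.
# Prints one of: sudoers, sudoers.d, both, none.
# Usage: sudoers_location ACCOUNT SUDOERS_FILE SUDOERS_D_DIR
# ACCOUNT is an assumption (e.g. foreman-proxy); it is not taken from the ticket.
sudoers_location() {
    account=$1
    main=$2
    dropin_dir=$3
    # Match a user rule or a "Defaults:ACCOUNT" entry at the start of a line.
    # Commented-out lines start with '#' and therefore do not match.
    pattern="^[[:space:]]*(Defaults:)?${account}([[:space:]]|\$)"
    in_main=no
    in_dropin=no

    if [ -f "$main" ] && grep -Eq "$pattern" "$main"; then
        in_main=yes
    fi

    if [ -d "$dropin_dir" ]; then
        for f in "$dropin_dir"/*; do
            # sudo ignores drop-in files whose name ends in '~' or contains a dot,
            # so a leftover "name.bak" is not an active rule.
            case ${f##*/} in
                *~|*.*) continue ;;
            esac
            if [ -f "$f" ] && grep -Eq "$pattern" "$f"; then
                in_dropin=yes
            fi
        done
    fi

    case $in_main$in_dropin in
        yesyes) echo both ;;
        yesno)  echo sudoers ;;
        noyes)  echo sudoers.d ;;
        *)      echo none ;;
    esac
}

# Run directly as: ./check.sh foreman-proxy /etc/sudoers /etc/sudoers.d
if [ "$#" -eq 3 ]; then
    sudoers_location "$@"
fi
```

With both `$use_sudoersd` and `$use_sudoers` set to false the expected result is `none`; `both` means an earlier run or another process left rules in the file the module is no longer managing.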

#1

Updated by Chris Baldwin over 7 years ago

Forgot to mention - this is for puppet-foreman_proxy. The context is using the module to install the Smart Proxy on a Puppet CA or Puppet CM server (not AIO!).

#2

Updated by Chris Baldwin over 7 years ago

  • Status changed from New to Resolved

PR was merged. Thanks!
