Faidon Liambotis has submitted this change and it was merged.

Change subject: sudo: actually make the linting safety checks work
......................................................................


sudo: actually make the linting safety checks work

The current linting Execs, shamelessly stolen from the admin module, had
a logic error in which it tried doing "exit 0" as a means to handle the
ensure => absent case, but ended up doing it unconditionally, therefore
rendering the whole check moot!

There are two ways to fix this: either move the "test -e" check to a
separate onlyif parameter, or guard the whole Exec with an "if $ensure
== present" check. The latter feels cleaner, so pick that one.

Change-Id: I9b29d3e093446cbd602087d27718f6813cfe372b
---
M modules/sudo/manifests/group.pp
M modules/sudo/manifests/user.pp
2 files changed, 14 insertions(+), 12 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/sudo/manifests/group.pp b/modules/sudo/manifests/group.pp
index 107dfc6..2ee2118 100644
--- a/modules/sudo/manifests/group.pp
+++ b/modules/sudo/manifests/group.pp
@@ -40,11 +40,12 @@
         content => template('sudo/sudoers.erb'),
     }
 
-    exec { "sudo_group_${title}_linting":
-        command     => "rm -f ${filename} && false",
-        unless      => "test -e ${filename} && visudo -cf ${filename} || exit 
0",
-        path        => '/bin:/usr/bin:/usr/sbin',
-        refreshonly => true,
-        subscribe   => File[$filename],
+    if $ensure == 'present' {
+        exec { "sudo_group_${title}_linting":
+            command     => "/bin/rm -f ${filename} && /bin/false",
+            unless      => "/usr/sbin/visudo -cqf ${filename}",
+            refreshonly => true,
+            subscribe   => File[$filename],
+        }
     }
 }
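
Review bot: In the new exec in group.pp, the lint still runs only after File[$filename] has been written (subscribe plus refreshonly), so a fragment that fails visudo sits at ${filename} until the exec fires and removes it, and the next run will write the same content again and repeat the cycle. Where the Puppet version supports it, consider validating before the file is put in place with the file resource's validate_cmd attribute, e.g. validate_cmd => '/usr/sbin/visudo -cqf %', which would also make the separate exec and the $ensure guard unnecessary.
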
diff --git a/modules/sudo/manifests/user.pp b/modules/sudo/manifests/user.pp
index 48fb4a4..6a64fdc 100644
--- a/modules/sudo/manifests/user.pp
+++ b/modules/sudo/manifests/user.pp
@@ -40,11 +40,12 @@
         content => template('sudo/sudoers.erb'),
     }
 
-    exec { "sudo_user_${title}_linting":
-        command     => "rm -f ${filename} && false",
-        unless      => "test -e ${filename} && visudo -cf ${filename} || exit 
0",
-        path        => '/bin:/usr/bin:/usr/sbin',
-        refreshonly => true,
-        subscribe   => File[$filename],
+    if $ensure == 'present' {
+        exec { "sudo_user_${title}_linting":
+            command     => "/bin/rm -f ${filename} && /bin/false",
+            unless      => "/usr/sbin/visudo -cqf ${filename}",
+            refreshonly => true,
+            subscribe   => File[$filename],
+        }
     }
 }
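
Review bot: In user.pp, ${filename} is interpolated unquoted into both the command and the unless strings, and the command relies on && so it is interpreted by a shell. If the value can ever contain whitespace or shell metacharacters, visudo and rm -f would act on something other than the intended file; wrapping it in single quotes inside the string ('${filename}') or validating $title against a strict pattern would close that off. The block is also a copy of the one in group.pp apart from the resource title, so a shared define would keep the two checks from drifting apart.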

-- 
To view, visit https://gerrit.wikimedia.org/r/180777

Gerrit-MessageType: merged
Gerrit-Change-Id: I9b29d3e093446cbd602087d27718f6813cfe372b
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
