Faidon Liambotis has submitted this change and it was merged.

Change subject: sudo: actually make the linting safety checks work
sudo: actually make the linting safety checks work The current linting Execs, shamelessly stolen from the admin module, had a logic error in which it tried doing "exit 0" as means to handle the ensure => absent case, but ended up doing it unconditionally, therefore rendering the whole check moot! There's two ways to fix this: either move the "test -e" check to a separate onlyif parameter, or guard the whole Exec with an "if $ensure == present" check. The latter feels cleaner, so pick that one. Change-Id: I9b29d3e093446cbd602087d27718f6813cfe372b --- M modules/sudo/manifests/group.pp M modules/sudo/manifests/user.pp 2 files changed, 14 insertions(+), 12 deletions(-) Approvals: Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/sudo/manifests/group.pp b/modules/sudo/manifests/group.pp index 107dfc6..2ee2118 100644 --- a/modules/sudo/manifests/group.pp +++ b/modules/sudo/manifests/group.pp @@ -40,11 +40,12 @@ content => template('sudo/sudoers.erb'), } - exec { "sudo_group_${title}_linting": - command => "rm -f ${filename} && false", - unless => "test -e ${filename} && visudo -cf ${filename} || exit 0", - path => '/bin:/usr/bin:/usr/sbin', - refreshonly => true, - subscribe => File[$filename], + if $ensure == 'present' { + exec { "sudo_group_${title}_linting": + command => "/bin/rm -f ${filename} && /bin/false", + unless => "/usr/sbin/visudo -cqf ${filename}", + refreshonly => true, + subscribe => File[$filename], + } } } diff --git a/modules/sudo/manifests/user.pp b/modules/sudo/manifests/user.pp index 48fb4a4..6a64fdc 100644 --- a/modules/sudo/manifests/user.pp +++ b/modules/sudo/manifests/user.pp 
@@ -40,11 +40,12 @@ content => template('sudo/sudoers.erb'), } - exec { "sudo_user_${title}_linting": - command => "rm -f ${filename} && false", - unless => "test -e ${filename} && visudo -cf ${filename} || exit 0", - path => '/bin:/usr/bin:/usr/sbin', - refreshonly => true, - subscribe => File[$filename], + if $ensure == 'present' { + exec { "sudo_user_${title}_linting": + command => "/bin/rm -f ${filename} && /bin/false", + unless => "/usr/sbin/visudo -cqf ${filename}", + refreshonly => true, + subscribe => File[$filename], + } } } -- To view, visit https://gerrit.wikimedia.org/r/180777 Gerrit-MessageType: merged Gerrit-Change-Id: I9b29d3e093446cbd602087d27718f6813cfe372b Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <>
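Review bot: in the modules/sudo/manifests/group.pp hunk, the lint still runs only after the fact: with `refreshonly => true` and `subscribe => File[$filename]`, the Exec fires once the file resource has already written the new content, so a fragment that fails `visudo -cqf` is on disk until `/bin/rm -f ${filename}` removes it. If the Puppet version in use supports it, consider validating on the file resource itself with `validate_cmd => '/usr/sbin/visudo -cqf %'`, which checks the candidate content before it replaces the target and makes the separate linting Exec unnecessary. If the Exec stays, a comment noting that this window exists would help the next reader.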
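Review bot: in the modules/sudo/manifests/user.pp hunk, `${filename}` is interpolated unquoted into both `command` and `unless`, so a value containing spaces or shell metacharacters would change what `/bin/rm -f` and `/usr/sbin/visudo -cqf` operate on. Wrap it in single quotes inside the strings, or validate the value it is built from, and apply the same to group.pp. Separately, `command => "/bin/rm -f ${filename} && /bin/false"` fails on purpose so that the run is reported as failed after the bad file is removed; that intent is only explained in the commit message, and a one-line comment above the Exec would keep someone from "fixing" the `/bin/false` later.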