Group names with space
Version: saz-sudo (v6.0.0)
This issue affects Active Directory (or other LDAP) joined machines.
When setting a config with content that includes a group name with a space in it, there is a parsing error during the Puppet run. Example code:
'space-group':
  content: "%group\ with\ space ALL=(ALL) ALL"
  priority: 20
Puppet run error
Notice: /Stage[main]/Sudo/Sudo::Conf[space-group]/Exec[sudo-syntax-check for file/etc/sudoers.d/20_space-group]/returns: parse error in /etc/sudoers.d/20_space-group near line 2
The content portion of this works in RHEL/CentOS 7 -- I'm not sure if that's a caveat to those OSes or standard Linux. Here's a forum from RedHat where I found this answer. https://access.redhat.com/discussions/2950661
Can you specify on what OS your agent is running into this issue? That helps me when trying to replicate this.
The issue was experienced on CentOS Linux release 7.9.2009 (Core); if it matters Puppet agent version 5.5.22.
I don't see a good way to solve this issue. content is just a string. I don't see any way to escape just the group part within it.
I don't see where the error is coming from. visudo -c comes back clean when I check the configuration, and if the string from content is just filled into a text file under sudoers.d, where is it being parsed?
If I read this correctly it starts somewhere around here: https://github.com/saz/puppet-sudo/blob/f3cecf49ecde3dd81269a0c20cc6b68fcc212c34/manifests/conf.pp#L105 Resulting in: https://github.com/saz/puppet-sudo/blob/f3cecf49ecde3dd81269a0c20cc6b68fcc212c34/manifests/conf.pp#L139 being called. Can you manually try to replicate the full check with the "||" and the part after? Though I don't see why that should be an issue, since manually calling visudo -c seems to work for you. Edit: I am also not sure which delete_cmd command gets called on your end. Haven't gotten around to setting up a fitting test env for this on my end (sorry)
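An added check, not part of the thread or the module's code: assuming the example above is Hiera YAML, this shows which string each quoting style hands to the sudoers file, since a YAML double-quoted scalar treats `\ ` as an escape for a plain space. The helper names and the field-splitting heuristic are hypothetical and much simpler than the real sudoers grammar.

```ruby
require 'yaml'

# Constructed Hiera-style data (assumption: the rule is loaded from YAML).
# Same sudoers rule in three quoting styles; <<~'YAML' keeps backslashes literal.
SAMPLES = {
  double: <<~'YAML',
    'space-group':
      content: "%group\ with\ space ALL=(ALL) ALL"
      priority: 20
  YAML
  single: <<~'YAML',
    'space-group':
      content: '%group\ with\ space ALL=(ALL) ALL'
      priority: 20
  YAML
  double_escaped: <<~'YAML'
    'space-group':
      content: "%group\\ with\\ space ALL=(ALL) ALL"
      priority: 20
  YAML
}.freeze

# The string that would be written to the sudoers.d file after YAML parsing.
def sudoers_content(yaml_text)
  YAML.safe_load(yaml_text).fetch('space-group').fetch('content')
end

# Split on whitespace that is not preceded by a backslash (simplified heuristic).
def fields(content)
  content.split(/(?<!\\)\s+/)
end

# True when the field right after the %group token looks like "host=(runas)",
# i.e. the spaces inside the group name survived as escaped spaces.
def host_field_follows_group?(content)
  f = fields(content)
  f.length >= 2 && f[1].include?('=')
end

SAMPLES.each do |style, yaml_text|
  content = sudoers_content(yaml_text)
  puts format('%-15s %-40s group intact: %s', style, content.inspect,
              host_field_follows_group?(content))
end
```
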