Set does not support negating a node in /etc/sudoers #81

@robertlich

Description

Describe the Bug

Running this block to configure my sudo_accounts

  augeas { 'sudo_accounts':
    context => '/files/etc/sudoers',
    changes => [
      # Create a command alias for switching a user
      "set Cmnd_Alias/alias/name ELEVATING",
      "set Cmnd_Alias/alias/command[1] /bin/su",
      "set Cmnd_Alias/alias/command[2] /bin/usr/su",
      "set spec[user = '%wheel']/user %wheel",
      # Allow the wheel group to run all commands without a password, excepting the ELEVATING commands
      "set spec[user = '%wheel']/host_group/host ALL",
      "set spec[user = '%wheel']/host_group/command[1] ALL",
      "set spec[user = '%wheel']/host_group/command[1]/runas_user ALL",
      "set spec[user = '%wheel']/host_group/command[1]/tag NOPASSWD",
      "set spec[user = '%wheel']/host_group/command[2] ELEVATING",
      # This is the line that fails ("missing the second argument for set"):
      "set spec[user = '%wheel']/host_group/command[2]/negate",
      # Workaround that does apply the negation (see below):
      # "clear spec[user = '%wheel']/host_group/command[2]/negate",
    ],
    onlyif => "match spec/user[.='%wheel'][../host_group/command/tag='NOPASSWD'] size == 0",
  }

Results in an error that I am missing the second argument for set.

Expected Behavior

Using the same augtool executable to run:

set /files/etc/sudoers/spec[3]/host_group/command/negate

Will result in the command on that line being negated.

In this particular example it turns:

%wheel ALL=(ALL) NOPASSWD : ALL , ELEVATING
=>
%wheel ALL=(ALL) NOPASSWD : ALL , !ELEVATING

Notably, if I were to try to just use:

"set spec[user = '%wheel']/host_group/command[2] !ELEVATING",

in the puppet code above, that also fails. So I'm left with no options for set to negate a command in the sudoers file, which doesn't match the actual behaviour of augtool.

I am able to get around this by using:

"clear spec[user = '%wheel']/host_group/command[2]/negate"

But that's a little unintuitive.

Steps to Reproduce

I have provided the steps to reproduce as part of the above.

Environment

  • Puppet v7.30.0
  • augtool 1.14.1
  • Rocky 8.9
  • having a hard time determining what version of puppetlabs-augeas_core is in this version of puppet
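The following is an added example, not code from the issue, from puppetlabs-augeas_core or from Augeas itself. It models, in plain Python, the tree shape the Augeas sudoers lens uses for a user spec line (the node names `user`, `host_group`, `host`, `command`, `runas_user`, `tag` and `negate` are taken from the paths used in the issue; the exact tree layout is an assumption based on those paths). The point it makes visible is that `!` before a command is stored as a `negate` child node that carries no value, which is why a `clear` (create a node with a NULL value) produces the negation while a `set` without a second argument is rejected. It also includes a defender-side check that reports which commands a spec really allows without a password after the change, so a reviewer can confirm that the ELEVATING exclusion landed. The sample sudoers line is the one from the issue.

```python
"""Augeas-style model of a sudoers user spec (added example, not from the issue)."""
import re

# Tags the mini-parser understands; a tag applies to the command it precedes and
# to every following command on the line until overridden (sudoers(5) semantics).
TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV")


def parse_spec(line):
    """Parse one user-spec line into a dict shaped like the Augeas lens tree.

    Assumed shape (from the paths in the issue):
      {"user": ..., "host_group": {"host": ..., "command": [
          {"value": "ALL", "runas_user": "ALL", "tag": ["NOPASSWD"]},
          {"value": "ELEVATING", "negate": None}]}}
    Commands containing commas are not handled by this toy parser.
    """
    m = re.match(r"^\s*(\S+)\s+([^=\s]+)\s*=\s*(.*?)\s*$", line)
    if not m:
        raise ValueError("not a user spec line: %r" % line)
    user, host, rest = m.groups()
    commands = []
    for item in rest.split(","):
        item = item.strip()
        cmd = {}
        r = re.match(r"^\(([^)]*)\)\s*(.*)$", item)
        if r:  # optional "(runas)" prefix
            cmd["runas_user"], item = r.group(1).strip(), r.group(2)
        tags = []
        while True:  # zero or more "TAG:" prefixes
            t = re.match(r"^(%s)\s*:\s*(.*)$" % "|".join(TAGS), item)
            if not t:
                break
            tags.append(t.group(1))
            item = t.group(2)
        if tags:
            cmd["tag"] = tags
        if item.startswith("!"):
            cmd["negate"] = None  # value-less node, the same thing `clear` creates
            item = item[1:].strip()
        cmd["value"] = item
        commands.append(cmd)
    return {"user": user, "host_group": {"host": host, "command": commands}}


def render_spec(tree):
    """Serialise the tree back to a sudoers line."""
    parts = []
    for cmd in tree["host_group"]["command"]:
        s = ""
        if "runas_user" in cmd:
            s += "(%s) " % cmd["runas_user"]
        for t in cmd.get("tag", []):
            s += t + ": "
        if "negate" in cmd:
            s += "!"
        s += cmd["value"]
        parts.append(s)
    return "%s %s=%s" % (tree["user"], tree["host_group"]["host"], ", ".join(parts))


def negate_command(tree, index):
    """Model of `clear .../host_group/command[N]/negate` with 1-based N, as in Augeas."""
    cmds = tree["host_group"]["command"]
    if not 1 <= index <= len(cmds):
        raise IndexError("command[%d] does not exist" % index)
    cmds[index - 1]["negate"] = None  # node present, value NULL: that is the negation
    return tree


def passwordless_commands(tree):
    """Return (allowed, excluded): commands runnable with NOPASSWD, and negated ones."""
    allowed, excluded = [], []
    active = False
    for cmd in tree["host_group"]["command"]:
        tags = cmd.get("tag", [])
        if "NOPASSWD" in tags:
            active = True
        if "PASSWD" in tags:
            active = False
        if "negate" in cmd:
            excluded.append(cmd["value"])
        elif active:
            allowed.append(cmd["value"])
    return allowed, excluded


if __name__ == "__main__":
    # Constructed input: the line from the issue before the negation is applied.
    tree = parse_spec("%wheel ALL=(ALL) NOPASSWD : ALL , ELEVATING")
    negate_command(tree, 2)
    print(render_spec(tree))
    print(passwordless_commands(tree))
```

Running it prints the negated line and a `(['ALL'], ['ELEVATING'])` summary; the second function is the check worth keeping in a post-apply test, since a failed `set` leaves `ELEVATING` in the allowed list rather than the excluded one.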

Labels

bug