Hi Fabrice, you can simply copy sudoers.aug <https://github.com/hercules-team/augeas/blob/master/lenses/sudoers.aug> from upstream to affected systems with a file resource until augeas 1.9.0 is released. I am not aware though that there are plans to rebase augeas for the 1.x series of puppet-agent; it'll show up in puppet-agent 5.x though.
David On Mon, Oct 2, 2017 at 2:03 AM, Fabrice Bacchella < [email protected]> wrote: > Looking at Puppet 1.10.8, I see in /opt/puppetlabs/puppet/lib/ > pkgconfig/augeas.pc: > > Version: 1.4.0 > > That version was released on june 2015/ > > But at https://github.com/hercules-team/augeas/releases, current augeas > version is 1.8.1, and still don't include patch for that bug. It prevent > upgrade to RHEL7.4. Any hop to get it corrected soon in the puppet agent ? > Or should I try to implement a workaround, because at the same time, there > is CVE-2017-1000253 that requires an upgrade to 7.4. > > > > Le 27 août 2017 à 14:17, Fabrice Bacchella <[email protected]> > a écrit : > > > > Thanks ! > > > >> Le 27 août 2017 à 06:56, David Lutterkort <[email protected]> a écrit : > >> > >> Hi Fabrice, > >> > >> I just merged this change to the sudoers lens to address that. You can > just overwrite the stock lens in /usr/share/augeas/lenses/dist/sudoers.aug > with the updated lens, and things should just work. > >> > >> David > >> > >> On Friday, August 25, 2017 at 9:43:13 AM UTC-7, Fabrice Bacchella wrote: > >> I've upgraded a test machin with Centos 7.4 CR > >> > >> When I run puppet on it, configuring /etc/sudoers with augeas, I'm > getting: > >> > >> Warning: Augeas[sudoers include](provider=augeas): Loading failed for > one or more files, see debug for /augeas//error output > >> > >> augtool ls /augeas//error says : > >> pos = 2308 > >> line = 65 > >> char = 12 > >> lens/ = /usr/share/augeas/lenses/dist/sudoers.aug:529.10-.70: > >> message = Iterated lens matched less than it should > >> > >> Line 65 is: > >> Defaults match_group_by_gid > >> > >> If I look at /usr/share/augeas/lenses/dist/sudoers.aug, I found: > >> let parameter_flag_kw = "always_set_home" | "authenticate" | > "env_editor" > >> | "env_reset" | "fqdn" | "ignore_dot" > >> | "ignore_local_sudoers" | "insults" | > "log_host" > >> | "log_year" | "long_otp_prompt" | > "mail_always" > >> | "mail_badpass" | "mail_no_host" | > "mail_no_perms" > >> | "mail_no_user" | "noexec" | "path_info" > >> | "passprompt_override" | "preserve_groups" > >> | "requiretty" | "root_sudo" | "rootpw" | > "runaspw" > >> | "set_home" | "set_logname" | "setenv" > >> | "shell_noargs" | "stay_setuid" | "targetpw" > >> | "tty_tickets" | "visiblepw" | > "closefrom_override" > >> | "closefrom_override" | "compress_io" | > "fast_glob" > >> | "log_input" | "log_output" | "pwfeedback" > >> | "umask_override" | "use_pty" > >> > >> match_group_by_gid is missing I think. > >> > >> -- > >> You received this message because you are subscribed to the Google > Groups "Puppet Users" group. > >> To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > >> To view this discussion on the web visit https://groups.google.com/d/ > msgid/puppet-users/66d019bc-0554-48e3-a2dc-1b61e5f976b8%40googlegroups.com > . > >> For more options, visit https://groups.google.com/d/optout. > > > > > > -- > > You received this message because you are subscribed to the Google > Groups "Puppet Users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > > To view this discussion on the web visit https://groups.google.com/d/ > msgid/puppet-users/77480E2A-BF98-4567-A536-4514CED03F41%40orange.fr. > > For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to a topic in the > Google Groups "Puppet Users" group. > To unsubscribe from this topic, visit https://groups.google.com/d/ > topic/puppet-users/IsAigbsPJ9o/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/puppet-users/ADEFCF63-15F5-4B95-8468-D2C01044FFA1%40orange.fr. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAHN%2BA%2BUmxUStKRA%3DFD4Bg6vteX9x1nd%3DTMC2jgUqDoCtfLCWcg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
