Don't create /etc/sudoers.d/google_sudoers unless OS Login is enabled
zachberger opened this issue · comments
In oslogin.go#L79 we correctly guard the call to accountsMgr.set() on OS Login being enabled; however, on main.go#L118 we don't do this check first, resulting in /etc/sudoers.d/google_sudoers being created even when the user does not use OS Login.
This creates challenges for customers who use Puppet to manage the /etc/sudoers.d directory. Puppet deletes this file and then the agent recreates it, causing churn.
We've been experiencing the same issue. In our case, we just changed our Puppet configuration to 'manage' that file instead:
sudo::configs:
  'google-sudoers':
    'content': '%google-sudoers ALL=(ALL) NOPASSWD:ALL'
    'sudo_file_name': 'google_sudoers'
Obviously it would be preferable if the agent didn't create it (as we're also not using OS Login) but this seems to work around it for now.
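A sketch of the guard requested in this issue, added here as an illustration and not taken from the guest agent's code: `ensureSudoers` is a hypothetical helper that creates the drop-in only when OS Login is enabled and skips the write when the file already holds the expected rule, so a Puppet-managed copy with the same content is left alone. The rule text is the one quoted in the workaround above; the temporary directory stands in for /etc/sudoers.d.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// Rule text as quoted in the Puppet workaround on this page.
const sudoersRule = "%google-sudoers ALL=(ALL) NOPASSWD:ALL\n"

// ensureSudoers is a hypothetical helper, not the guest agent's function.
// It writes the drop-in only when OS Login is enabled and leaves an
// identical existing file untouched, so config management sees no churn.
// It returns true when the file was (re)written.
func ensureSudoers(osLoginEnabled bool, path string) (bool, error) {
	if !osLoginEnabled {
		return false, nil // the missing guard: never create the file
	}
	if cur, err := os.ReadFile(path); err == nil && bytes.Equal(cur, []byte(sudoersRule)) {
		return false, nil // already correct, nothing to rewrite
	}
	tmp := path + ".tmp" // sudo skips includedir entries whose name contains '.'
	os.Remove(tmp)       // clear a stale temp file left by an interrupted run
	if err := os.WriteFile(tmp, []byte(sudoersRule), 0o440); err != nil {
		return false, err
	}
	if err := os.Rename(tmp, path); err != nil { // atomic replace
		os.Remove(tmp)
		return false, err
	}
	return true, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "sudoers.d") // constructed stand-in for /etc/sudoers.d
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "google_sudoers")
	for _, enabled := range []bool{false, true, true} {
		wrote, err := ensureSudoers(enabled, p)
		fmt.Println(enabled, wrote, err)
	}
}
```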