hai wu
2011-Apr-12 02:30 UTC
[Puppet Users] any better way to manage access control via /etc/passwd
We need to manage /etc/passwd where there would be one line at the very end of the file to restrict access to all users not explicitly allowed:

+::::::/sbin/nologin

If using delete_lines and append_if_no_such_lines (similar to this one at http://www.debian-administration.org/articles/528) to manage access control, each time a few new users got appended to the /etc/passwd file, the above line would be deleted and appended, many times, while it only needs to be done once.

Any better way to manage this file in terms of access control? Augeas is buggy and I filed a bug report on this already.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Rich Rauenzahn
2011-Apr-12 03:14 UTC
Re: [Puppet Users] any better way to manage access control via /etc/passwd
On Mon, Apr 11, 2011 at 7:30 PM, hai wu <haiwu.us@gmail.com> wrote:
> We need to manage /etc/passwd where there would be one line at the very end
> of the file to restrict access to all users not explicitly allowed:
>
> +::::::/sbin/nologin
>
> If using delete_lines and append_if_no_such_lines (similar to this one at
> http://www.debian-administration.org/articles/528) to manage access control,
> each time a few new users got appended to /etc/passwd file, the above line
> would be deleted and appended, many times, while it only needs to be
> done once.
>
> Any better way to manage this file in terms of access control? Augeas is
> buggy and I filed a bug report on this already.

I just dealt with this in our puppet config -- I wrote a nis_modify_passwd script that has a --checkonly flag (for the exec's onlyif condition), and a --add function.

I used

lckpwdf (3) - get shadow password file entry
ulckpwdf (3) - get shadow password file entry

to lock the passwd file during the change -- and made sure not to edit the passwd file in place -- I make a 2nd copy, then mv it into place to ensure it works when out of disk space.

BUT.. after doing all of this, I later realized that in the nsswitch.conf, 'compat' mode for /etc/passwd sets the default for NIS to not allow anyone unless explicitly added to the /etc/passwd. So another way to deal with this is to change your nsswitch.conf to be 'compat' and not 'files nis'.

In other words, 'files nis' more or less does a #include of all NIS users, so you have to add an explicit global /sbin/nologin to your passwd file -- but 'compat' allows you to hand pick which NIS users you want and defaults to nologin.

Unfortunately, useradd doesn't seem to handle +user's...

Rich
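An added example, not Rich's nis_modify_passwd script, showing the shape the reply describes: a check-only mode an exec can use as its onlyif/unless, and a copy-then-mv rewrite that keeps the catch-all entry as the single last line, so the line is no longer deleted and re-appended on every run. It assumes plain POSIX sh and 0644 as the target mode; the lckpwdf(3) locking from the reply is not reachable from sh and is omitted.

```shell
#!/bin/sh
# Added example (not the poster's script): keep the compat catch-all
# "+::::::/sbin/nologin" as the single last line of a passwd-style file,
# rewriting the file only when that is not already true.
NOLOGIN_ENTRY='+::::::/sbin/nologin'

# Exit 0 only if the entry is present exactly once and is the last line.
# Suits an exec's "unless" so Puppet skips the rewrite when nothing changed.
passwd_check() {
    file=$1
    [ -f "$file" ] || return 1
    [ "$(tail -n 1 "$file")" = "$NOLOGIN_ENTRY" ] || return 1
    [ "$(grep -c -x -F -- "$NOLOGIN_ENTRY" "$file")" -eq 1 ] || return 1
}

# Rewrite: drop every existing copy of the entry, append exactly one at the end.
# Writes a temp file in the same directory and mv's it into place, so a full
# disk or a crash leaves the original intact. Assumes 0644 as the desired mode.
# lckpwdf(3) locking, as in the reply, is not available from plain sh (omitted).
passwd_fix() {
    file=$1
    tmp=$(mktemp "$(dirname "$file")/passwd.XXXXXX") || return 1
    { grep -v -x -F -- "$NOLOGIN_ENTRY" "$file"; printf '%s\n' "$NOLOGIN_ENTRY"; } > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" && mv "$tmp" "$file"
}

# Check first, rewrite only when needed: repeated runs never touch the file.
passwd_ensure() {
    passwd_check "$1" || passwd_fix "$1"
}

# Demo on a constructed passwd file (never the real /etc/passwd): the entry
# sits in the middle, as after a few useradd appends, and gets moved last.
passwd_demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/sh\n%s\nalice:x:1000:1000::/home/alice:/bin/sh\n' \
        "$NOLOGIN_ENTRY" > "$d/passwd"
    passwd_ensure "$d/passwd" && cat "$d/passwd"
    rm -rf "$d"
}

# Usage: script.sh --checkonly FILE | --fix FILE | --demo
case "${1:-}" in
    --checkonly) passwd_check "$2" ;;
    --fix)       passwd_ensure "$2" ;;
    --demo)      passwd_demo ;;
esac
```

In a Puppet manifest this pairs as `exec { 'fix': command => 'script.sh --fix /etc/passwd', unless => 'script.sh --checkonly /etc/passwd' }`, so the rewrite happens once and then stays idle.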