I've written a define to replace the shell of system accounts with /dev/null:

    define preventLogin2systemaccts (){
        user{ $title:
            shell => "/dev/null" ,
        }
    }

Invoking this define like this works:

    $systemAccts = ["daemon", "bin"]
    preventLogin2systemaccts{ $systemAccts : }

However, I'd like to dynamically generate an array of system accounts with UIDs < 500 (and UID != 0). I tried

    $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )

but, no matter how the output of this script is formatted, it doesn't work.

I'm a newbie. Should this approach work? Am I missing something here? Is there a better approach?

-bonobo

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
bonobo
2010-Aug-29 19:27 UTC
[Puppet Users] Re: Dynamically generate array of system accounts
I may have answered my own question, but it still seems like there might be a better way.

Here's what I came up with:

    # Secure Configuration Control 1.

    # Change the shell for system accounts to /dev/null. System accounts
    # are accounts with UIDs less than 500 but greater than 0.
    #
    # Exceptions:
    # - Accounts with the shells /sbin/shutdown, /bin/sync, /sbin/halt.
    # - The nx account (used by FreeNX for remote desktop access).

    define preventLogin2SystemAccts (){
        user{ $title:
            shell => "/dev/null" ,
        }
    }

    $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )
    $systemAcctsArray = split( $systemAccts, '[,]')
    preventLogin2SystemAccts{ $systemAcctsArray : }
Patrick
2010-Aug-29 21:21 UTC
Re: [Puppet Users] Re: Dynamically generate array of system accounts
I was under the impression that "generate" is run on the puppetmaster, but I'm not sure. You might want to check to see if your user list is coming from the server.

On Aug 29, 2010, at 12:27 PM, bonobo wrote:

> I may have answered my own question, but it still seems like there
> might be a better way.
>
> Here's what I came up with:
>
> # Secure Configuration Control 1.
>
> # Change the shell for system accounts to /dev/null. System accounts
> # are accounts with UIDs less than 500 but greater than 0.
> #
> # Exceptions:
> # - Accounts with the shells /sbin/shutdown, /bin/sync, /sbin/halt.
> # - The nx account (used by FreeNX for remote desktop access).
>
> define preventLogin2SystemAccts (){
>     user{ $title:
>         shell => "/dev/null" ,
>     }
> }
>
> $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )
> $systemAcctsArray = split( $systemAccts, '[,]')
> preventLogin2SystemAccts{ $systemAcctsArray : }
Daniel Pittman
2010-Aug-30 00:08 UTC
Re: [Puppet Users] Re: Dynamically generate array of system accounts
Patrick <kc7zzv@gmail.com> writes:

'generate' is run on the puppetmaster; there isn't actually an easy way to query this on the client other than using a custom fact.

Daniel

> I was under the impression that "generate" is run on the puppetmaster, but
> I'm not sure. You might want to check to see if your user list is coming
> from the server.
>
> On Aug 29, 2010, at 12:27 PM, bonobo wrote:
>
>> I may have answered my own question, but it still seems like there
>> might be a better way.
>>
>> Here's what I came up with:
>>
>> # Secure Configuration Control 1.
>>
>> # Change the shell for system accounts to /dev/null. System accounts
>> # are accounts with UIDs less than 500 but greater than 0.
>> #
>> # Exceptions:
>> # - Accounts with the shells /sbin/shutdown, /bin/sync, /sbin/halt.
>> # - The nx account (used by FreeNX for remote desktop access).
>>
>> define preventLogin2SystemAccts (){
>>     user{ $title:
>>         shell => "/dev/null" ,
>>     }
>> }
>>
>> $systemAccts = generate("/etc/puppet/scripts/list.system.accounts.sh" )
>> $systemAcctsArray = split( $systemAccts, '[,]')
>> preventLogin2SystemAccts{ $systemAcctsArray : }

--
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Bryan Horstmann-Allen
2010-Aug-30 00:15 UTC
Re: [Puppet Users] Re: Dynamically generate array of system accounts
I have used a simple fact to (very) naively determine "real" users. It runs on each client:

    $ cat localusers.rb
    Facter.add("localusers") do
        setcode do
            %x{USERS=`/bin/getent passwd | /bin/grep /home | /bin/awk -F: \'{print $1}\'`; echo $USERS | sed -e \'s/ /,/g\'}.chomp
        end
    end

And is then accessed in Puppet like so:

    $users = split($localusers, ",")
    provision_user { $users: }

Cheers.

--
bdha
cyberpunk is dead. long live cyberpunk.
Daniel Pittman
2010-Aug-30 05:43 UTC
Re: [Puppet Users] Re: Dynamically generate array of system accounts
Bryan Horstmann-Allen <bda@mirrorshades.net> writes:

> I have used a simple fact to (very) naively determine "real" users. It runs on
> each client:
>
> $ cat localusers.rb
> Facter.add("localusers") do
>     setcode do
>         %x{USERS=`/bin/getent passwd | /bin/grep /home | /bin/awk -F: \'{print $1}\'`; echo $USERS | sed -e \'s/ /,/g\'}.chomp

If you don't mind a couple of nits:

You probably want to note that this will collect users from, for example, NIS or LDAP directories when run, not just "local" /etc/passwd users. Different people have different views on what "local" means in that case and I have been caught by that before.

You can replace the grep, awk, echo, sed set with the more efficient:

    /bin/getent passwd | /bin/awk -F: '/\/home/ {printf $1 ","}'

Regards,
Daniel

--
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Bryan Horstmann-Allen
2010-Aug-31 17:55 UTC
Re: [Puppet Users] Re: Dynamically generate array of system accounts
+------------------------------------------------------------------------------
| On 2010-08-30 15:43:44, Daniel Pittman wrote:
|
| You probably want to note that this will collect users from, for example, NIS
| or LDAP directories when run, not just "local" /etc/passwd users. Different
| people have different views on what "local" means in that case and I have been
| caught by that before.
|
| You can replace the grep, awk, echo, sed set with the more efficient:
|
|     /bin/getent passwd | /bin/awk -F: '/\/home/ {printf $1 ","}'

Nits welcome. :)

In that environment, we were pulling user accounts from LDAP, so. I should have mentioned that.

Excellent use of awk.

Cheers.

--
bdha
cyberpunk is dead. long live cyberpunk.
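
Added example (not part of the original thread and not code from any of the posters): a client-side custom fact of the kind Daniel Pittman points to, listing accounts with 0 < UID < 500 and applying the exceptions from bonobo's comment block. The fact name `system_accounts`, the helper and constant names and the sample passwd text are assumptions for illustration; it reads /etc/passwd directly, so NIS or LDAP entries are not included, and login names that would corrupt the comma-separated value are dropped.

```ruby
# Added example: logic for a client-side fact listing system accounts.
# Exceptions mirror bonobo's comment block; all names here are illustrative.
SKIP_SHELLS = %w[/sbin/shutdown /bin/sync /sbin/halt].freeze
SKIP_USERS  = %w[nx].freeze
# Conservative login-name pattern: keeps commas and whitespace out of the
# comma-separated fact value that the manifest later split()s.
NAME_RE = /\A[a-z_][a-z0-9_-]*\z/i

# Parse passwd(5)-format text and return sorted names with 0 < UID < max_uid.
def system_accounts(passwd_text, max_uid = 500)
  names = []
  passwd_text.each_line do |raw|
    line = raw.chomp
    # Skip blanks, comments and NIS compat entries ("+..." / "-...").
    next if line.empty? || line.start_with?('#', '+', '-')
    name, _pw, uid, _gid, _gecos, _home, shell = line.split(':', 7)
    next unless uid.to_s.match?(/\A\d+\z/) && name.to_s.match?(NAME_RE)
    next unless uid.to_i > 0 && uid.to_i < max_uid
    next if SKIP_USERS.include?(name) || SKIP_SHELLS.include?(shell)
    names << name
  end
  names.sort
end

# Constructed sample input (not taken from any real host).
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  bin:x:1:1:bin:/bin:/sbin/nologin
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  nx:x:498:498:FreeNX:/var/lib/nxserver/home:/usr/bin/nxserver
  alice:x:500:500:Alice:/home/alice:/bin/bash
  +@netgroup::::::
PASSWD

# Register the fact only when loaded by Facter (e.g. from lib/facter/).
if defined?(Facter)
  Facter.add('system_accounts') do
    setcode { system_accounts(File.read('/etc/passwd')).join(',') }
  end
else
  puts system_accounts(SAMPLE_PASSWD).join(',')
end
```

In a manifest the value would be split the same way as `$localusers` in the thread, with split($system_accounts, ","), before being passed to the define.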