Tim Mooney
2011-Aug-05 20:01 UTC
[Puppet Users] augeas modify pam.d argument by relative position
All-
I've been using puppet (now 2.6.9) and augeas (now 0.7.2 + ruby-augeas 0.3.0) for a few weeks and I'm a convert.
I'm trying to modify a particular argument to a particular entry in the RHEL 6.1 /etc/pam.d/password-auth-ac file, and although I've come up with a way that "works", it's fragile. I'm hoping someone can suggest a better way.
First, the line in question in /etc/pam.d/password-auth-ac is
auth requisite pam_succeed_if.so uid >= 500 quiet
It's the third line in the "auth" section of that file. The problem is that we have a few old-timers that have uids in the range 101-499, and this line causes them problems on login via things like sshd.
In the past we would have scripted something in perl in our kickstart
%post script to switch that particular "500" to be "100".
Using this excellent past thread as a guide:
http://groups.google.com/group/puppet-users/browse_thread/thread/ab96038a5658ec98/cb0c0beb8cd5418b?lnk=gst&q=augeas+%2Bpam#cb0c0beb8cd5418b
I can match the line in question in augtool with:
print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]
/files/etc/pam.d/password-auth-ac/3
/files/etc/pam.d/password-auth-ac/3/type = "auth"
/files/etc/pam.d/password-auth-ac/3/control = "requisite"
/files/etc/pam.d/password-auth-ac/3/module = "pam_succeed_if.so"
/files/etc/pam.d/password-auth-ac/3/argument[1] = "uid"
/files/etc/pam.d/password-auth-ac/3/argument[2] = ">="
/files/etc/pam.d/password-auth-ac/3/argument[3] = "500"
/files/etc/pam.d/password-auth-ac/3/argument[4] = "quiet"
The problem is that 'uid', '>=', and '500' are all separate arguments.
I can get puppet to apply my modification if I use an entry like this:
#
# RHEL 6 has a new PAM file that needs to have the nid for "special
# users" adjusted down from 500 to 100.
#
augeas { "pam.d/password-auth-ac_uidfix":
  context => '/files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]',
  changes => [
    "set argument[3] 100",
  ],
  onlyif  => 'get argument[3] == "500"'
}
But that only works if argument[1]="uid", argument[2]=">=", and argument[3]="500". Ideally, my rule would find the position of "uid" in the line, and then match only if position() + 2 = "500".
I've tried things like:
print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"][argument[position()] = "uid"]
within augtool and that much works, but as soon as I try something like:
print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"][argument[position()] = "uid"][argument[position() + 1] = ">="]
it fails to match.
Anyone have an idea how I can rewrite things so that the match isn't dependent on the exact current order of arguments, and instead matches relative to the position of a previous argument (uid) or pair of arguments (uid and >=)?
Any thoughts appreciated,
Tim
--
Tim Mooney Tim.Mooney@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
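
The relative match described in the message above, as an added Python example (not the poster's code, and not an Augeas path expression): it finds `uid` followed by `>=` anywhere in the pam_succeed_if.so argument list of an auth line and changes the next token only when it equals the expected old value. The sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of /etc/pam.d/password-auth-ac.
# Only the auth line with "uid >= 500" should be touched.
SAMPLE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
account     sufficient    pam_succeed_if.so quiet uid < 500
"""

def uid_threshold_index(fields):
    """Return the index in fields of the token after 'uid' '>=', or None."""
    if len(fields) < 3 or fields[0] != "auth" or fields[2] != "pam_succeed_if.so":
        return None
    args = fields[3:]
    for i in range(len(args) - 2):
        if args[i] == "uid" and args[i + 1] == ">=":
            return 3 + i + 2  # position relative to 'uid', not to the line
    return None

def rewrite_uid_threshold(text, old="500", new="100"):
    """Change the value after 'uid >=' from old to new; return (text, count)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        # Keep the whitespace runs so the file's column alignment survives.
        parts = re.split(r"(\s+)", line)
        idx = [i for i in range(0, len(parts), 2) if parts[i]]
        fields = [parts[i] for i in idx]
        pos = uid_threshold_index(fields)
        # Same guard as the manifest's onlyif: act only on the expected value.
        if pos is not None and fields[pos] == old:
            parts[idx[pos]] = new
            changed += 1
        out.append("".join(parts))
    return "".join(out), changed

if __name__ == "__main__":
    print(rewrite_uid_threshold(SAMPLE)[0], end="")
```

Running it a second time on its own output reports zero changes, so it can also serve as a check that the file is already in the intended state.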
