Wow, I'm surprised to have received no responses to this so far, but it
does seem to be a hard problem. In fact, I was thinking about it more
last night and this morning and it's even trickier than I thought last
night. I may have to come up with a different approach, but I would like
to restate my problem at a higher level, as I'm curious how others have
addressed this issue.

How do you manage access to individual systems? This includes LDAP
accounts and netgroups (for most users) and a few special application
accounts (e.g. oracle) that need to be local to specific systems.

Thanks,
Justin


-----Original Message-----
From: help-cfengine-boun...@cfengine.org
[mailto:help-cfengine-boun...@cfengine.org] On Behalf Of Justin Lloyd
Sent: Wednesday, February 10, 2010 11:30 AM
To: help-cfengine@cfengine.org
Subject: Deleting lines from a file that don't match a list

Suppose you have an slist that contains a list of the only netgroups you
want in /etc/passwd (ignore /etc/shadow for this example) on a given
system. It's easy to ensure they're all there, but how would you ensure
that no other netgroups are in the file? For example, given:

bundle agent test {
    vars:
        # will be something like { "is", "dba", "ps" }
        # (execresult returns a string, so it is split on whitespace here)
        "valid_netgroups" slist => splitstring(execresult("/usr/local/bin/asset data $(sys.uqhost) netgroups", "noshell"), "\s+", "99");

    files:
        "/etc/passwd"
            edit_line => insert_netgroups("$(valid_netgroups)");
}

bundle edit_line insert_netgroups(netgroup) {
    insert_lines:
        # NIS compat entry for one netgroup, e.g. "+@dba::::::"
        "+@$(netgroup)::::::";
}

But how do I ensure that ONLY those netgroups are in the file and that
any others get deleted (due to access policy changes, improper manual
edits, etc.)? The following won't work due to the caveat that I want to
avoid unnecessary repairs to prevent messing up repair statistics:

bundle edit_line insert_netgroups(netgroup) {
    delete_lines:
        # regex: the leading + must be escaped or PCRE rejects it
        "\+@.*";

    insert_lines:
        "+@$(netgroup)::::::";
}

I thought of trying something with delete_select, for example:

body delete_select delete_other_netgroups(netgroups) {
    delete_if_not_startwith_from_list => { @(netgroups) };
}

but that doesn't work in this case because the matching lines I would
want to delete actually start with +@ before each netgroup name. So I
was trying to think of how to create a new slist from the existing one,
mapping each "$(netgroup)" value to "+@$(netgroup)", but no success with
that yet. Other delete bodies seem to have a similar problem.

Am I making this too complicated? Is there a simpler way to accomplish
this in the docs that I'm just missing?

Thanks,
Justin


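One way to get the "only these netgroups, delete the rest, no repairs once converged" behaviour asked for above, as an added example that is neither the poster's code nor anything shipped by the CFEngine project. It assumes a CFEngine 3 release that provides maplist(); the /usr/local/bin/asset command is the poster's own tool and is used as given. The idea is the one the post was reaching for: map the list of names to full "+@name::::::" lines once, then restrict the delete to "+@" lines and filter those against the mapped list, so ordinary user entries are never candidates.

```cfengine3
# Added example, not from the original post. Keep exactly the netgroups
# listed in valid_netgroups in /etc/passwd: delete any other "+@" line,
# insert any that are missing, and do nothing once the file matches.
# Assumes maplist() is available (CFEngine 3.1 or later).
body common control {
    bundlesequence => { "enforce_netgroups" };
}

bundle agent enforce_netgroups {
    vars:
        # Allowed netgroup names, e.g. { "is", "dba", "ps" } (poster's tool)
        "valid_netgroups" slist => splitstring(
            execresult("/usr/local/bin/asset data $(sys.uqhost) netgroups", "noshell"),
            "\s+", "99");

        # Literal lines we want present, e.g. "+@dba::::::"
        "wanted_lines" slist => maplist("+@$(this)::::::", "valid_netgroups");

        # The same lines as anchored regexes for delete_select; the leading
        # "+" must be escaped because the list entries are matched as PCRE.
        "wanted_regex" slist => maplist("\+@$(this)::::::", "valid_netgroups");

    files:
        "/etc/passwd"
            edit_line => only_these_netgroups("@(enforce_netgroups.wanted_lines)");
}

bundle edit_line only_these_netgroups(lines) {
    delete_lines:
        # Candidates are netgroup entries only ("\+@.*"); delete_select then
        # drops just those whose whole text is not in the allowed set, so
        # regular accounts are untouched and nothing is deleted when the
        # file already contains only allowed netgroups.
        "\+@.*"
            delete_select => not_an_allowed_netgroup;

    insert_lines:
        # insert_lines is convergent: a line already present is not re-added,
        # so this promise is kept (not repaired) once the file is correct.
        "$(lines)";
}

body delete_select not_an_allowed_netgroup {
    # Full-line regex match against the mapped list from the agent bundle.
    delete_if_not_match_from_list => { @(enforce_netgroups.wanted_regex) };
}
```

Because the delete promise only ever sees "+@" lines and the insert promise only adds lines that are absent, both promises are kept without any change on a converged host, which is what keeps the repair statistics clean. Note that delete_if_not_match_from_list compares whole lines, so "+@dba::::::" does not accidentally keep a "+@dbadmin::::::" entry the way a startwith filter on "+@dba" would.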

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine