Forum: Cfengine Help
Subject: We need +1 function, shadowexists() to complement userexists() and groupexists()
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,21315,21315#msg-21315
So, I'm adding users into /etc/passwd, /etc/group, and /etc/shadow. I'm using the provided functions from the cfengine_stlib.cf. From the standard library....

bundle edit_line append_users_starting(v)
# For adding to /etc/passwd or etc/shadow, needs
# an array v string => "line..."
{
vars:
  "index" slist => getindices("$(v)");
classes:
  "add_$(index)" not => userexists("$(index)");
insert_lines:
  "$($(v)[$(index)])", ifvarclass => "add_$(index)";
}

bundle edit_line append_groups_starting(v)
# For adding groups to /etc/group, needs
# an array v string => "line..."
{
vars:
  "index" slist => getindices("$(v)");
classes:
  "add_$(index)" not => groupexists("$(index)");
insert_lines:
  "$($(v)[$(index)])", ifvarclass => "add_$(index)";
}

So, these promises work because they "key" off of the userexists and groupexists functions. The userexists function states in the comments that it will work with /etc/shadow.... but really... it doesn't. userexists is checking for an entry in /etc/passwd. If the user exists in /etc/passwd, and there is no entry for the user in /etc/shadow, then this doesn't work... userexists isn't checking /etc/shadow, so the password entry doesn't get added. Anyways, here's my policy, semi-working... Instead of using append_users_starting to validate the /etc/shadow entries, I'm going to take some sort of different approach. Probably append_if_no_line()....
bundle agent manage_system_accounts
{
vars:
  # Arrays keyed by the account or group name; getindices() in the
  # edit_line bundles iterates over these keys and passes each one
  # to userexists()/groupexists()
  "users[user1]"  string => "user1:x:1001:1001:User 1:/export/home/user1:/bin/bash";
  "users[user2]"  string => "user2:x:1002:1002:User 2:/export/home/user2:/bin/ksh";
  "users[user3]"  string => "user3:x:1003:1003:User 3:/export/home/user3:/bin/ksh";

  "groups[user1]" string => "user1::1001:";
  "groups[user2]" string => "user2::1002:";
  "groups[user3]" string => "user3::1003:";
  "groups[user4]" string => "user4::1004:";
  "groups[user5]" string => "user5::1005:";

  "shadow[user1]" string => "user1:NP:6445::::::";
  "shadow[user2]" string => "user2:NP:6445::::::";
  "shadow[user3]" string => "user3:*LK*:::::::";

files:
  linux::
    "/etc/group"
      handle => "linux_app_groups_exist",
      perms => mog("0644","root","root"),
      edit_line => append_groups_starting("manage_system_accounts.groups"),
      classes => if_repaired("etc_group_modified");

  linux::
    "/etc/passwd"
      handle => "linux_app_users_exist",
      perms => mog("0644","root","root"),
      edit_line => append_users_starting("manage_system_accounts.users"),
      classes => if_repaired("etc_passwd_modified");

  linux::
    # append_users_starting keys off userexists(), which only looks at
    # /etc/passwd: once the account is there, add_<name> is never set and
    # the shadow line is not inserted
    "/etc/shadow"
      handle => "linux_app_shadow_exist",
      perms => mog("0400","root","root"),
      edit_line => append_users_starting("manage_system_accounts.shadow"),
      classes => if_repaired("etc_shadow_modified");

reports:
  etc_group_modified::
    "cf3: /etc/group was modified on $(sys.host)";
  etc_passwd_modified::
    "cf3: /etc/passwd was modified on $(sys.host)";
  etc_shadow_modified::
    "cf3: /etc/shadow was modified on $(sys.host)";
}

Here's the execution....
root@esv4-linux-test04 inputs]# /var/cfengine/bin/cf-agent -I -K -b manage_system_accounts
>> Using command line specified bundlesequence
 -> Edited file /etc/group
 -> Edited file /etc/passwd
R: cf3: /etc/group was modified on esv4-linux-test04.corp.linkedin.com
R: cf3: /etc/passwd was modified on esv4-linux-test04.corp.linkedin.com
# grep user1 /etc/passwd
user1:x:1001:1001:User 1:/export/home/user1:/bin/bash
# grep user1 /etc/group
user1::1001:
# grep user1 /etc/shadow
#

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
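The missing check the post asks for, as an added example that is not part of the original post or of CFEngine's standard library: a shadowexists()-style lookup in Python, plus a report of accounts that reached /etc/passwd without a matching /etc/shadow line (the state the grep output above shows). The passwd and shadow contents are constructed from the entries in the post; the root and olduser lines are made up.

```python
# Added example (not from the post or the CFEngine standard library):
# a shadowexists()-style check plus a passwd/shadow consistency report.
# The file contents below are constructed from the entries in the post.

# Constructed sample: state after the run in the post, where user1-user3
# reached /etc/passwd but only user2 already had a shadow entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001:User 1:/export/home/user1:/bin/bash
user2:x:1002:1002:User 2:/export/home/user2:/bin/ksh
user3:x:1003:1003:User 3:/export/home/user3:/bin/ksh
"""

SAMPLE_SHADOW = """\
root:*:15000:0:99999:7:::
user2:NP:6445::::::
olduser:*LK*:::::::
"""


def account_names(text, nfields):
    """Names (field 0) from passwd- or shadow-formatted text, skipping
    blank, commented and malformed lines. passwd entries have 7
    colon-separated fields, shadow entries have 9."""
    names = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            continue
        names.add(fields[0])
    return names


def shadowexists(name, shadow_text):
    """The check userexists() does not perform: does `name` have an entry
    in /etc/shadow (passed in here as text rather than read from disk)?"""
    return name in account_names(shadow_text, 9)


def shadow_report(passwd_text, shadow_text):
    """Accounts present in passwd but missing from shadow (the failure in
    the post) and shadow entries with no matching passwd account."""
    passwd_names = account_names(passwd_text, 7)
    shadow_names = account_names(shadow_text, 9)
    return {
        "missing_shadow": sorted(passwd_names - shadow_names),
        "orphan_shadow": sorted(shadow_names - passwd_names),
    }
```

On a real host the same functions take the contents of /etc/passwd and /etc/shadow read as root; a non-empty missing_shadow list is exactly the condition the post's policy silently left in place.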