Forum: Cfengine Help
Subject: Re: We need +1 function, shadowexists() to complement userexists() and groupexists()
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,21315,21317#msg-21317

Well, in cfengine's defense, if a user does not exist in /etc/shadow but has a 
non-crypt-string in the password field of passwd, then someone has broken the 
system somewhat intentionally (whether they meant to do so or not). :)

You're really attempting to do two things here.  You're attempting to ensure 
that specific users are defined on the system, and you're also attempting to 
validate that users who are defined are properly defined.  So, what you're 
really looking for isn't shadowexists(), but rather "is_user_valid()".  If you 
were to go to, say, an AIX system, you'd be checking /etc/security/passwd.  On 
a HP-UX system running in TCB mode, you'd want to check entries under /tcb/.  
Systems using LDAP or NIS or whatever would have new requirements. Essentially, 
shadowexists() wouldn't be particularly portable.

So, the general solution which would likely work a bit better would be to 
implement a method along the lines of "validate_user_account" which, given a 
username, checks to make sure that the user entries in each necessary location 
are correct.

In your case, where you are just concerned about Linux (and, apparently, one 
distribution), you already have the specific line which should be in each file. 
 So you could just read the shadow file into an array where the key is the 
username and the value is the actual line (or however you want to do that; the 
goal is to just read the file once).  Then, while you're iterating over your 
users, just do a string comparison to see if the line matches what you want the 
line to be; if it doesn't match, do a file edit to replace lines which match 
"$(username):.*" with your correct string.

Or, even simpler, just set a per-user class for each user you've added to 
passwd.  Then in your "manage_shadow" method, go over your list of users and, 
if the class "passwd_added_$(user)" is set, add the line to shadow.  But that's 
just adding users, not managing them. ;)

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
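The "validate_user_account" idea from the post above, written out as an added example in Python (it is not code from the post, the poster, or CFEngine, and it does not use the CFEngine policy language). It models the Linux-only case the post describes: read /etc/passwd and /etc/shadow once into a table keyed by username, check that each wanted user is present in passwd, defers to shadow ("x" in the password field), has a shadow entry whose hash field is a crypt(3) string or a recognised lock marker, and has exactly the shadow line we want; if not, replace whatever line matches "username:.*" in shadow. The file contents, usernames, hashes and the `WANTED_SHADOW` table are all constructed for the example; the function names (`index_by_user`, `validate_user_account`, `fix_shadow`, `reconcile`) are this example's own, and the choice to only rewrite shadow for users whose passwd entry actually points at shadow is an assumption of the example, not something the post specifies.

```python
"""Added example (not from the original post or from CFEngine): a small
model of "validate_user_account" for Linux passwd/shadow files."""
import re

# Constructed sample data standing in for /etc/passwd and /etc/shadow.
# Hashes are placeholders, not real password hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$saltsalt$hashhash:19000:0:99999:7:::
alice:$6$othersalt$otherhash:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
"""

# The exact shadow line we want for each managed user (constructed).
WANTED_SHADOW = {
    "alice": "alice:$6$othersalt$otherhash:19000:0:99999:7:::",
    "bob":   "bob:$6$bobsalt$bobhash:19000:0:99999:7:::",
    "carol": "carol:$6$carolsalt$carolhash:19000:0:99999:7:::",
}

# Hash fields we accept in shadow: a modular crypt(3) string such as $6$...,
# a traditional 13-character DES crypt string, or a lock/no-login marker.
CRYPT_RE = re.compile(r"^\$[0-9a-zA-Z]+\$.+$|^[./0-9A-Za-z]{13}$")
LOCKED = {"*", "!", "!!", "!*"}


def index_by_user(text):
    """Read a passwd- or shadow-style file once into {username: whole line}."""
    table = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            table[line.split(":", 1)[0]] = line
    return table


def validate_user_account(user, passwd, shadow, wanted_line):
    """Return a list of problems with `user`; an empty list means the user is
    in passwd, defers to shadow, and shadow holds exactly `wanted_line`."""
    problems = []
    pw_line = passwd.get(user)
    if pw_line is None:
        return ["missing from passwd"]
    pw_field = pw_line.split(":")[1]
    if pw_field != "x":
        # The post's point: a non-"x", non-crypt field here means someone
        # has bypassed shadow for this account, on purpose or not.
        problems.append("passwd password field is %r, not 'x'" % pw_field)
    sh_line = shadow.get(user)
    if sh_line is None:
        problems.append("missing from shadow")
        return problems
    sh_field = sh_line.split(":")[1]
    # A leading "!" is a lock prefix on an otherwise valid hash.
    if not (sh_field in LOCKED or CRYPT_RE.match(sh_field.lstrip("!"))):
        problems.append("shadow hash field is not a crypt string or lock marker")
    if sh_line != wanted_line:
        problems.append("shadow line differs from wanted line")
    return problems


def fix_shadow(shadow_text, user, wanted_line):
    """Replace every line matching '<user>:.*' with wanted_line (the edit the
    post suggests); append the line if the user had no entry at all."""
    pattern = re.compile(r"^" + re.escape(user) + r":.*$")
    out, replaced = [], False
    for line in shadow_text.splitlines():
        if pattern.match(line):
            out.append(wanted_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(wanted_line)
    return "\n".join(out) + "\n"


def reconcile(passwd_text, shadow_text, wanted):
    """Validate every wanted user and return (report, new_shadow_text).
    Assumption of this example: shadow is only rewritten for users whose
    passwd entry defers to shadow; others are just reported."""
    passwd = index_by_user(passwd_text)
    shadow = index_by_user(shadow_text)
    report = {u: validate_user_account(u, passwd, shadow, line)
              for u, line in wanted.items()}
    new_shadow = shadow_text
    for u, line in wanted.items():
        pw_line = passwd.get(u)
        if pw_line and pw_line.split(":")[1] == "x" and shadow.get(u) != line:
            new_shadow = fix_shadow(new_shadow, u, line)
    return report, new_shadow


if __name__ == "__main__":
    report, fixed = reconcile(SAMPLE_PASSWD, SAMPLE_SHADOW, WANTED_SHADOW)
    for user, problems in report.items():
        print(user, "->", problems or "ok")
    print(fixed)
```

In the sample data, alice validates cleanly, carol's shadow line is rewritten because it differs from the wanted one, and bob is only reported: his passwd field is "*" rather than "x", so adding a shadow line would not make the account consistent, which is the "broken somewhat intentionally" case the post mentions.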
