Forum: Cfengine Help
Subject: Re: We need +1 function, shadowexists() to complement userexists() and groupexists()
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,21315,21328#msg-21328

Right, but if the functions exist to modify /etc/passwd and /etc/group, then why not add /etc/shadow to the list? Everything you said is correct about the network authentication methods, but in most environments, there is a combination of local files + network services in use for authentication. Local application "headless" users usually keep account information on the box, so there isn't a constant swarm of network lookup traffic for normal application operation.

Such a "safety feature" looks completely wrong to me. There are a number of system users (such as mysql or www) which aren't intended to allow direct logins and so have something like "!!" or "*" instead of their passwords. Next, a system administrator may decide to temporarily block some user by putting a char in front of the crypted password. Finally, there can be a lot of different authentication mechanisms, including LDAP, RADIUS and private keys, and one could wish to disallow local passwords completely for most users.
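
An added example, not part of the original post and not CFEngine code: a Python illustration of the check a shadowexists() function would answer, extended to classify the password-field states the thread mentions ("!!", "*", a character in front of the crypted password). The file contents are constructed samples with placeholder hashes, and the function names are hypothetical.

```python
# Constructed sample data; the hash strings are placeholders, not real crypt output.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
www:x:48:48:web:/var/www:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""
SHADOW = """\
root:$6$SALT$HASHPLACEHOLDER:19000:0:99999:7:::
mysql:!!:19000::::::
www:*:19000::::::
alice:!$6$SALT$HASHPLACEHOLDER:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""

def parse(text):
    """Map the login name (first colon-separated field) to the full field list."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def password_state(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"              # no password required to authenticate
    if field in ("*", "!", "!!"):
        return "no-password-login"  # no hash stored at all (typical for system users)
    if field[0] in "!*":
        return "locked"             # hash kept, prefix stops it from ever matching
    return "hash"                   # a usable crypted password

def audit(passwd_text, shadow_text):
    """Return {user: state}; passwd users with no shadow line are 'missing'."""
    shadow = parse(shadow_text)
    report = {}
    for user in parse(passwd_text):
        entry = shadow.get(user)
        has_field = entry is not None and len(entry) > 1
        report[user] = password_state(entry[1]) if has_field else "missing"
    return report

if __name__ == "__main__":
    for user, state in audit(PASSWD, SHADOW).items():
        print(f"{user:8} {state}")
```

The "missing" and "empty" results are the ones worth alerting on; "no-password-login" and "locked" are the expected states for system users and temporarily blocked accounts.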