On 02/08/2012 08:17 AM, Marco Marongiu wrote:
> The sshd_config example is interesting, but I think it is not general
> enough. In fact, it will actually break if the configuration includes a
> "Match" conditional block.
>
> It would be definitely a double-plus for the book if it deals with such a
> situation, meaning: dealing with configuration files which could have
> "stanzas" a-la-sshd_config, and doing the right thing.
This might have what you're looking for, Marco; perhaps Diego can update
his sshd promise to include a location before Match.
--
Nick Anderson <[email protected]>
body common control {
    # cfengine_stdlib.cf supplies the value() and always() bodies used by
    # the edit_line bundles in this file.
    inputs => {
        "cfengine_stdlib.cf",
    };
    # Single entry point; main only delegates to the demonstration bundle.
    bundlesequence => {
        "main",
    };
}
bundle agent main {
    # Top-level bundle named in bundlesequence. It does nothing itself;
    # it hands off to the test bundle, which holds the sshd_config example.
    methods:
        # "any" is only the promiser label here; it does not restrict
        # when the method runs.
        "any" usebundle => test;
}
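bundle agent test {
    # Demonstration caller for the two Match-block editors in this file.
    # The managed file is /tmp/sshd_config, a scratch copy -- not a live
    # sshd configuration, so nothing here is picked up by a running sshd.
    vars:
        # One array per Match block. The index is the sshd_config keyword and
        # the value is written verbatim after it. sshd expands %u to the
        # user name; it also refuses a ChrootDirectory unless every path
        # component is root-owned and not writable by group or others
        # (see sshd_config(5)).
        "restricted_user_ssh[ChrootDirectory]" string => "/sftp-jail/%u";
        # internal-sftp runs the SFTP server inside sshd, which is what a
        # chroot needs: the jail holds no shell or sftp binary to exec.
        # This was "sftp", which would attempt to run a client binary that
        # is not in the chroot; it now matches the group variant below.
        "restricted_user_ssh[ForceCommand]"    string => "internal-sftp";

        "sftponly_group_ssh[ChrootDirectory]"  string => "/sftp-jail/%u";
        "sftponly_group_ssh[ForceCommand]"     string => "internal-sftp";

    files:
        # Per-user block: "Match User restricteduser".
        "/tmp/sshd_config"
            create    => "true",
            edit_line => set_config_values_sshd_match_user("restricteduser",
                                                           "test.restricted_user_ssh");

        # Per-group block: "Match Group sftponly".
        "/tmp/sshd_config"
            create    => "true",
            edit_line => set_config_values_sshd_match_group("sftponly",
                                                            "test.sftponly_group_ssh");
}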
bundle edit_line set_config_values_sshd_match_user(user, settings) {
# Ensure a "Match User $(user)" block exists in an sshd_config and that each
# key of the $(settings) array has exactly the given value inside that block.
# This bundle only manages settings that it is given, it does not remove
# extraneous settings in the section
#
# Params: user     - the account the Match block is for
#         settings - name of an array (e.g. "test.restricted_user_ssh") whose
#                    indices are sshd_config keywords and whose values are
#                    written verbatim after the keyword
#
# NOTE(review): $(user) and the array keys are interpolated into regexes
# unescaped; fine for ordinary account names and sshd keywords, but a value
# containing regex metacharacters would need quoting (e.g. \Q...\E).
# NOTE(review): set_config_values_sshd_match_group is the same code with
# "Group" for "User"; one bundle taking the criterion as a parameter would
# remove the duplication.
vars:
# Keywords to manage inside the block (the array's indices).
"settings_index" slist => getindices("$(settings)");
# Canonical form of the block header, and a class-name-safe version of it.
"line" string => "Match User $(user)";
"cline" string => canonify("$(line)");
replace_patterns:
# Rewrite an existing header for this user that differs only in spacing; the
# negative lookahead skips a header that is already canonical. always() sets
# the class whether or not a replacement actually happened.
"^(?!$(line))Match\s*User\s*$(user)$"
replace_with => value("Match User $(user)"),
comment => "Make sure there is consistency in form",
classes => always("replace_done_$(cline)");
insert_lines:
# Add the header if it is missing. With no location body the insert goes at
# the end of the file, so every directive before it stays global -- global
# settings must precede the first Match line in sshd_config.
# NOTE(review): edit_line promise types are evaluated in CFEngine's normal
# ordering (delete_lines, insert_lines, replace_patterns, ...), not in file
# order, so this guard may only see the class on a later pass of the agent
# -- confirm on the version in use.
"$(line)"
ifvarclass => "replace_done_$(cline)";
delete_lines:
# Drop any existing line for each managed keyword, but only inside this
# user's Match region, so the insert below is not blocked by a stale value.
# This is a prefix match: a keyword that is a prefix of another keyword would
# also remove the longer keyword's line.
"\s*$(settings_index).*"
select_region => sshd_config_match_user("$(user)");
insert_lines:
# Write " keyword value" into the region (end of the region by default, i.e.
# just before the next Match line). The leading space is cosmetic; sshd
# ignores leading whitespace before a keyword.
" $(settings_index) $($(this.settings)[$(this.settings_index)])",
select_region => sshd_config_match_user("$(user)");
}
bundle edit_line set_config_values_sshd_match_group(group, settings) {
# Ensure a "Match Group $(group)" block exists in an sshd_config and that each
# key of the $(settings) array has exactly the given value inside that block.
# This bundle only manages settings that it is given, it does not remove
# extraneous settings in the section
#
# Params: group    - the group the Match block is for
#         settings - name of an array (e.g. "test.sftponly_group_ssh") whose
#                    indices are sshd_config keywords and whose values are
#                    written verbatim after the keyword
#
# NOTE(review): $(group) and the array keys are interpolated into regexes
# unescaped; fine for ordinary group names and sshd keywords, but a value
# containing regex metacharacters would need quoting (e.g. \Q...\E).
# NOTE(review): set_config_values_sshd_match_user is the same code with
# "User" for "Group"; one bundle taking the criterion as a parameter would
# remove the duplication.
vars:
# Keywords to manage inside the block (the array's indices).
"settings_index" slist => getindices("$(settings)");
# Canonical form of the block header, and a class-name-safe version of it.
"line" string => "Match Group $(group)";
"cline" string => canonify("$(line)");
replace_patterns:
# Rewrite an existing header for this group that differs only in spacing; the
# negative lookahead skips a header that is already canonical. always() sets
# the class whether or not a replacement actually happened.
"^(?!$(line))Match\s*Group\s*$(group)$"
replace_with => value("Match Group $(group)"),
comment => "Make sure there is consistency in form",
classes => always("replace_done_$(cline)");
insert_lines:
# Add the header if it is missing. With no location body the insert goes at
# the end of the file, so every directive before it stays global -- global
# settings must precede the first Match line in sshd_config.
# NOTE(review): edit_line promise types are evaluated in CFEngine's normal
# ordering (delete_lines, insert_lines, replace_patterns, ...), not in file
# order, so this guard may only see the class on a later pass of the agent
# -- confirm on the version in use.
"$(line)"
ifvarclass => "replace_done_$(cline)";
delete_lines:
# Drop any existing line for each managed keyword, but only inside this
# group's Match region, so the insert below is not blocked by a stale value.
# This is a prefix match: a keyword that is a prefix of another keyword would
# also remove the longer keyword's line.
"\s*$(settings_index).*"
select_region => sshd_config_match_group("$(group)");
insert_lines:
# Write " keyword value" into the region (end of the region by default, i.e.
# just before the next Match line). The leading space is cosmetic; sshd
# ignores leading whitespace before a keyword.
" $(settings_index) $($(this.settings)[$(this.settings_index)])",
select_region => sshd_config_match_group("$(group)");
}
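body select_region sshd_config_match_user (x) {
    # Region covering the "Match User x" block: from that header line up to,
    # but not including, the next Match line. CFEngine anchors its regexes,
    # hence the trailing .* on the end pattern.
    #
    # The start pattern is the header form that set_config_values_sshd_match_user
    # writes, so a header with a comma list ("Match User a,b") or with extra
    # criteria on the same line is not selected.
    select_start => "^Match\s*User\s*$(x)";
    # sshd ignores leading whitespace before a keyword (the edit_line bundles
    # in this file rely on that for the indented settings lines), so an
    # indented "  Match ..." line also starts a new block and must close this
    # region. Without the \s* the region would run on into the next block and
    # this user's ChrootDirectory/ForceCommand would be written there.
    select_end => "^\s*Match\s.*";
    include_start_delimiter => "true";
    include_end_delimiter => "false";
    # NOTE(review): when this block is the last one in the file there is no
    # closing Match line; check how the agent version in use treats an
    # unmatched select_end (newer releases expose select_end_match_eof).
}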
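body select_region sshd_config_match_group (x) {
    # Region covering the "Match Group x" block: from that header line up to,
    # but not including, the next Match line. CFEngine anchors its regexes,
    # hence the trailing .* on the end pattern.
    #
    # The start pattern is the header form that set_config_values_sshd_match_group
    # writes, so a header with a comma list ("Match Group a,b") or with extra
    # criteria on the same line is not selected.
    select_start => "^Match\s*Group\s*$(x)";
    # sshd ignores leading whitespace before a keyword (the edit_line bundles
    # in this file rely on that for the indented settings lines), so an
    # indented "  Match ..." line also starts a new block and must close this
    # region. Without the \s* the region would run on into the next block and
    # this group's ChrootDirectory/ForceCommand would be written there.
    select_end => "^\s*Match\s.*";
    include_start_delimiter => "true";
    include_end_delimiter => "false";
    # NOTE(review): when this block is the last one in the file there is no
    # closing Match line; check how the agent version in use treats an
    # unmatched select_end (newer releases expose select_end_match_eof).
}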