On Nov 4, 9:23 am, Felix Frank <felix.fr...@alumni.tu-berlin.de>
wrote:
> On 11/04/2010 10:40 AM, Martin Alfke wrote:
> > I would assume that you can define a resource default:
>
> > User { ensure => absent }
>
> > and afterwards define the users you would like to be present on your system.
>
> Not at all. This default will apply to all users that you define in your
> manifest. So this
>
> user { [ "www-data","cron" ]: }
>
> will indeed ensure those users' absence,

Correct.

> but puppet has no concept of
> "remove resources I have not declared anywhere".

Incorrect.  See the discussion above of the "resources" meta-type.  It
can be used to purge unmanaged resources of any type.  In fact, that
seems currently to be its *sole* use.

I agree with several others' comments, however, that this is a problem
that should not arise.  It is rarely necessary to grant users
unfettered administrative rights to any system, and when such rights
are granted it is a bit silly to try to restrict them by the back
door.  A user with such access and an intent to do harm has so many
ways to go about it that you will never block them all.  Instead, give
users the means to perform only those administrative functions they
need to perform, taking care to protect against privilege escalation.

If a user really does need complete administrative access, then he is
a de facto sysadmin, and he should be saddled with all the
corresponding responsibilities.  If necessary, you can rope off his
computer in a DMZ, or otherwise protect the rest of your network from
it, but you cannot protect a computer from its own admin.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
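The two approaches discussed in this thread, side by side, as an added example manifest (not code from either poster or from the Puppet project). The user names `www-data` and `cron` are the ones from the quoted message; `alice` is a constructed placeholder. It assumes Puppet's built-in `user` type and the `resources` meta-type with its `purge` and `unless_system_user` parameters.

```puppet
# --- Approach 1: a resource default (Martin's suggestion) ---
# A default only changes the parameters of User resources that are
# actually declared in this catalog. Users that are never declared are
# not touched, so this does NOT remove "unknown" accounts.
User { ensure => absent }

# Because of the default above, both of these declared users are removed.
user { ['www-data', 'cron']: }

# --- Approach 2: the "resources" meta-type (what John refers to) ---
# purge => true removes every user that the catalog does not manage.
# unless_system_user => true skips accounts with a system UID (below the
# platform's threshold), so root, daemon and similar are left alone.
# Newer releases also accept unless_uid => [ ... ] to protect specific UIDs.
resources { 'user':
  purge              => true,
  unless_system_user => true,
}

# Every account that must survive the purge has to be declared. The
# explicit ensure overrides the resource default set at the top.
user { 'alice':
  ensure     => present,
  managehome => true,
}
```

Before applying a purging manifest to a real host, run it with `puppet apply --noop` and compare the reported removals against `puppet resource user`; with `purge => true`, any regular account you forgot to declare is deleted, which is the failure mode to check for.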
