On Mon, Apr 11, 2011 at 7:30 PM, hai wu <haiwu...@gmail.com> wrote:
> We need to manage /etc/passwd where there would be one line at the very end
> of the file to restrict access to all users not explicitly allowed:
>
> +::::::/sbin/nologin
>
> If using delete_lines and append_if_no_such_lines (similar to this one at
> http://www.debian-administration.org/articles/528) to manage access control,
> each time a few new users got appended to /etc/passwd file, the above line
> would be deleted and appended, for many times, while it only needs to be
> done once.
>
> Any better way to manage this file in terms of access control? Augeas is
> buggy and I filed a bug report on this already.
>
I just dealt with this in our puppet config -- I wrote a nis_modify_passwd
script that has a --checkonly flag (for the exec's onlyif condition), and a
--add function.

I used

    lckpwdf (3) - get shadow password file entry
    ulckpwdf (3) - get shadow password file entry

to lock the passwd file during the change -- and made sure not to edit the
passwd file in place -- I make a 2nd copy, then mv it into place to ensure it
works when out of disk space.

BUT.. after doing all of this, I later realized that in the nsswitch.conf,
'compat' mode for /etc/passwd sets the default for NIS to not allow anyone
unless explicitly added to the /etc/passwd. So another way to deal with this
is to change your nsswitch.conf to be 'compat' and not 'files nis'.

In other words, 'files nis' more or less does a #include of all NIS users, so
you have to add an explicit global /sbin/nologin to your passwd file -- but
'compat' allows you to hand pick which NIS users you want and defaults to
nologin.

Unfortunately, useradd doesn't seem to handle +users...

Rich
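As an added example (not Rich's nis_modify_passwd script and not part of the original thread), the script below implements the approach he describes: a --checkonly mode whose exit status can drive a Puppet exec's onlyif, a single idempotent fix that moves or appends the catch-all line exactly once without churning it on every run, the change written to a sibling temp file and renamed over the target so a full disk cannot leave a truncated passwd file, and the edit serialised with glibc's lckpwdf(3)/ulckpwdf(3) called through ctypes. Assumptions: the catch-all line is exactly `+::::::/sbin/nologin`, the path is a parameter defaulting to /etc/passwd, and `lock=False` exists only so the logic can be exercised on a scratch copy, since lckpwdf(3) creates /etc/.pwd.lock and therefore needs root.

```python
#!/usr/bin/env python3
"""Idempotently keep the NIS catch-all line last in a passwd-style file.

Added example for this thread; it is NOT the nis_modify_passwd script Rich
describes. Assumptions: the catch-all line is '+::::::/sbin/nologin', the
file path is a parameter (default /etc/passwd), and locking uses glibc's
lckpwdf(3)/ulckpwdf(3) via ctypes, which requires root.
"""
import ctypes
import os
import sys
import tempfile

CATCH_ALL = "+::::::/sbin/nologin"


def needs_change(lines, catch_all=CATCH_ALL):
    """True if the catch-all is missing, duplicated, or not the last line.

    nss_compat processes '+'/'-' lines in order, so the catch-all must be
    the final entry for any explicit '+user' lines above it to take effect.
    """
    entries = [l.rstrip("\n") for l in lines]
    return entries.count(catch_all) != 1 or entries[-1] != catch_all


def fixed_lines(lines, catch_all=CATCH_ALL):
    """Return the lines with exactly one catch-all entry, placed last.

    Every other line is kept in order, so users appended by other tooling
    are untouched and the catch-all is not deleted/re-added each run.
    """
    kept = [l for l in lines if l.rstrip("\n") != catch_all]
    if kept and not kept[-1].endswith("\n"):
        kept[-1] += "\n"
    return kept + [catch_all + "\n"]


def write_atomically(path, lines):
    """Write a sibling temp file, fsync it, then rename it over the target.

    Editing in place can leave a truncated passwd file when the disk is
    full; rename(2) either fully succeeds or leaves the old file intact.
    """
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(prefix=".passwd.",
                               dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.writelines(lines)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, st.st_mode & 0o7777)  # preserve the original mode
        tst = os.stat(tmp)
        if (tst.st_uid, tst.st_gid) != (st.st_uid, st.st_gid):
            os.chown(tmp, st.st_uid, st.st_gid)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


class PasswdLock:
    """Serialise against other passwd editors with lckpwdf(3)/ulckpwdf(3).

    Only root can take this lock (it creates /etc/.pwd.lock); enabled=False
    is for exercising the logic on a scratch file (assumption of this example).
    """

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.libc = ctypes.CDLL(None, use_errno=True) if enabled else None

    def __enter__(self):
        if self.enabled and self.libc.lckpwdf() != 0:
            raise OSError(ctypes.get_errno(), "lckpwdf(3) failed")
        return self

    def __exit__(self, *exc):
        if self.enabled:
            self.libc.ulckpwdf()
        return False


def ensure_catch_all(path="/etc/passwd", check_only=False, lock=True):
    """Return True if a change is needed (check_only) or was applied.

    Returns False when the file is already correct, so repeated runs are
    no-ops; with check_only nothing is ever written.
    """
    with PasswdLock(enabled=lock):
        with open(path) as f:
            lines = f.readlines()
        if not needs_change(lines):
            return False
        if not check_only:
            write_atomically(path, fixed_lines(lines))
        return True


if __name__ == "__main__":
    check = "--checkonly" in sys.argv
    changed = ensure_catch_all(check_only=check)
    # --checkonly exits 0 only when a change is needed, which is the sense
    # a Puppet exec's onlyif expects; a real run exits 0 on success.
    sys.exit((0 if changed else 1) if check else 0)
```

Wired into Puppet the way Rich describes, the exec's onlyif would run the script with --checkonly and the command itself would run it without, so the catch-all is rewritten only when it is actually missing or out of place. The script does not help with his second point: if nsswitch.conf is switched to 'compat', the catch-all line is only needed for NIS users you want visible but locked out, and any '+user' line you want to grant a real shell must sit above it.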