Next fun topic for today: our security folks want to change all the
/sbin/nologin and related shells to /dev/null. Augeas seems the perfect
tool for this, but I'm having a devil of a time getting close to something
that'll work:

augeas { 'fix-bad-passwd-shells':
     context => "/files/etc/passwd",
     changes => "set */shell[.='/sbin/nologin'] /dev/null",
     onlyif => "match */shell[.='/sbin/nologin'] size > 0",
}

I really wanted my onlyif to look more like:

     onlyif => "match */shell includes nologin"

to catch other variations (like /usr/sbin/nologin), but that didn't work at
all. Is there a way to make that work?

And this match works in augtool and when I run puppet, but the "set"
doesn't. It just doesn't do anything. I think I'm close -- any augeas
experts care to show me the error of my ways? This really feels like black
magic.


Bret

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/ca56fd84-1395-49e7-a547-efbbaf47dae4%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


  • David Lutterkort at Nov 14, 2013 at 3:25 pm

    On Wednesday, November 13, 2013 11:23:15 AM UTC-8, Bret Wortman wrote:
    Next fun topic for today: our security folks want to change all the
    /sbin/nologin and related shells to /dev/null. Augeas seems the perfect
    tool for this, but I'm having a devil of a time getting close to something
    that'll work:

    augeas { 'fix-bad-passwd-shells':
         context => "/files/etc/passwd",
         changes => "set */shell[.='/sbin/nologin'] /dev/null",
         onlyif => "match */shell[.='/sbin/nologin'] size > 0",
    }
    The problem is that set will only change a single node, and barf if you
    give it an expression that matches multiple nodes. What you need is setm:

    augeas { 'fix-bad-passwd-shells':
         context => "/files/etc/passwd",
         changes => "setm */shell[.='/sbin/nologin'] . /dev/null",
         onlyif => "match */shell[.='/sbin/nologin'] size > 0",
    }


    I really wanted my onlyif to look more like:

    onlyif => "match */shell includes nologin"
    You shouldn't really need the onlyif at all - Augeas is smart enough to not
    do anything when your setm didn't result in any changes (and IIRC the
    Puppet Augeas type has the same kind of smarts)

    to catch other variations (like /usr/sbin/nologin), but that didn't work
    at all. Is there a way to make that work?
    You can also select nodes by doing a regexp match against their content;
    the following should work:

      match */shell[. =~ regexp('.*/nologin$')]

    David

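    The two suggestions above (setm instead of set, and a regexp match instead of an exact string) can be combined into a single Augeas path expression. The script below is an added example, not code from the thread, Puppet or Augeas: it rehearses that exact setm against a constructed passwd file under a throwaway root directory, so the real /etc/passwd is never touched, and falls back to a sed rewrite of the seventh field when augtool is not installed (the sed script is what the poster described distributing). The sample passwd lines, the temporary directory layout and the helper names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Rewrites every nologin-style shell in a
# passwd file to /dev/null. Assumes: a scratch root containing etc/passwd, and
# that only the seventh (shell) field is ever rewritten.
set -eu

# Constructed sample /etc/passwd: both nologin variants plus two real shells
# that must be left alone.
make_fixture() {
    root="$1"
    mkdir -p "$root/etc"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
EOF
    cp "$root/etc/passwd" "$root/etc/passwd.orig"
}

# The Augeas path expression: every shell node under /files/etc/passwd whose
# value matches the regexp. Augeas regexps must match the entire value, so the
# pattern needs no trailing '$' anchor.
NOLOGIN_SHELLS="/files/etc/passwd/*/shell[. =~ regexp('.*/nologin')]"

# Apply the change with augtool. --root points Augeas at the scratch tree, so
# /files/etc/passwd resolves to "$root/etc/passwd". setm with '.' as SUB sets
# the value of every node matched by BASE; plain 'set' would refuse a path
# that matches more than one node.
fix_with_augtool() {
    root="$1"
    augtool --root "$root" <<EOF
setm $NOLOGIN_SHELLS . /dev/null
save
EOF
}

# Fallback without Augeas: the same rewrite as a sed script. The group
# consumes the first six colon-terminated fields; the shell field is replaced
# only when it ends in /nologin.
fix_with_sed() {
    f="$1/etc/passwd"
    sed -E 's#^(([^:]*:){6})[^:]*/nologin$#\1/dev/null#' "$f" > "$f.new"
    mv "$f.new" "$f"
}

fix_shells() {
    if command -v augtool >/dev/null 2>&1; then
        fix_with_augtool "$1"
    else
        fix_with_sed "$1"
    fi
}

# Number of entries still using a nologin-style shell (0 once fixed).
count_nologin() {
    grep -c '/nologin$' "$1/etc/passwd" || true
}

# Number of entries whose shell is now /dev/null.
count_devnull() {
    grep -c ':/dev/null$' "$1/etc/passwd" || true
}

# Stand-alone demo: build the fixture, fix it, show the diff.
demo() {
    scratch=$(mktemp -d)
    make_fixture "$scratch"
    echo "before: $(count_nologin "$scratch") nologin shell(s)"
    fix_shells "$scratch"
    echo "after:  $(count_nologin "$scratch") nologin shell(s)"
    diff "$scratch/etc/passwd.orig" "$scratch/etc/passwd" || true
    rm -rf "$scratch"
}

demo
```

Rehearsing with --root (or with augtool -n, which writes changes to a .augnew file beside the original) is the safest way to confirm that the path expression matches exactly the nodes you expect before putting it into a Puppet resource. One caveat when choosing /dev/null over nologin: it is not an executable and is not listed in /etc/shells, so users who hit it get a bare login failure rather than nologin's message, and tools that consult /etc/shells will treat the account as having an invalid shell.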
  • Bret Wortman at Nov 14, 2013 at 3:33 pm
    You know what's sad? I looked at setm when I was poking around with
    augtool, but didn't see any examples using Puppet so I never circled back
    to it.

    I ended up writing a shell script with a sed script inside, distributing
    that using file and then executing it via an exec in refreshonly mode. I'll
    give this a second try shortly, though.

    Thanks!




    *Bret Wortman*
    http://about.me/wortmanbret

Discussion Overview
group: puppet-users
categories: puppet
posted: Nov 13, '13 at 7:23p
active: Nov 14, '13 at 3:33p
posts: 3
users: 2
website: puppetlabs.com

2 users in discussion
Bret Wortman: 2 posts, David Lutterkort: 1 post
