Managing account shells with augeas


Bret Wortman

Nov 13, 2013, 2:23:15 PM
to puppet...@googlegroups.com
Next fun topic for today: our security folks want to change all the /sbin/nologin and related shells to /dev/null. Augeas seems the perfect tool for this, but I'm having a devil of a time getting close to something that'll work:

augeas { 'fix-bad-passwd-shells':
    context => "/files/etc/passwd",
    changes => "set */shell[.='/sbin/nologin'] /dev/null",
    onlyif => "match */shell[.='/sbin/nologin'] size > 0",
}

I really wanted my onlyif to look more like:

    onlyif => "match */shell includes nologin"

to catch other variations (like /usr/sbin/nologin), but that didn't work at all. Is there a way to make that work?

And this match works in augtool and when I run puppet, but the "set" doesn't. It just doesn't do anything. I think I'm close -- any augeas experts care to show me the error of my ways? This really feels like black magic.


Bret

David Lutterkort

Nov 13, 2013, 2:47:48 PM
to puppet...@googlegroups.com
On Wednesday, November 13, 2013 11:23:15 AM UTC-8, Bret Wortman wrote:
Next fun topic for today: our security folks want to change all the /sbin/nologin and related shells to /dev/null. Augeas seems the perfect tool for this, but I'm having a devil of a time getting close to something that'll work:

augeas { 'fix-bad-passwd-shells':
    context => "/files/etc/passwd",
    changes => "set */shell[.='/sbin/nologin'] /dev/null",
    onlyif => "match */shell[.='/sbin/nologin'] size > 0",
}

The problem is that set will only change a single node, and barf if you give it an expression that matches multiple nodes. What you need is setm:


augeas { 'fix-bad-passwd-shells':
    context => "/files/etc/passwd",
    changes => "setm */shell[.='/sbin/nologin'] . /dev/null",
    onlyif => "match */shell[.='/sbin/nologin'] size > 0",
}

 
I really wanted my onlyif to look more like:

    onlyif => "match */shell includes nologin"

You shouldn't really need the onlyif at all - Augeas is smart enough to not do anything when your setm didn't result in any changes (and IIRC the Puppet Augeas type has the same kind of smarts).
 
to catch other variations (like /usr/sbin/nologin), but that didn't work at all. Is there a way to make that work?

You can also select nodes by doing a regexp match against their content; the following should work:

 match */shell[. =~ regexp('.*/nologin$')]

David
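Putting the two suggestions above together (setm instead of set, and a regexp match so every nologin variant is caught in one pass), here is an added example of the complete resource. It is not code from the thread; it assumes the stock Passwd lens and that every shell ending in /nologin, whatever its directory, should become /dev/null, and the onlyif is kept only so the resource reports cleanly in a noop run.

```puppet
# Added example, not from the original thread.
# Assumes the Passwd lens ships with the Augeas install and that
# /sbin/nologin, /usr/sbin/nologin and any other ".../nologin"
# shell should all become /dev/null.
augeas { 'fix-bad-passwd-shells':
  context => '/files/etc/passwd',
  lens    => 'Passwd.lns',
  incl    => '/etc/passwd',
  # setm walks every node matched by the first argument; '.' says
  # the value of the matched node itself is what gets set.
  changes => [
    "setm */shell[. =~ regexp('.*/nologin$')] . /dev/null",
  ],
  # Optional: setm is already a no-op when nothing matches, but the
  # guard keeps "puppet agent --noop" output honest about pending work.
  onlyif  => "match */shell[. =~ regexp('.*/nologin$')] size > 0",
}
```

Before rolling this out, the same path expression can be checked read-only in augtool with `match /files/etc/passwd/*/shell[. =~ regexp('.*/nologin$')]`, which lists exactly the accounts the setm will touch; reviewing that list against the expected service accounts is the check a practitioner wants, since anything that previously ran with a working shell and now gets /dev/null will fail at login and in cron or su invocations.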

Bret Wortman

Nov 14, 2013, 10:33:25 AM
to puppet...@googlegroups.com
You know what's sad? I looked at setm when I was poking around with augtool, but didn't see any examples using Puppet so I never circled back to it.

I ended up writing a shell script with a sed script inside, distributing that using file and then executing it via an exec in refreshonly mode. I'll give this a second try shortly, though.

Thanks!
