removing "minimum_uid=1000" value from all my pam config files


Peter K
30 Mar 2017, 13:58:46
to Puppet Users
I'm trying to remove a specific configuration value, "minimum_uid=1000", from multiple lines in several files (currently 5 files) in /etc/pam.d/.
A typical line looks like this:
auth     [success=1 default=ignore]      pam_ldap.so use_first_pass minimum_uid=1000

I've tried exec and sed, but I couldn't figure out the necessary escaping to get the filename variable to parse (here I test with 'abc'):
define removeMinimumUID(){
    exec { '$filename':
      command => "/usr/bin/sed -i \'s|abc|cab|g\' $filename",
      onlyif => '/usr/bin/test -e $filename',
      refresh => '/usr/bin/true',
      provider => 'posix',
      logoutput => on_failure,
    }
}

RemoveMinimumUID { "/mnt/NY_Interactive/dev/peter/puppet/abc.txt": }

Error:
Executing: '/usr/bin/sed -i 's|abc|cab|g' '
Notice: /Stage[main]/Main/Removeminimumuid[/mnt/NY_Interactive/dev/peter/puppet/abc.txt]/Exec[$filename]/returns: /usr/bin/sed: no input files

If I substitute the fully qualified filename with the filename variable on the 'command' parameter line, the script runs fine.



Then I tried stdlib's file_line but I couldn't figure out how to replace a substring without identifying the entire replacement string:

file { '/home/peter/dev/puppet/abc.txt':
  ensure => present,
}
-> file_line { 'Append a line to /home/peter/dev/puppet/abc.txt':
  path     => '/home/peter/dev/puppet/abc.txt',
  line     => 'cab',
  multiple => true,
  match    => "abc$",
}


I'm currently looking at augeas but no luck yet.

Suggestions?
thx...


jcbollinger
31 Mar 2017, 9:04:25
to Puppet Users


On Thursday, March 30, 2017 at 12:58:46 PM UTC-5, Peter K wrote:
I've tried exec and sed, but I couldn't figure out the necessary escaping to get the filename variable to parse (here I test with 'abc'):

define removeMinimumUID(){
    exec { '$filename':
      command => "/usr/bin/sed -i \'s|abc|cab|g\' $filename",
      onlyif => '/usr/bin/test -e $filename',
      refresh => '/usr/bin/true',
      provider => 'posix',
      logoutput => on_failure,
    }
}

RemoveMinimumUID { "/mnt/NY_Interactive/dev/peter/puppet/abc.txt": }

Error:
Executing: '/usr/bin/sed -i 's|abc|cab|g' '
Notice: /Stage[main]/Main/Removeminimumuid[/mnt/NY_Interactive/dev/peter/puppet/abc.txt]/Exec[$filename]/returns: /usr/bin/sed: no input files


This is only incidentally an escaping problem.  The main issue is that the defined type you present uses a variable $filename from the local scope, but you do not define any such variable in the local scope.  Therefore, when evaluated as a variable reference, $filename expands to nothing.  You can in fact see that in the command string that the exec reports itself to be using.  It looks like you meant to use $title instead, or perhaps to define $filename = $title.

Having fixed that, your Exec resource ought to work despite the quoting / escaping problem associated with its title.  For the record, however, you can solve that minor issue by changing the single quotes to double quotes ("$filename") or by omitting them altogether.  Personally, though, since you're not using the command itself as the title, I would provide a more descriptive title, something like

exec { "remove minimum UID in $filename":
  # ...
}


John
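The defined type from the question with the scoping bug John describes fixed, as an added example that is not code from the thread. The file to edit is taken from $title, the exec gets a descriptive double-quoted title so that ${file} interpolates, and the onlyif guard is changed from "does the file exist" to "does the file still contain the old value", which makes the exec idempotent. The type name, the path list and the Debian common-* file names are assumptions for illustration; it assumes Puppet 4 or later (typed parameters) and GNU sed, whose -i takes no argument.

```puppet
# Added example, not code from the thread. Type name and file list are
# illustrative. Assumes Puppet 4+ and GNU sed.
define pam_minimum_uid::replace (
  String $file      = $title,
  String $pattern   = 'minimum_uid=1000',
  String $newstring = 'minimum_uid=400',
) {
  # $pattern is interpolated into a sed regex and both it and the file name
  # are single-quoted for the shell, so neither may contain a single quote
  # or the | delimiter. That holds for the values used in this thread.
  exec { "replace ${pattern} with ${newstring} in ${file}":
    command   => "sed -i 's|${pattern}|${newstring}|g' '${file}'",
    # Run only while the old value is still present: once the files are
    # fixed, a Puppet run reports no change, and a missing file (grep
    # exits 2) is skipped instead of failing the run.
    onlyif    => "grep -q -- '${pattern}' '${file}'",
    path      => ['/bin', '/usr/bin'],
    provider  => 'posix',
    logoutput => on_failure,
  }
}

# One resource per service file. The array title declares them all in one
# statement; the common-* names are the Debian pam-auth-update files and
# are only an example list.
pam_minimum_uid::replace { [
  '/etc/pam.d/common-auth',
  '/etc/pam.d/common-account',
  '/etc/pam.d/common-password',
  '/etc/pam.d/common-session',
]: }
```

With the grep guard, `puppet agent --noop` shows exactly which files still carry the old value, and a converged host produces no "executed successfully" notices on every run, which is the usual symptom of an exec that lacks an onlyif/unless tied to the change it makes.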

John Gelnaw
31 Mar 2017, 10:56:33
to Puppet Users
Check your quotes-- you can't interpolate a variable within single quotes. 

Personally, I went a bit more brute-force:

exec { '/usr/bin/sed -i -e s/uid=1000/uid=900/ *':
  cwd         => '/etc/pam.d',
  subscribe   => File['/etc/krb5.conf'],
  refreshonly => true,
}

But getting rid of minimum UID completely might have unexpected behavior-- do you really want to manage your root password via PAM_LDAP?

Peter K
4 Apr 2017, 11:24:36
to Puppet Users
@jcbollinger:
Thank you so much. Sometimes when you've been looking at code a while you just can't see the obvious. I started with code you created in another post and finished it with your help. Here's the finished code:
class replacepattern {
  define replace ($file, $pattern, $newstring) {
    exec { "replace pattern with newstring in ${file}":
      command   => "sed -i 's|${pattern}|${newstring}|g' '${file}'",
      onlyif    => "test -e ${file}",
      refresh   => 'true',
      provider  => 'posix',
      logoutput => false,
    }
  }
}
and in site.pp:
include ::replacepattern

::replacepattern::replace { 'common-auth':
  file      => '/etc/pam.d/common-auth',
  pattern   => 'minimum_uid=1000',
  newstring => 'minimum_uid=400',
}

@John Gelnaw:
My manager and I took your advice and changed our strategy to replacing the minimum with 400 (OSX starts at 500).
And I really like your code but I can't figure out a file to subscribe to. I might just have to create one.

Peter K
4 Apr 2017, 13:28:38
to Puppet Users
Oh, yeah, and this goes into the site.pp:
### This helps with exec resources (like replacepattern) so you don't need
### to specify binary paths for Debian/Red Hat
Exec { path => '/bin/:/sbin/:/usr/bin/:/usr/sbin/' }

Garrett Honeycutt
4 Apr 2017, 15:39:12
to puppet...@googlegroups.com
On 3/30/17 1:58 PM, Peter K wrote:
> I'm trying to remove a specific configuration value, "minimum_uid=1000",
> from multiple lines in several files (currently 5 files) in /etc/pam.d/.
> A typical line looks like this:
>
> auth     [success=1 default=ignore]      pam_ldap.so use_first_pass minimum_uid=1000
>
> I've tried exec and sed, but I couldn't figure out the necessary
> escaping to get the filename variable to parse (here I test with 'abc'):
>
> define removeMinimumUID(){
>     exec { '$filename':
>       command => "/usr/bin/sed -i \'s|abc|cab|g\' $filename",
>       onlyif => '/usr/bin/test -e $filename',
>       refresh => '/usr/bin/true',
>       provider => 'posix',
>       logoutput => on_failure,
>     }
> }
>
> RemoveMinimumUID { "/mnt/NY_Interactive/dev/peter/puppet/abc.txt": }
>
> Error:
> Executing: '/usr/bin/sed -i 's|abc|cab|g' '
> Notice:
> /Stage[main]/Main/Removeminimumuid[/mnt/NY_Interactive/dev/peter/puppet/abc.txt]/Exec[$filename]/returns:
> /usr/bin/sed: no input files
>
> If I substitute the fully qualified filename with the filename variable
> on the 'command' parameter line, the script runs fine.
>
> Then I tried stdlib's file_line but I couldn't figure out how to replace
> a substring without identifying the entire replacement string:
>
> file { '/home/peter/dev/puppet/abc.txt':
>   ensure => present,
> }
> -> file_line { 'Append a line to /home/peter/dev/puppet/abc.txt':
>   path     => '/home/peter/dev/puppet/abc.txt',
>   line     => 'cab',
>   multiple => true,
>   match    => "abc$",
> }
>
> I'm currently looking at augeas but no luck yet.
>
> Suggestions?
> thx...
>

Hi Peter,

The Puppet approach would be to specify the end state as opposed to
running sed against a file. The sed approach will ensure you removed a
specific line, though it does not ensure the content of the entire file.
This is especially important with PAM to ensure it is configured correctly.

Check out my Puppet Approved pam module[1] where you can specify what
lines should be in your pam configs.

[1] - https://forge.puppet.com/ghoneycutt/pam

Best regards,
-g


--
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
Mobile: +1.206.414.8658

Peter K
6 Apr 2017, 12:23:31
to Puppet Users
Garrett,
I'd like to use a puppet module for an idempotent approach to establishing these config files...but I need to fix *just* these specific settings instead of learning pam well enough to configure a pam module.
For lack of expertise, I'm leaning heavily on the default config files to be correct and I'm wary of hardcoding them into a puppet configuration that might not get updated when my pam packages get updated.

Of course I may not understand your module well enough...maybe it would provide the defaults I need. Maybe there's a way to only adjust the maximum uid of system users.
I'd really like to see more examples of how to use it.
thx,
-peter
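A way to get Garrett's "specify the end state" without hand-maintaining whole PAM files, as an added example that is neither code from the thread nor from the ghoneycutt/pam module: an augeas resource that edits the pam_ldap.so argument through the Augeas Pam lens. The lens parses each line of /etc/pam.d/<service> into a numbered entry with type, control, module and argument[n] nodes, so the change targets the argument itself rather than a text pattern, and the rest of the packaged file stays untouched. It also answers the file_line dead end above: file_line replaces the whole matched line, so its line value has to be the complete desired line, whereas augeas addresses only the one argument. The type name and the service list are assumptions for illustration; it assumes Puppet 4 or later with the augeas-lenses package present.

```puppet
# Added example, not code from the thread or from ghoneycutt/pam. Type name
# and service list are illustrative. Assumes Puppet 4+ and augeas-lenses.
define pam_minimum_uid::argument (
  String $service = $title,
  String $old     = 'minimum_uid=1000',
  String $new     = 'minimum_uid=400',
) {
  augeas { "pam_ldap argument ${old} becomes ${new} in ${service}":
    # Load only this file with the Pam lens; much faster than letting
    # Augeas parse every file it knows about on each run.
    lens    => 'Pam.lns',
    incl    => "/etc/pam.d/${service}",
    context => "/files/etc/pam.d/${service}",
    # setm edits every matching node at once. A plain 'set' would refuse
    # to run when more than one line of the file carries the argument,
    # which is exactly the multi-line case in the question.
    changes => "setm *[module='pam_ldap.so'] argument[.='${old}'] ${new}",
    # Skip the resource once no such argument is left, so a converged run
    # reports no change and the file is never rewritten needlessly.
    onlyif  => "match *[module='pam_ldap.so']/argument[.='${old}'] size > 0",
  }
}

# One resource per service file; the common-* names are the Debian
# pam-auth-update files and serve only as an example list.
pam_minimum_uid::argument { [
  'common-auth',
  'common-account',
  'common-password',
  'common-session',
]: }
```

To see the tree the predicates address before trusting the resource, run `augtool print /files/etc/pam.d/common-auth` on a target host: each `argument[n]` node under an entry whose `module` is `pam_ldap.so` is what setm rewrites. Because the Pam lens refuses to write a file it cannot parse back, a malformed edit fails the resource instead of leaving a half-written pam.d file, which is the property sed -i cannot give you on files that decide who may log in.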