augeas modify pam.d argument by relative position


Tim Mooney

Aug 5, 2011, 4:01:30 PM
to puppet...@googlegroups.com

All-

I've been using puppet (now 2.6.9) and augeas (now 0.7.2 + ruby-augeas 0.3.0)
for a few weeks and I'm a convert.

I'm trying to modify a particular argument to a particular entry in
the RHEL 6.1 /etc/pam.d/password-auth-ac file, and although I've come
up with a way that "works", it's fragile. I'm hoping someone can suggest
a better way.

First, the line in question in /etc/pam.d/password-auth-ac is

auth requisite pam_succeed_if.so uid >= 500 quiet

It's the third line in the "auth" section of that file. The problem
is that we have a few old-timers that have uids in the range 101-499, and
this line causes them problems on login via things like sshd.

In the past we would have scripted something in perl in our kickstart
%post script to switch that particular "500" to be "100".

Using this excellent past thread as a guide:

http://groups.google.com/group/puppet-users/browse_thread/thread/ab96038a5658ec98/cb0c0beb8cd5418b?lnk=gst&q=augeas+%2Bpam#cb0c0beb8cd5418b

I can match the line in question in augtool with:

print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]
/files/etc/pam.d/password-auth-ac/3
/files/etc/pam.d/password-auth-ac/3/type = "auth"
/files/etc/pam.d/password-auth-ac/3/control = "requisite"
/files/etc/pam.d/password-auth-ac/3/module = "pam_succeed_if.so"
/files/etc/pam.d/password-auth-ac/3/argument[1] = "uid"
/files/etc/pam.d/password-auth-ac/3/argument[2] = ">="
/files/etc/pam.d/password-auth-ac/3/argument[3] = "500"
/files/etc/pam.d/password-auth-ac/3/argument[4] = "quiet"


The problem is that 'uid', '>=', and '500' are all separate arguments.
I can get puppet to apply my modification if I use an entry like this:

#
# RHEL 6 has a new PAM file that needs to have the uid for "special
# users" adjusted down from 500 to 100.
#
augeas { "pam.d/password-auth-ac_uidfix":
  context => '/files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]',
  changes => [
    "set argument[3] 100",
  ],
  onlyif  => 'get argument[3] == "500"',
}


But that only works if argument[1]="uid", argument[2]=">=", and
argument[3]="500". Ideally, my rule would find the position of "uid" in
the line, and then match only if position() + 2 = "500". I've tried
things like:

print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"][argument[position()] = "uid"]

within augtool and that much works, but as soon as I try something like:

print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"][argument[position()] = "uid"][argument[position() + 1] = ">="]

it fails to match.

Anyone have an idea how I can rewrite things so that the match isn't
dependent on the exact current order of arguments, and instead matches
relative to the position of a previous argument (uid) or pair of arguments
(uid and >=)?

Any thoughts appreciated,

Tim
--
Tim Mooney Tim.M...@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

Hean-Seng Tan

Apr 10, 2018, 4:24:26 AM
to Puppet Users
Try this:
print /files/etc/pam.d/password-auth-ac/*[type = "auth"][module = "pam_succeed_if.so"]/argument[preceding-sibling::argument[. = "uid"]][2]
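The following is an added worked example, not code from either post and not part of Augeas or Puppet. It reproduces, in plain Python so it runs without augtool or ruby-augeas installed, both approaches the thread compares: the original post's check pinned to an absolute index (argument[3] == "500") and the reply's lookup relative to the "uid" argument (the second argument following "uid", which is what the preceding-sibling expression selects). The pam.d text and the reordered variant are constructed samples, and the function names are the example's own. The parser mirrors the fields the Augeas pam lens exposes (type, control, module, argument list); edited lines are re-serialised with single spaces, whereas Augeas would preserve the original alignment.

```python
import re

# Constructed sample resembling the RHEL 6 password-auth-ac "auth" stack
# (not copied from a real host; only the pam_succeed_if line matters here).
SAMPLE_PAM = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
"""

# Same rule with the arguments reordered (constructed): argument[3] is now ">=",
# so a check pinned to argument[3] == "500" misses it, but a "uid"-relative
# lookup still finds the threshold.
REORDERED_PAM = "auth requisite pam_succeed_if.so quiet uid >= 500\n"

# type, control (plain word or a bracketed [success=1 default=ignore] form),
# module, then whitespace-separated arguments.
_ENTRY = re.compile(
    r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text):
    """Parse pam.d text into dicts with the fields the Augeas pam lens exposes.
    Every line keeps its raw form; comment and blank lines carry only that, so
    the file can be written back unchanged apart from edited entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        entry = {"raw": raw}
        m = _ENTRY.match(line) if line and not line.startswith("#") else None
        if m:
            entry.update(type=m.group("type"), control=m.group("control"),
                         module=m.group("module"), argument=m.group("args").split())
        entries.append(entry)
    return entries


def relative_index(args, anchor, offset):
    """Index of the argument `offset` places after the first `anchor`, or None.
    relative_index(args, "uid", 2) plays the role of the reply's
    argument[preceding-sibling::argument[. = "uid"]][2]."""
    if anchor not in args:
        return None
    i = args.index(anchor) + offset
    return i if 0 <= i < len(args) else None


def absolute_matches(args, position, value):
    """The position-pinned check from the original post: argument[N] == value
    (1-based like Augeas). Breaks as soon as the arguments are reordered."""
    return len(args) >= position and args[position - 1] == value


def fix_uid_floor(text, old="500", new="100"):
    """Rewrite 'uid >= OLD' to 'uid >= NEW' on auth/pam_succeed_if.so lines,
    locating the operator and operand relative to 'uid' rather than by absolute
    position. Returns (new_text, lines_changed); a second run changes nothing,
    which is the idempotency the post's onlyif guard provided."""
    out = []
    changed = 0
    for e in parse_pam(text):
        if "type" not in e:
            out.append(e["raw"])
            continue
        args = e["argument"]
        if e["type"] == "auth" and e["module"] == "pam_succeed_if.so":
            op = relative_index(args, "uid", 1)
            val = relative_index(args, "uid", 2)
            if op is not None and val is not None and args[op] == ">=" and args[val] == old:
                args[val] = new
                changed += 1
                # Only a changed line is rebuilt (single-space separated).
                out.append(" ".join([e["type"], e["control"], e["module"]] + args))
                continue
        out.append(e["raw"])
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed


if __name__ == "__main__":
    fixed, n = fix_uid_floor(SAMPLE_PAM)
    print(f"{n} line(s) changed:\n{fixed}")
    print(f"second run changes {fix_uid_floor(fixed)[1]} line(s)")
    print(fix_uid_floor(REORDERED_PAM)[0])
```

Run it once and the pam_succeed_if line becomes `uid >= 100 quiet`; run it again and nothing changes. The reordered sample shows why the relative lookup matters: `absolute_matches(..., 3, "500")` is false there, yet `fix_uid_floor` still finds and rewrites the threshold because it walks two arguments past "uid".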