Hi David,

On Fri, 2009-06-05 at 12:22 +0100, David Robinson wrote:
> I'm trying to use augeas to setup pam_tally, but have run into a few problems.
> 
> I'm doing this (there's 14 entries in the file, 15 adds a new one):
> 
> set /files/etc/pam.d/system-auth/15/type auth
> set /files/etc/pam.d/system-auth/15/control required
> set /files/etc/pam.d/system-auth/15/module pam_tally.so
> set /files/etc/pam.d/system-auth/15/argument[1] onerr=fail
> set /files/etc/pam.d/system-auth/15/argument[2] deny=6
> set /files/etc/pam.d/system-auth/15/argument[3] unlock_time=300
> save
> 
> Which gives:
> 
> --- system-auth.augsave       2009-05-20 13:49:53.000000000 +0000
> +++ system-auth       2009-06-05 11:15:45.000000000 +0000
> @@ -18,3 +18,4 @@
>  session     required      pam_limits.so
>  session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
>  session     required      pam_unix.so
> +auth required        pam_tally.so    onerr=fail      deny=6  unlock_time=300
> 
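Review bot: the added `auth` line lands below the `session` entries at the very end of the file, and its fields are spaced differently from the aligned columns of the lines around it. PAM evaluates the entries of one type in their order relative to each other, so the rule still joins the auth stack, but an auth rule sitting under the session block is easy to overlook when someone audits the lockout settings. Move it up into the auth block and match the existing column layout.
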
> But I want the line to appear with all the other auth stuff, eg:
> 
> --- system-auth.augsave       2009-05-20 13:49:53.000000000 +0000
> +++ system-auth.correct       2009-06-05 11:32:55.000000000 +0000
> @@ -5,6 +5,7 @@
>  auth        sufficient    pam_unix.so nullok try_first_pass
>  auth        requisite     pam_succeed_if.so uid >= 500 quiet
>  auth        required      pam_deny.so
> +auth        required      pam_tally.so onerr=fail deny=6 unlock_time=300
> 
>  account     required      pam_unix.so
>  account     sufficient    pam_succeed_if.so uid < 500 quiet
> 
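Review bot: the new `pam_tally.so` rule at the end of the auth block comes after `auth sufficient pam_unix.so`, so when pam_unix.so accepts the password (and no earlier required module has failed) the auth stack returns success at that line and the `deny=6` check is never evaluated for that attempt. A locked-out account would then still be let in with the correct password. Place the rule above the `pam_unix.so` line so the tally is checked before the password is.
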
> How can I insert a line into the middle of a file, and how can I find
> where in the file it should be inserted?

You need to explicitly insert a node using 'ins' (aug_insert in the C
API) - 'set' creates nodes that don't exist yet as a convenience, but
always puts them at the end.

To insert a new node after the last existing 'auth' line, you'd write

        defvar t /files/etc/pam.d/system-auth   # Just a convenience, works only in 0.5.0
        ins 01 after $t/*[type='auth'][last()]
        set $t/01/type auth
        set $t/01/control required
        ...
        save
        
When the tree contains numbered nodes (like it does
underneath /files/etc/pam.d/system-auth), it is best to use a label that
starts with a '0' for new nodes, since you can be sure that that will
never be produced when the file is read in. Augeas treats these labels
as strings, and their numeric value doesn't matter - the order in which
they get written to the file is the order in which they appear in the
tree, not their numeric order.

David


_______________________________________________
augeas-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/augeas-devel
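
The insert-then-set sequence from the reply written out in full, as an added example that is not part of the original thread: it anchors the new entry before the pam_unix.so auth line instead of after the last auth line, on the assumption that the lockout check should run before a `sufficient` module can end the auth stack. The script file name and the expectation that exactly one auth entry uses pam_unix.so are assumptions of this example.

```augtool
# Run with: augtool -f pam_tally.aug   (file name is a placeholder)
defvar t /files/etc/pam.d/system-auth

# Assumption: exactly one auth entry uses pam_unix.so. 'ins' fails unless
# its path matches exactly one node, so a surprise here stops the script
# at this line instead of inserting in the wrong place.
ins 01 before $t/*[type='auth'][module='pam_unix.so']

# Fill in the new node. The label '01' starts with '0', so it cannot
# collide with the numbered labels produced when the file is read in.
set $t/01/type auth
set $t/01/control required
set $t/01/module pam_tally.so
set $t/01/argument[1] onerr=fail
set $t/01/argument[2] deny=6
set $t/01/argument[3] unlock_time=300

# List the auth modules in tree order, which is the order they are
# written to the file, to confirm pam_tally.so precedes pam_unix.so.
match $t/*[type='auth']/module
save
```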