>What's the best way to use cfengine to manage /etc/passwd and /etc/shadow? Ditto.
I think hash comments *are* allowed in the passwd file, at least in FreeBSD they are. But there are other issues as well.

- passwd and shadow (or master.passwd) need to be exactly the same except that the shadow file has the password hash.
- The shadow file cannot be built from the passwd file, but the passwd file could be built from the shadow file.
- But keeping a shadow file available to cfengine could compromise the security of the file; the source file or the temporary file made during the copy.
- I don't know that cfengine has the ability to modify the password files safely. Modifying either password file without using vipw or the like probably won't update both the passwd and shadow files, which is absolutely required.

So, if it is possible to ensure the security of the shadow file while cfengine is running, it should be possible to push out a shadow file and then run vipw or the like to create the passwd file.

How can we guarantee the security of the shadow file?

----
Perfection is just a word I use occasionally with mustard.

Atom Powers
Systems Administrator
Pyramid Breweries Inc.
206.682.8322 x251

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Spam Collector
Sent: Thursday, March 10, 2005 11:44 AM
To: help-cfengine@gnu.org
Subject: Ways to manage passwd/shadow files?

What's the best way to use cfengine to manage /etc/passwd and /etc/shadow? Managing the entire file as a copy would be easy enough, but how can you just manage a chunk of it? Using editfiles to control a block would have the desired result, except that AFAIK you can't have comment lines in those files (the ### BEGIN and ### END lines I use to manage blocks in other config files). Also, I wouldn't want my shadow passwords to be copied everywhere in the config. I suppose I could use two bogus usernames to define my block and use some of the *File* editfile commands in conjunction with a copy, but that just seems like a hack.
Is there a better way to accomplish this?

Frank

_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
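
A pre-distribution check for the two concerns raised in the thread (the passwd and shadow files must describe the same accounts, and a staged shadow copy must not be readable by others), as an added example that is not part of the original messages. It assumes the Linux 7-field passwd and 9-field shadow layout; the function names and sample entries are constructed for illustration.

```python
import os
import stat

# Constructed sample data, not from the thread; "HASH" stands in for a real hash.
PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:HASH:1001:1001:Bob:/home/bob:/bin/sh
"""
SHADOW = """root:HASH:12852:0:99999:7:::
alice:HASH:12852:0:99999:7:::
carol:HASH:12852:0:99999:7:::
"""

def parse(text, min_fields):
    """Return ({name: fields}, duplicated names); blank and '#' lines are skipped."""
    entries, dups = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields or not fields[0]:
            raise ValueError(f"malformed entry for {fields[0]!r}")
        if fields[0] in entries:
            dups.append(fields[0])
        entries[fields[0]] = fields
    return entries, dups

def check_pair(passwd_text, shadow_text):
    """List inconsistencies in a staged passwd/shadow pair (assumed Linux layout)."""
    pw, pw_dups = parse(passwd_text, 7)
    sh, sh_dups = parse(shadow_text, 9)
    problems = [f"{n}: duplicate entry" for n in pw_dups + sh_dups]
    problems += [f"{n}: in passwd, missing from shadow" for n in pw if n not in sh]
    problems += [f"{n}: in shadow, missing from passwd" for n in sh if n not in pw]
    problems += [f"{n}: passwd field 2 is not 'x'"
                 for n, f in pw.items() if f[1] != "x"]
    return problems

def check_staged_shadow(path):
    """Flag a staged shadow copy that is not root-owned or is open to group/other."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append(f"{path}: owner uid {st.st_uid}, expected 0")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return problems

if __name__ == "__main__":
    print("\n".join(check_pair(PASSWD, SHADOW)))
```

Running both checks against the staged files, and refusing to copy when either returns a non-empty list, keeps an inconsistent or exposed pair from being pushed out.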