Faidon Liambotis has submitted this change and it was merged.
Change subject: labs: widen access.conf exception to everything LOCAL
......................................................................
labs: widen access.conf exception to everything LOCAL
Commit ad2874ee9cc74585a1f685e836852e5c3ab26676 added an access.conf
exception for cron, which was broken since the latest round of PAM
reorganization.
The commit message for the above mentioned that "[t]his will fix cron,
but of course there is still a possibility we'll see effects of our
access.conf configuration elsewhere (e.g. if we were using atd)".
Unfortunately that turned out to be the case, with at least "su" known to be
broken.
Instead of playing whack-a-mole with various different commands, use
pam_access' LOCAL directive to allow everything locally-originated on
the system. This should fix all of the effects we're seeing, while at
the same time giving us the necessary protection we require for ssh.
Bug: T121765
Change-Id: Id741e12d5cafed0a91710bd22ecff3b89c59e994
---
M modules/ldap/manifests/role/client.pp
1 file changed, 3 insertions(+), 3 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, but someone else must approve
Faidon Liambotis: Verified; Looks good to me, approved
diff --git a/modules/ldap/manifests/role/client.pp
b/modules/ldap/manifests/role/client.pp
index 59d7587..68a1e4b 100644
--- a/modules/ldap/manifests/role/client.pp
+++ b/modules/ldap/manifests/role/client.pp
@@ -4,9 +4,9 @@
if ( $::realm == 'labs' ) {
$includes = ['openldap', 'pam', 'nss', 'sudo', 'utils']
- # always allow cron for all users in the system
- security::access::config { 'labs-cron':
- content => "+:ALL:cron\n",
+ # bypass pam_access restrictions for local commands
+ security::access::config { 'labs-local':
+ content => "+:ALL:LOCAL\n",
priority => '00',
}
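Review bot: the `+:ALL:LOCAL` entry is installed at priority '00', so under pam_access's first-match evaluation it is consulted before any later deny rules; since the commit message says the ssh protection must be kept, the one-line comment would be clearer if it stated that LOCAL matches only logins with no remote host origin (console, cron, su and similar local commands) and that ssh sessions, which carry a remote origin, are still subject to the later rules. Also, because the resource title changes from 'labs-cron' to 'labs-local', check that the previously managed 'labs-cron' fragment is actually removed from the access.conf directory rather than left in place alongside the new one, unless the security::access::config define already purges unmanaged entries.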
--
To view, visit https://gerrit.wikimedia.org/r/259705
Gerrit-MessageType: merged
Gerrit-Change-Id: Id741e12d5cafed0a91710bd22ecff3b89c59e994
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits