Issue #19005 has been updated by John Moser.
The relevant block is:
  sudogroup: 'sudo'
  users:
    echo:
      comment: 'Not really his name'
      uid: '1002'
      gid: 'users'
      groups: 'puppet'
      password: '$1$faeHfk0S$02x5dK00Bo5bxSXYEDbCm.'
      sudo: 'yes'
I removed the 'sudo' line after editing the common.yaml line.
The resources are created by
create_resources(create_user_type, hiera('users'))
Which contains
  define create_user_type(
    $uid,
    $gid,
    $password,
    $comment,
    $groups = '',
    $sudo = 'no',
    $name = $title,
    $shell = '/bin/bash',
  ) {
    # name of the sudo group comes from Hiera ('sudo' in common.yaml)
    $sudogroup = hiera('sudogroup')
    if ( $sudo == 'yes' ) {
      # sudo users get the sudo group on top of their Hiera groups
      $totalgroups = flatten([ $sudogroup, $groups ])
    }
    else {
      # only the groups given in Hiera ($groups is the define parameter)
      $totalgroups = $groups
    }
    user { $title:
      ensure     => present,
      name       => $name,
      gid        => $gid,
      groups     => $totalgroups,
      uid        => $uid,
      comment    => $comment,
      shell      => $shell,
      managehome => true,
      membership => 'inclusive',
      password   => $password,
      tag        => 'definedusers',
    }
  }
It wasn't using hiera to fill $sudogroup before, but it is now.
It seems to work as expected when I add a new group. When I remove groups
without adding new groups, nothing happens.
So it seems if I add group 'mysql' to the user and remove 'sudo', it gives the
user 'mysql' and takes him out of 'sudo'. If I remove group 'sudo' without
adding 'mysql' (or any other group), nothing happens.
Found an unrelated hiera bug while trying to test this one too, so off to see
if I need to file that.
----------------------------------------
Bug #19005: Useradd does not remove groups when 'inclusive'
https://projects.puppetlabs.com/issues/19005#change-82348
Author: John Moser
Status: Needs More Information
Priority: High
Assignee: John Moser
Category:
Target version:
Affected Puppet version: 3.0.2
Keywords:
Branch:
This is not a duplicate of #2249
I have some such block:
  user { $title:
    ensure     => present,
    name       => $name,
    gid        => $gid,
    groups     => $totalgroups,
    uid        => $uid,
    comment    => $comment,
    shell      => $shell,
    managehome => true,
    membership => inclusive, # have tried in quotes too
    password   => $password,
    tag        => 'definedusers',
  }
After repeated runs, it won't remove users from groups they don't belong in.
See:
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie
$ puppet agent --test
Notice: /Stage[main]//Node[common]/Create_user_type[echo]/User[echo]/groups:
groups changed 'puppet' to
'adm,cdrom,dip,lpadmin,plugdev,puppet,sambashare,sudo'
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie,echo
Puppet has added the user to sudo. I'll remove this from Hiera.
$ vi common.yaml
...
$ puppet agent --test
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie,echo
Puppet has NOT removed the user from
$ sudo usermod -G puppet echo
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie
$ puppet agent --test
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie
However puppet has not added the user back, either. It seems that the docs say
this should not happen:
  membership
    Whether specified groups should be considered the complete list
    (inclusive) or the minimum list (minimum) of groups to which the user
    belongs. Defaults to minimum. Valid values are inclusive, minimum.
  -- http://docs.puppetlabs.com/references/latest/type.html#user
As shown above, the membership is "inclusive".
This breaks expected security-related behavior so priority is rather high.
$ puppet --version
3.0.2
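An added drift check, not part of the bug report or of Puppet: it parses /etc/group text and compares a user's supplementary groups against the inclusive list the manifest intended, so that a user left in 'sudo' (as in the session above) is reported as extra. The sample /etc/group content is constructed from the lines quoted in the report; the `mysql` and `users` entries are assumed.

```ruby
# Added example: detect supplementary-group drift for a user against the
# list that membership => inclusive should have enforced. Not Puppet code.

# Constructed sample of /etc/group, based on the report's output; the
# puppet, mysql and users lines are assumed for illustration.
SAMPLE_ETC_GROUP = <<~GROUP
  sudo:x:27:baker,charlie,echo
  puppet:x:1001:echo
  mysql:x:1002:
  users:x:100:
GROUP

# Parse /etc/group text into { group_name => [members] }.
def parse_etc_group(text)
  text.each_line.with_object({}) do |line, h|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, _pw, _gid, members = line.split(':', 4)
    h[name] = (members || '').split(',').reject(&:empty?)
  end
end

# Supplementary groups the user currently holds according to /etc/group
# (the primary group from /etc/passwd is not considered here).
def current_groups(groups, user)
  groups.select { |_, members| members.include?(user) }.keys.sort
end

# Compare the current membership with the desired inclusive list.
# desired may be a string or an array, like the Puppet 'groups' parameter.
# Returns { extra: groups to be removed, missing: groups to be added }.
def group_drift(etc_group_text, user, desired)
  have = current_groups(parse_etc_group(etc_group_text), user)
  want = Array(desired).map(&:to_s).sort
  { extra: have - want, missing: want - have }
end

if __FILE__ == $0
  # Hiera now lists only 'puppet' for echo, yet echo is still in sudo.
  drift = group_drift(SAMPLE_ETC_GROUP, 'echo', 'puppet')
  puts "extra groups for echo:   #{drift[:extra].join(',')}"
  puts "missing groups for echo: #{drift[:missing].join(',')}"
end
```

Run it after `puppet agent --test` on the real file (`File.read('/etc/group')`) to confirm that a removed group was actually revoked.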