On Wednesday, November 13, 2013 11:23:15 AM UTC-8, Bret Wortman wrote:
>
> Next fun topic for today: our security folks want to change all the
> /sbin/nologin and related shells to /dev/null. Augeas seems the perfect
> tool for this, but I'm having a devil of a time getting close to something
> that'll work:
>
> augeas { 'fix-bad-passwd-shells':
>   context => "/files/etc/passwd",
>   changes => "set */shell[.='/sbin/nologin'] /dev/null",
>   onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
> }
>
The problem is that set will only change a single node, and barf if you
give it an expression that matches multiple nodes. What you need is setm:

  augeas { 'fix-bad-passwd-shells':
    context => "/files/etc/passwd",
    changes => "setm */shell[.='/sbin/nologin'] . /dev/null",
    onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
  }

> I really wanted my onlyif to look more like:
>
> onlyif => "match */shell includes nologin"
>
You shouldn't really need the onlyif at all - Augeas is smart enough to not
do anything when your setm didn't result in any changes (and IIRC the
Puppet Augeas type has the same kind of smarts).
> to catch other variations (like /usr/sbin/nologin), but that didn't work
> at all. Is there a way to make that work?
>
You can also select nodes by doing a regexp match against their content;
the following should work:

  match */shell[. =~ regexp('.*/nologin$')]

David
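To make the set/setm distinction and the "no change, nothing to write" behaviour concrete, here is an added example that is not part of the thread and does not use the Augeas library: a plain Python emulation of the three operations David refers to (match, set, setm) over a constructed /etc/passwd. The sample file contents, the function names and the decision to treat zero-match `set` as a no-op (where real Augeas would create the node) are assumptions made for the illustration.

```python
"""Emulate the Augeas `match`/`set`/`setm` semantics from the thread over a
constructed /etc/passwd. Plain Python, not the Augeas API."""
import re
from typing import List, Tuple

# Constructed sample; only the shell (7th) field matters for this example.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    "sshd:x:74:74:sshd:/var/empty/sshd:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/zsh\n"
)

# Same pattern as `match */shell[. =~ regexp('.*/nologin$')]`. Augeas regexps
# must match the whole value, so fullmatch() is the Python analogue.
NOLOGIN_RE = re.compile(r".*/nologin$")

# Literal comparison, i.e. `*/shell[.='/sbin/nologin']`: misses /usr/sbin/nologin.
EXACT_SBIN_NOLOGIN_RE = re.compile(r"/sbin/nologin")


def match_shells(passwd_text: str, pattern: re.Pattern) -> List[str]:
    """Usernames whose shell matches `pattern` (the `match` half of the onlyif)."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guess at them
        if pattern.fullmatch(fields[6]):
            users.append(fields[0])
    return users


def setm_shell(passwd_text: str, pattern: re.Pattern, new_shell: str) -> Tuple[str, int]:
    """`setm` semantics: rewrite every matching shell and report how many changed.
    A zero count is the signal that the file does not need to be written back."""
    out, changed = [], 0
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and pattern.fullmatch(fields[6]) and fields[6] != new_shell:
            fields[6] = new_shell
            changed += 1
        out.append(":".join(fields))
    return "\n".join(out) + "\n", changed


def set_shell(passwd_text: str, pattern: re.Pattern, new_shell: str) -> Tuple[str, int]:
    """`set` semantics: the expression may address at most one node; more is an
    error (this is the "barf" in the reply). Zero matches is treated as a no-op
    here, whereas Augeas would create the node; that branch is left out."""
    hits = match_shells(passwd_text, pattern)
    if len(hits) > 1:
        raise ValueError(f"set: expression matches {len(hits)} nodes, expected one")
    return setm_shell(passwd_text, pattern, new_shell)


if __name__ == "__main__":
    print("exact match:", match_shells(SAMPLE_PASSWD, EXACT_SBIN_NOLOGIN_RE))
    print("regexp match:", match_shells(SAMPLE_PASSWD, NOLOGIN_RE))
    fixed, n = setm_shell(SAMPLE_PASSWD, NOLOGIN_RE, "/dev/null")
    print(f"setm changed {n} shells")
    _, again = setm_shell(fixed, NOLOGIN_RE, "/dev/null")
    print(f"second run changed {again} shells (nothing to write)")
    try:
        set_shell(SAMPLE_PASSWD, NOLOGIN_RE, "/dev/null")
    except ValueError as err:
        print("set:", err)
```

Running it shows why the literal `/sbin/nologin` expression misses sshd's `/usr/sbin/nologin`, why `set` refuses the multi-node expression that `setm` accepts, and that a second `setm` pass reports zero changes, which is the property that makes the onlyif guard unnecessary.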
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/270de415-d94b-4412-96a7-c78ef3bb358b%40googlegroups.com.