You know what's sad? I looked at setm when I was poking around with augtool, but didn't see any examples using Puppet so I never circled back to it.
I ended up writing a shell script with a sed script inside, distributing that using file and then executing it via an exec in refreshonly mode. I'll give this a second try shortly, though. Thanks!

*Bret Wortman*
http://about.me/wortmanbret

On Wed, Nov 13, 2013 at 2:47 PM, David Lutterkort <[email protected]> wrote:

> On Wednesday, November 13, 2013 11:23:15 AM UTC-8, Bret Wortman wrote:
>>
>> Next fun topic for today: our security folks want to change all the
>> /sbin/nologin and related shells to /dev/null. Augeas seems the perfect
>> tool for this, but I'm having a devil of a time getting close to something
>> that'll work:
>>
>> augeas { 'fix-bad-passwd-shells':
>>   context => "/files/etc/passwd",
>>   changes => "set */shell[.='/sbin/nologin'] /dev/null",
>>   onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
>> }
>>
>
> The problem is that set will only change a single node, and barf if you
> give it an expression that matches multiple nodes. What you need is setm:
>
> augeas { 'fix-bad-passwd-shells':
>   context => "/files/etc/passwd",
>   changes => "setm */shell[.='/sbin/nologin'] . /dev/null",
>   onlyif  => "match */shell[.='/sbin/nologin'] size > 0",
> }
>
>> I really wanted my onlyif to look more like:
>>
>> onlyif => "match */shell includes nologin"
>>
>
> You shouldn't really need the onlyif at all - Augeas is smart enough to
> not do anything when your setm didn't result in any changes (and IIRC the
> Puppet Augeas type has the same kind of smarts)
>
>> to catch other variations (like /usr/sbin/nologin), but that didn't work
>> at all. Is there a way to make that work?
>>
>
> You can also select nodes by doing a regexp match against their content;
> the following should work:
>
> match */shell[. =~ regexp('.*/nologin$')]
>
> David
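As an added, stand-alone illustration (not code from either poster), the Python below mirrors what David's regexp selector would do when combined with setm, i.e. `setm */shell[. =~ regexp('.*/nologin$')] . /dev/null`, over a constructed /etc/passwd sample, so the set of affected accounts and the "nothing to do on a second run" convergence can be checked without Augeas installed. The sample content and the function names are assumptions made for this example.

```python
import re

# Constructed sample of /etc/passwd for this example (not a real system file).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
svc:x:900:900:service account:/var/lib/svc:/sbin/nologin
bret:x:1000:1000:Bret:/home/bret:/bin/bash
"""

# Same pattern David suggests for the Augeas selector `. =~ regexp('.*/nologin$')`.
NOLOGIN_RE = re.compile(r".*/nologin$")
TARGET_SHELL = "/dev/null"


def match_nologin_shells(passwd_text):
    """Equivalent of `match */shell[. =~ regexp('.*/nologin$')]`:
    return the usernames whose shell field (7th column) matches."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: leave it alone, as Augeas would refuse to parse it
        if NOLOGIN_RE.match(fields[6]):
            users.append(fields[0])
    return users


def set_nologin_shells(passwd_text, new_shell=TARGET_SHELL):
    """Equivalent of `setm */shell[. =~ regexp('.*/nologin$')] . /dev/null`:
    rewrite every matching shell field and keep all other lines untouched.
    Returns (new_text, number_of_changed_entries); 0 means nothing to do."""
    out = []
    changed = 0
    for line in passwd_text.splitlines(keepends=True):
        newline = "\n" if line.endswith("\n") else ""
        fields = line.rstrip("\n").split(":")
        if len(fields) == 7 and NOLOGIN_RE.match(fields[6]):
            fields[6] = new_shell
            line = ":".join(fields) + newline
            changed += 1
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    print("accounts to change:", match_nologin_shells(SAMPLE_PASSWD))
    updated, n = set_nologin_shells(SAMPLE_PASSWD)
    print(f"changed {n} entries; second run changes {set_nologin_shells(updated)[1]}")
```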
