Tim Landscheidt has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/326311 )
Change subject: Labs: Set SYS_UID_MAX and SYS_GID_MAX to 499 ...................................................................... Labs: Set SYS_UID_MAX and SYS_GID_MAX to 499 For historical reasons, LDAP accounts start at uid/gid 500. However by default SYS_UID_MAX and SYS_GID_MAX are set to 999, i. e. there is the theoretical potential for system users being created with uids/gids already associated with LDAP accounts. This change sets SYS_UID_MAX and SYS_GID_MAX to 499. Bug: T45795 Change-Id: Ib2b6c353c0f802f77f900e4330e4eb85c096d67e --- M modules/role/manifests/labs/instance.pp 1 file changed, 13 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/11/326311/1 diff --git a/modules/role/manifests/labs/instance.pp b/modules/role/manifests/labs/instance.pp index 0431916..0727da2 100644 --- a/modules/role/manifests/labs/instance.pp +++ b/modules/role/manifests/labs/instance.pp @@ -75,5 +75,18 @@ source => 'puppet:///modules/diamond/collector/sshsessions.py', } + # For historical reasons, LDAP users start at uid/gid 500, so we + # need to guard against system users being created in that range. + file_line { 'login.defs-SYS_UID_MAX': + path => '/etc/login.defs', + match => '#?SYS_UID_MAX\b', + line => 'SYS_UID_MAX 499', + } + file_line { 'login.defs-SYS_GID_MAX': + path => '/etc/login.defs', + match => '#?SYS_GID_MAX\b', + line => 'SYS_GID_MAX 499', + } + hiera_include('classes', []) } -- To view, visit https://gerrit.wikimedia.org/r/326311 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib2b6c353c0f802f77f900e4330e4eb85c096d67e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits