Tim Landscheidt has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/326311 )

Change subject: Labs: Set SYS_UID_MAX and SYS_GID_MAX to 499
......................................................................

Labs: Set SYS_UID_MAX and SYS_GID_MAX to 499

For historical reasons, LDAP accounts start at uid/gid 500.  However
by default SYS_UID_MAX and SYS_GID_MAX are set to 999, i.e. there is
the theoretical potential for system users being created with
uids/gids already associated with LDAP accounts.

This change sets SYS_UID_MAX and SYS_GID_MAX to 499.

Bug: T45795
Change-Id: Ib2b6c353c0f802f77f900e4330e4eb85c096d67e
---
M modules/role/manifests/labs/instance.pp
1 file changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/11/326311/1

diff --git a/modules/role/manifests/labs/instance.pp 
b/modules/role/manifests/labs/instance.pp
index 0431916..0727da2 100644
--- a/modules/role/manifests/labs/instance.pp
+++ b/modules/role/manifests/labs/instance.pp
@@ -75,5 +75,18 @@
         source => 'puppet:///modules/diamond/collector/sshsessions.py',
     }
 
+    # For historical reasons, LDAP users start at uid/gid 500, so we
+    # need to guard against system users being created in that range.
+    file_line { 'login.defs-SYS_UID_MAX':
+        path     => '/etc/login.defs',
+        match    => '#?SYS_UID_MAX\b',
+        line     => 'SYS_UID_MAX               499',
+    }
+    file_line { 'login.defs-SYS_GID_MAX':
+        path     => '/etc/login.defs',
+        match    => '#?SYS_GID_MAX\b',
+        line     => 'SYS_GID_MAX               499',
+    }
+
     hiera_include('classes', [])
 }
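
Review bot: The match patterns in both file_line resources ('#?SYS_UID_MAX\b' and '#?SYS_GID_MAX\b') are unanchored, so they match any line in /etc/login.defs that merely contains the token, including a prose comment that mentions it. file_line fails the resource when more than one line matches unless multiple is set, and with a single unintended match it would rewrite the wrong line. Anchoring to the start of the line and allowing optional whitespace after the comment marker, for example '^#?\s*SYS_UID_MAX\b', restricts the match to the setting itself, commented out or not. Two smaller points: the arrows in path/match/line are padded wider than the longest key needs, which puppet-lint's arrow alignment check will flag; and the new comment could state that this only constrains future allocations made by tools that read /etc/login.defs, so system accounts that already hold a uid/gid in 500-999, or a tool that takes its system range from another file, are not covered by these two resources.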

-- 
To view, visit https://gerrit.wikimedia.org/r/326311
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib2b6c353c0f802f77f900e4330e4eb85c096d67e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de>
