authorOlivier Blin <dev@blino.org>2015-12-01 02:34:26 +0100
committerOlivier Blin <dev@blino.org>2015-12-01 02:42:40 +0100
commitd2b415f90acc123d3406d399c60c0a40c70ca861 (patch)
tree050b50de09d00b4efe7f206b826fc5e9d838975f /deployment/shadow
parent149bbaeb718f6a3cf7e6a6c3158072fccf3925eb (diff)
shadow: Specifically change uid/gid max instead of copying custom login.defs
Copying a custom login.defs file is not really a good option, since we have to manage many distribution versions, which do not necessarily have the same login.defs settings. Instead, we now only change the UID_MAX and GID_MAX values to 2000 (from an initial value of 60000). This is done so that locally created accounts do not overlap LDAP-managed accounts, which start at 5000. This uses the file_line helper from the puppetlabs-stdlib module. It means the puppet-stdlib package now needs to be installed on the puppet master node.
Diffstat (limited to 'deployment/shadow')
-rw-r--r--deployment/shadow/files/login.defs193
-rw-r--r--deployment/shadow/manifests/init.pp19
2 files changed, 17 insertions, 195 deletions
diff --git a/deployment/shadow/files/login.defs b/deployment/shadow/files/login.defs
deleted file mode 100644
index 4d966b60..00000000
--- a/deployment/shadow/files/login.defs
+++ /dev/null
@@ -1,193 +0,0 @@
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-# QMAIL_DIR is for Qmail
-#
-#QMAIL_DIR Maildir
-MAIL_DIR /var/spool/mail
-#MAIL_FILE .mail
-
-# Password aging controls:
-#
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
-# PASS_WARN_AGE Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
-#PASS_MIN_LEN 5
-PASS_WARN_AGE 7
-
-#
-# Min/max values for automatic uid selection in useradd
-#
-UID_MIN 500
-UID_MAX 2000
-
-#
-# Min/max values for automatic gid selection in groupadd
-#
-GID_MIN 500
-GID_MAX 2000
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-# USERDEL_CMD /usr/sbin/userdel_local
-
-#
-# If useradd should create home directories for users by default
-# On RH systems, we do. This option is ORed with the -m flag on
-# useradd command line.
-#
-CREATE_HOME yes
-
-#
-# The password hashing method and iteration count to use for group
-# passwords that may be set with gpasswd(1).
-#
-CRYPT_PREFIX $2a$
-CRYPT_ROUNDS 8
-
-#
-# Whether to use tcb password shadowing scheme. Use 'yes' if using
-# tcb and 'no' if using /etc/shadow
-#
-USE_TCB no
-
-#
-# Whether newly created tcb-style shadow files should be readable by
-# group "auth".
-#
-TCB_AUTH_GROUP yes
-
-#
-# Whether useradd should create symlinks rather than directories under
-# /etc/tcb for newly created accounts with UIDs over 1000. See tcb(5)
-# for information on why this may be needed.
-#
-TCB_SYMLINKS no
-
-#
-# Delay in seconds before being allowed another attempt after a login failure
-#
-FAIL_DELAY 3
-
-#
-# Enable display of unknown usernames when login failures are recorded.
-#
-LOG_UNKFAIL_ENAB no
-
-#
-# Enable logging of successful logins
-#
-LOG_OK_LOGINS no
-
-#
-# Enable "syslog" logging of su activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp and sg.
-#
-SYSLOG_SU_ENAB yes
-SYSLOG_SG_ENAB yes
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names. Root logins will be allowed only
-# upon these devices.
-#
-CONSOLE /etc/securetty
-#CONSOLE console:tty01:tty02:tty03:tty04
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then a "ps" will display the
-# command is "-su". If not defined, then "ps" would display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
-#
-# If defined, file which inhibits all the usual chatter during the login
-# sequence. If a full pathname, then hushed mode will be enabled if the
-# user's name or shell are found in the file. If not a full pathname, then
-# hushed mode will be enabled if the file exists in the user's home directory.
-#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
-
-#
-# *REQUIRED* The default PATH settings, for superuser and normal users.
-#
-# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
-
-#
-# Terminal permissions
-#
-# TTYGROUP Login tty will be assigned this group ownership.
-# TTYPERM Login tty will be set to this permission.
-#
-# If you have a "write" program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP to the group number and
-# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
-# TTYPERM to either 622 or 600.
-#
-TTYGROUP tty
-TTYPERM 0600
-
-#
-# Login configuration initializations:
-#
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# UMASK Default "umask" value.
-# ULIMIT Default "ulimit" value.
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 0177
-KILLCHAR 025
-UMASK 022
-#ULIMIT 2097152
-
-#
-# Max number of login retries if password is bad
-#
-LOGIN_RETRIES 5
-
-#
-# Max time in seconds for login
-#
-LOGIN_TIMEOUT 60
-
-#
-# Which fields may be changed by regular users using chfn - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-#
-CHFN_RESTRICT rwh
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default in no.
-#
-DEFAULT_HOME yes
-
-#
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-#
-# This also enables userdel to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
diff --git a/deployment/shadow/manifests/init.pp b/deployment/shadow/manifests/init.pp
index 083f86ba..c24c36bf 100644
--- a/deployment/shadow/manifests/init.pp
+++ b/deployment/shadow/manifests/init.pp
@@ -1,8 +1,23 @@
class shadow {
- file { '/etc/login.defs':
+ include stdlib
+
+ $login_defs = '/etc/login.defs'
+
+ file { $login_defs:
owner => 'root',
group => 'shadow',
mode => '0640',
- source => 'puppet:///modules/shadow/login.defs',
+ }
+
+ file_line { 'uid_max':
+ path => $login_defs,
+ line => 'UID_MAX 2000',
+ match => '^UID_MAX\s+',
+ }
+
+ file_line { 'gid_max':
+ path => $login_defs,
+ line => 'GID_MAX 2000',
+ match => '^GID_MAX\s+',
}
}
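Review bot: Dropping the managed login.defs silently reverts every other setting it carried to the distribution default, while the new manifest pins only UID_MAX and GID_MAX. The deleted file also set login-hardening values such as `FAIL_DELAY 3`, `LOGIN_RETRIES 5`, `UMASK 022`, `CONSOLE /etc/securetty` and `CRYPT_PREFIX $2a$`; if any of those were deliberate rather than copied defaults, each needs its own resource in the same shape, e.g. `file_line { 'umask': path => $login_defs, line => 'UMASK 022', match => '^UMASK\s+', }`. UID_MAX/GID_MAX only bound automatic allocation by useradd/groupadd, so an explicit `useradd -u 7000` can still land in the LDAP range; a comment on the `uid_max` resource such as `# Caps automatic allocation only; explicit -u/-g values are not checked` would stop the next maintainer from reading it as an enforced boundary. Since the `file` resource now carries no content, a node with no /etc/login.defs would presumably end up with an empty file plus the two appended lines, which is worth confirming is acceptable.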