Forum: Cfengine Help
Subject: Re: We need +1 function, shadowexists() to complement userexists() and groupexists()
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,21315,21332#msg-21332
Seva Gluschenko Wrote:
-------------------------------------------------------
> Mike, I didn't say a word about shadow function )
> My objection was directed to Mr. Sauer who defined
> that Cfengine behaviour as reasonable.
Oh. In that case, then let me reiterate that userexists() and groupexists()
directly map to POSIX getpw* and getgr* functions which query user databases
and group databases; they do not directly check any file. These databases need
not be /etc/passwd or /etc/group; on Linux, it's whatever database(s) are
configured in the user or group section of nsswitch.conf. AIX uses methods.cfg
and the SYSTEM parameter in /etc/security/user to manage LAM. Even Windows
versions >= NT4 should work, despite not having an /etc/passwd. In any case,
the concept of a shadow file is not appropriate as a similar function, largely
because "shadow" means nothing; it's a per-vendor extension of the user
database, and we already have a function which queries the user database. :)
What's being done in the standard library is, IMHO, an abuse of userexists().
That function checks to see if a user is known to the system; it does *not*
check to see if a user is in the /etc/passwd file. There's a subtle
difference, and it's only coincidence that the two results are sometimes the
same. In fact, were someone to change nsswitch to check LDAP first and never
reference files, this operation would never converge. Cfengine would keep
appending this line, and userexists() would keep reporting that the user doesn't
exist. That's unlikely to happen, but I have AIX systems which are configured
to look at LDAP by default, and only look locally for certain users - so this
would definitely never converge there. Likely or not, the library is still
ideologically wrong to repair a promise based on a potentially unrelated
validation step.
The library above should really be doing something more like this
"add_$(index)" expression => islessthan(
countlinesmatching("$(index):.*","/etc/passwd"), "1");
in order to validate that $(index) is actually in /etc/passwd. If it had been
written that way, it would be much more clear that isshadow() is not the
appropriate extension. Rather, countlinesmatching("$(index):.*", "/etc/shadow")
would become the obvious extension of the above for a typical Linux shadow file.
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
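The convergence argument in the post, as an added example that is not from the post or from CFEngine's standard library: a Python stand-in in which pwd.getpwnam() plays the role of the getpwnam() call behind userexists(), a line count over a constructed passwd file plays the role of countlinesmatching(), and a mock lookup function (an assumption) stands in for an nsswitch configuration that consults LDAP only.

```python
import pwd
import re


def user_known_to_system(name):
    # Same semantics as userexists(): ask the configured user database via getpwnam().
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def count_passwd_lines(name, passwd_text):
    # Same semantics as countlinesmatching("name:.*", "/etc/passwd"):
    # count lines of the local file whose first field is exactly the user name.
    pattern = re.compile(r"^" + re.escape(name) + r":.*$")
    return sum(1 for line in passwd_text.splitlines() if pattern.match(line))


def run_library_repair(name, entry, passwd_text, nss_lookup, rounds=3):
    # The pattern the post objects to: append to /etc/passwd whenever the
    # database lookup says the user is unknown. Returns (appends, final text).
    appends = 0
    for _ in range(rounds):
        if not nss_lookup(name):
            passwd_text += entry + "\n"
            appends += 1
    return appends, passwd_text


def run_file_repair(name, entry, passwd_text, rounds=3):
    # The corrected pattern: repair only when the local file itself lacks the line.
    appends = 0
    for _ in range(rounds):
        if count_passwd_lines(name, passwd_text) < 1:
            passwd_text += entry + "\n"
            appends += 1
    return appends, passwd_text


# Constructed sample data: a host whose user database is served by LDAP only,
# so the local file never influences the lookup result for "svc".
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
ENTRY = "svc:x:1001:1001:service account:/home/svc:/bin/sh"


def ldap_only_lookup(name):
    # Mock NSS backend (assumption): only "root" is known, "svc" never is.
    return name in {"root"}
```

With the LDAP-only mock, run_library_repair appends the entry on every round, whereas run_file_repair appends it once and then converges.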