ghoneycutt / puppet-module-pam

Puppet module to manage PAM

access.conf manage #216

Closed EarthDevour closed 5 years ago

EarthDevour commented 5 years ago

https://github.com/ghoneycutt/puppet-module-pam/blob/eaa004deb54de1b64de124d39ea4154ebc587340/templates/access.conf.erb#L11

I have "group"-based access control; this doesn't make sense for me, and I have no way of disabling the last line that denies all other users.

It would be very nice to have a "manage_access_conf = true/false" param to disable management of this configuration file so users would be able to choose to use it or not.

In fact, this module should have the same thing for all other *.conf files; overwriting a bunch of config files is quite odd...

EarthDevour commented 5 years ago

Just realized that if you pass "ALL" as a string to allow users, it will add +:ALL:ALL. It works, but it is still a shady way of doing it.

ghoneycutt commented 5 years ago

Thanks for providing this workaround. I'm not excited to remove the deny all from the last line, as this is good security and having +ALL:ALL is generally a very bad thing. If someone wrote a patch that was very clear about the security implications and had all the requisite tests, I would merge that.
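
An added example, not part of the thread or of puppet-module-pam: a small Ruby lint for a rendered access.conf that reports the two conditions discussed above, a `+:ALL:ALL` rule and a missing trailing `-:ALL:ALL`. It relies on pam_access using the first matching rule; the sample files, the `admins` group and all function names are constructed for illustration.

```ruby
# Added example (not the module's code). Rule format: permission:users:origins
Rule = Struct.new(:line_no, :perm, :users, :origins)

# True when the rule is "<perm>:ALL:ALL".
def catch_all?(rule, perm)
  !rule.nil? && rule.perm == perm && rule.users == ['ALL'] && rule.origins == ['ALL']
end

# Parse access.conf text into rules, skipping blanks, comments and malformed lines.
def parse_access_conf(text)
  rules = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    perm, users, origins = line.split(':', 3).map(&:strip)
    next unless %w[+ -].include?(perm) && users && origins
    rules << Rule.new(n, perm, users.split, origins.split)
  end
  rules
end

# Return a list of findings; an empty list means neither condition was found.
def audit_access_conf(text)
  rules = parse_access_conf(text)
  findings = []
  allow_all = rules.find { |r| catch_all?(r, '+') }
  if allow_all
    findings << "line #{allow_all.line_no}: +:ALL:ALL allows every user from every origin"
    # First match wins, so any deny placed after +:ALL:ALL can never apply.
    later_deny = rules.find { |r| r.line_no > allow_all.line_no && r.perm == '-' }
    findings << "line #{later_deny.line_no}: deny rule follows +:ALL:ALL and is never reached" if later_deny
  end
  findings << 'last rule is not -:ALL:ALL: the catch-all deny is missing' unless catch_all?(rules.last, '-')
  findings
end

# Constructed sample: what passing "ALL" as an allowed user produces.
SAMPLE_WORKAROUND = <<~CONF
  # managed file (constructed sample)
  +:ALL:ALL
  -:ALL:ALL
CONF

# Constructed sample: group-based access that keeps the final deny effective.
SAMPLE_GROUP = <<~CONF
  +:root:LOCAL
  +:(admins):ALL
  -:ALL:ALL
CONF

puts audit_access_conf(SAMPLE_WORKAROUND)
```

The group-based sample passes cleanly, which shows that group rules and the final deny-all line can coexist without the `+:ALL:ALL` workaround.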