voxpupuli / puppet-augeasproviders_pam

Augeas-based PAM type and provider for Puppet

arguments being stripped when two pam resources act on same module #26

Closed smokecatcher closed 4 years ago

smokecatcher commented 4 years ago

I need to have the following in my /etc/pam.d/postlogin:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     required      pam_lastlog.so  noupdate showfailed

I created the following pam resources:

pam { 'pam_lastlog.so_ default_control':
  ensure => positioned,
  service => 'postlogin',
  type => 'session',
  control => '[default=1]',
  control_is_param => true,
  module => 'pam_lastlog.so',
  arguments => ['nowtmp', 'showfailed'],
  position => 'after *[type="session" and module="pam_succeed_if.so"]',
}

pam { 'pam_lastlog.so_ required_control':
  ensure => positioned,
  service => 'postlogin',
  type => 'session',
  control => 'required',
  module => 'pam_lastlog.so',
  arguments => ['noupdate', 'showfailed'],
  position => 'after *[type="session" and module="pam_lastlog.so" and control="[default=1]"]',
}

Starting with a /etc/pam.d/postlogin file of:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet

What this gives me in the /etc/pam.d/postlogin file is:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so
session     required      pam_lastlog.so

So where did my arguments go?

Version of herculesteam-augeasproviders_pam is 2,2.1, on PE 2019.2 working on RHEL7 test system.

raphink commented 4 years ago

There's a typo in your definition (arguments => '['nowtmp', 'showfailed'], ). I assume this is a copy/paste issue?

smokecatcher commented 4 years ago

Yes, that's a typo. I have to hand copy everything from a disconnected network.

raphink commented 4 years ago

You're missing control_is_param in the second definition. Also, you should order the two resources:

pam { 'pam_lastlog.so_ default_control':
  ensure => positioned,
  service => 'postlogin',
  type => 'session',
  control => '[default=1]',
  control_is_param => true,
  module => 'pam_lastlog.so',
  arguments => ['nowtmp', 'showfailed'],
  position => 'after *[type="session" and module="pam_succeed_if.so"]',
}
->
pam { 'pam_lastlog.so_ required_control':
  ensure => positioned,
  service => 'postlogin',
  type => 'session',
  control => 'required',
  control_is_param => true,
  module => 'pam_lastlog.so',
  arguments => ['noupdate', 'showfailed'],
  position => 'after *[type="session" and module="pam_lastlog.so" and control="[default=1]"]',
}

Works fine for me.
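
An added example, not part of the thread or of the augeasproviders_pam project: a Python check that parses a PAM file and reports rules whose expected arguments are missing, which is the symptom reported above. The function names and sample strings are constructed for illustration, and bracketed module arguments that contain spaces are assumed not to occur.

```python
import re

# PAM rule layout: type, control, module, optional arguments. The control may
# be a bracketed list that contains spaces, e.g. [success=1 default=ignore].
PAM_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
    r"(?:\s+(?P<args>.*?))?\s*$"
)

def parse_pam(text):
    """Parse PAM config text into a list of rule dicts (comments skipped)."""
    rules = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:  # blank lines and anything that is not a rule are ignored
            rule = m.groupdict()
            # Whitespace split; bracketed arguments with spaces are not handled.
            rule["args"] = (rule["args"] or "").split()
            rules.append(rule)
    return rules

def missing_arguments(text, expected):
    """Return {(type, control, module): missing args, or None if rule absent}."""
    found = {(r["type"], r["control"], r["module"]): r["args"]
             for r in parse_pam(text)}
    problems = {}
    for type_, control, module, args in expected:
        key = (type_, control, module)
        if key not in found:
            problems[key] = None
        elif [a for a in args if a not in found[key]]:
            problems[key] = [a for a in args if a not in found[key]]
    return problems

# Expected rules, taken from the two pam resources in the thread.
EXPECTED = [
    ("session", "[default=1]", "pam_lastlog.so", ["nowtmp", "showfailed"]),
    ("session", "required", "pam_lastlog.so", ["noupdate", "showfailed"]),
]
HEAD = ("session     [success=1 default=ignore] pam_succeed_if.so "
        "service !~ gdm* service !~ su* quiet\n")
# Constructed inputs: the file the reporter wanted and the file they got.
WANTED = HEAD + ("session     [default=1]   pam_lastlog.so nowtmp showfailed\n"
                 "session     required      pam_lastlog.so  noupdate showfailed\n")
STRIPPED = HEAD + ("session     [default=1]   pam_lastlog.so\n"
                   "session     required      pam_lastlog.so\n")

if __name__ == "__main__":
    for name, text in (("wanted", WANTED), ("stripped", STRIPPED)):
        print(name, missing_arguments(text, EXPECTED))
```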