voxpupuli / puppet-augeasproviders_pam

Augeas-based PAM type and provider for Puppet

Same module and control (control_is_param) not working #28

Open Fabian1976 opened 3 years ago

Fabian1976 commented 3 years ago

I'm trying to accomplish this in /etc/pam.d/password-auth:

auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900

And I'm using this code:

    pam { '(5.4.2) - pam_faillock preauth password-auth':
      ensure           => present,
      service          => 'password-auth',
      type             => 'auth',
      control          => 'required',
      control_is_param => true,
      module           => 'pam_faillock.so',
      arguments        => [
        'preauth',
        'silent',
        'deny=5',
        'unlock_time=900'
      ],
    }
    pam { '(5.4.2) - pam_faillock authfail password-auth':
      ensure           => present,
      service          => 'password-auth',
      type             => 'auth',
      control          => 'required',
      control_is_param => true,
      module           => 'pam_faillock.so',
      arguments        => [
        'authfail',
        'deny=5',
        'unlock_time=900'
      ],
    }

But on each Puppet run the first block gets applied (preauth) and then the second one corrects the first one (authfail). So in the end, I only have this line:

auth required pam_faillock.so authfail deny=5 unlock_time=900

Am I missing something?

I've also tried changing ensure => present to ensure => positioned and adding a position, but that didn't work either.

I gave the top block this position:

position         => 'before *[type="auth" and module="pam_unix.so"]',

And the bottom one this:

position         => 'after *[type="auth" and module="pam_unix.so"]',

But the result is the same.

Any ideas or suggestions would be helpful.

Fabian1976 commented 3 years ago

Seems like it is in this part of the code: https://github.com/hercules-team/augeasproviders_pam/blob/5f8eb29fdf4d06082e331bdda17e0f643e2e8be9/lib/puppet/provider/pam/augeas.rb#L45

Compare is only done by service, type, module and control. It doesn't look at the parameters. So if those 4 are the same but the arguments differ, the above happens.

Can anyone fix this?

jakerundall commented 2 years ago

I have a workaround, which is to have Puppet put the 2nd rule in a new service file, e.g., 'service => password-auth-custom', and then include that service in the main password-auth config, e.g.: ... service => 'password-auth', type => 'auth', control => 'include', module => 'password-auth-custom', ...

It's not very scalable but it does work.
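Added example, not code from puppet-augeasproviders_pam or from either commenter: a small in-memory Ruby model of a PAM service file and of a provider that reconciles desired `pam` resources against it. It reproduces the collision Fabian1976 describes (a match key of type, control and module, with arguments ignored, so the two pam_faillock resources overwrite one line on every run), contrasts it with an assumed stricter key that also looks at the first argument, and checks that jakerundall's workaround (the second rule in its own service file pulled in with `control => 'include'`) leaves both lines in the effective stack. The starting file contents, the `password-auth-custom` file and the key functions are constructed for the demonstration; position handling is deliberately left out because it does not change which existing line a resource matches.

```ruby
# Added example: in-memory model of reconciling "pam" resources against a
# pam.d service file. Not the provider's own code; keys and files are assumed.

PamLine = Struct.new(:type, :control, :mod, :args) do
  def to_s
    [type, control, mod, *args].join(' ')
  end
end

# Parse the body of one pam.d service file. Comments and blank lines are
# skipped; a bracketed control such as "[success=1 default=ignore]" stays one token.
def parse_pam(text)
  text.each_line.filter_map do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    m = line.match(/\A(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)\z/)
    next unless m
    PamLine.new(m[1], m[2], m[3], m[4].split)
  end
end

# Match key as described in the issue (service is implicit: one file at a time):
# type, control and module only, arguments ignored.
LOOSE_KEY = ->(l) { [l.type, l.control, l.mod] }

# Assumed stricter key for comparison: also the first argument, which for
# pam_faillock is the phase keyword (preauth/authfail/authsucc).
STRICT_KEY = ->(l) { LOOSE_KEY.call(l) + [l.args.first] }

# One reconciliation pass: each desired line overwrites the first existing
# line with the same key, or is appended when nothing matches.
def reconcile(lines, desired, key)
  out = lines.map(&:dup)
  desired.each do |want|
    idx = out.index { |l| key.call(l) == key.call(want) }
    if idx
      out[idx] = want
    else
      out << want
    end
  end
  out
end

# Expand "control include" lines (all lines of the same type from the named
# service, as pam.d(5) describes) so the effective stack can be inspected.
def effective_stack(files, service, depth = 0)
  raise "include loop at #{service}" if depth > 8
  parse_pam(files.fetch(service)).flat_map do |l|
    if l.control == 'include'
      effective_stack(files, l.mod, depth + 1).select { |i| i.type == l.type }
    else
      [l]
    end
  end
end

PREAUTH  = PamLine.new('auth', 'required', 'pam_faillock.so',
                       %w[preauth silent deny=5 unlock_time=900])
AUTHFAIL = PamLine.new('auth', 'required', 'pam_faillock.so',
                       %w[authfail deny=5 unlock_time=900])

# Constructed starting file with no pam_faillock lines yet.
PASSWORD_AUTH = <<~PAM
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        required      pam_deny.so
PAM

def faillock_lines(lines)
  lines.select { |l| l.mod == 'pam_faillock.so' }.map(&:to_s)
end

# Two runs with the loose key: both resources fight over one line and only
# the last one applied survives, which is the symptom reported in the issue.
def loose_result
  lines = parse_pam(PASSWORD_AUTH)
  2.times { lines = reconcile(lines, [PREAUTH, AUTHFAIL], LOOSE_KEY) }
  faillock_lines(lines)
end

# Same two runs with the stricter key: both lines present and stable.
def strict_result
  lines = parse_pam(PASSWORD_AUTH)
  2.times { lines = reconcile(lines, [PREAUTH, AUTHFAIL], STRICT_KEY) }
  faillock_lines(lines)
end

# The workaround: the second rule lives in its own service file, which the
# main file pulls in through an include line managed as a separate resource.
def workaround_result
  include_line = PamLine.new('auth', 'include', 'password-auth-custom', [])
  main   = reconcile(parse_pam(PASSWORD_AUTH), [PREAUTH, include_line], LOOSE_KEY)
  custom = reconcile([], [AUTHFAIL], LOOSE_KEY)
  files  = { 'password-auth'        => main.map(&:to_s).join("\n"),
             'password-auth-custom' => custom.map(&:to_s).join("\n") }
  faillock_lines(effective_stack(files, 'password-auth'))
end

if $PROGRAM_NAME == __FILE__
  puts "loose key:  #{loose_result.inspect}"
  puts "strict key: #{strict_result.inspect}"
  puts "workaround: #{workaround_result.inspect}"
end
```

Running the script prints one pam_faillock line for the loose key and two for both the strict key and the workaround. The practical check on a real host is the same: after two consecutive Puppet runs, `grep pam_faillock /etc/pam.d/password-auth` must show both the preauth and the authfail line, or the lockout policy is not actually in place.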