[augeas-devel] adding pam_tally to system-auth

David Lutterkort lutter at redhat.com
Fri Jun 5 17:37:15 UTC 2009


Hi David,

On Fri, 2009-06-05 at 12:22 +0100, David Robinson wrote:
> I'm trying to use augeas to setup pam_tally, but have run into a few problems.
> 
> I'm doing this (there are 14 entries in the file, 15 adds a new one):
> 
> set /files/etc/pam.d/system-auth/15/type auth
> set /files/etc/pam.d/system-auth/15/control required
> set /files/etc/pam.d/system-auth/15/module pam_tally.so
> set /files/etc/pam.d/system-auth/15/argument[1] onerr=fail
> set /files/etc/pam.d/system-auth/15/argument[2] deny=6
> set /files/etc/pam.d/system-auth/15/argument[3] unlock_time=300
> save
> 
> Which gives:
> 
> --- system-auth.augsave	2009-05-20 13:49:53.000000000 +0000
> +++ system-auth	2009-06-05 11:15:45.000000000 +0000
> @@ -18,3 +18,4 @@
>  session     required      pam_limits.so
>  session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
>  session     required      pam_unix.so
> +auth	required	pam_tally.so	onerr=fail	deny=6	unlock_time=300
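Review bot: the appended line is tab-separated (`auth<TAB>required<TAB>pam_tally.so<TAB>onerr=fail ...`) while every existing line in the hunk uses space-aligned columns; PAM does not care, but a file that gets read by hand during an incident is easier to scan when the layout is consistent, so normalize the separators after writing the line. The position after the session stack is only cosmetic: PAM groups entries by type, so this is still an auth entry, but it becomes the last one in the auth stack, and it is the order relative to the other auth lines, not to the session lines, that determines behaviour.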
> 
> But I want the line to appear with all the other auth stuff, eg:
> 
> --- system-auth.augsave	2009-05-20 13:49:53.000000000 +0000
> +++ system-auth.correct	2009-06-05 11:32:55.000000000 +0000
> @@ -5,6 +5,7 @@
>  auth        sufficient    pam_unix.so nullok try_first_pass
>  auth        requisite     pam_succeed_if.so uid >= 500 quiet
>  auth        required      pam_deny.so
> +auth        required      pam_tally.so onerr=fail deny=6 unlock_time=300
> 
>  account     required      pam_unix.so
>  account     sufficient    pam_succeed_if.so uid < 500 quiet
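Review bot: inserting pam_tally.so below `auth sufficient pam_unix.so nullok try_first_pass` means that on a correct password the auth stack stops at pam_unix.so and pam_tally.so never runs, so the deny=6 threshold is only checked on failed attempts: an account that is already over the limit still authenticates with the right password. Put the line at the top of the auth stack, above pam_unix.so, so the tally check and increment happen on every attempt, and add a matching `account required pam_tally.so` entry so a successful login resets the counter. Note also that `auth requisite pam_succeed_if.so uid >= 500 quiet` aborts the stack for uid < 500 before pam_tally.so is reached, so failed attempts against those accounts are never counted in this placement either.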
> 
> How can I insert a line into the middle of a file, and how can I find
> where in the file it should be inserted?

You need to explicitly insert a node using 'ins' (aug_insert in the C
API) - 'set' creates nodes that don't exist yet as a convenience, but
always puts them at the end.

To insert a new node after the last existing 'auth' line, you'd write

        defvar t /files/etc/pam.d/system-auth   # Just a convenience, works only in 0.5.0
        ins 01 after $t/*[type='auth'][last()]
        set $t/01/type auth
        set $t/01/control required
        ...
        save
        
When the tree contains numbered nodes (like it does
underneath /files/etc/pam.d/system-auth), it is best to use a label that
starts with a '0' for new nodes, since you can be sure that that will
never be produced when the file is read in. Augeas treats these labels
as strings, and their numeric value doesn't matter - the order in which
they get written to the file is the order in which they appear in the
tree, not their numeric order.

David
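The `ins` approach from the reply, as an added worked example that is not part of the thread and not Augeas project code: a small POSIX shell script drives augtool non-interactively against a scratch copy of system-auth (constructed here, modelled on the one in the thread) under `--root`, so the real /etc/pam.d is never touched. It assumes augtool (Augeas 0.5.0 or later, for `defvar`) is on PATH. Beyond what the thread asks for, it also offers a second placement, before the first auth line, which is where pam_tally.so must sit if the lockout check is to run on correct-password attempts as well; the helper names (`make_fixture`, `add_pam_tally`, `tally_line`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Augeas itself: drive augtool
# non-interactively to insert a pam_tally.so record into the auth stack of
# system-auth with 'ins', so the new record lands among the other auth
# lines rather than at the end of the file. Assumes augtool (Augeas 0.5.0
# or later, for defvar) is on PATH. Everything runs under a scratch root
# (--root) so the real /etc/pam.d is never touched.
set -eu

# Write a constructed system-auth (modelled on the one in the thread)
# under ROOT/etc/pam.d so augtool sees it at /files/etc/pam.d/system-auth.
make_fixture() {
    root=$1
    mkdir -p "$root/etc/pam.d"
    cat > "$root/etc/pam.d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
EOF
}

# add_pam_tally ROOT PLACEMENT
#   after-last-auth : what the thread asks for, after the last auth line
#   first-auth      : before the first auth line, i.e. above the
#                     'sufficient' pam_unix.so, so the lockout check also
#                     runs when the password is correct
# The new record gets label 01: records read from the file are numbered
# 1, 2, ..., so a label starting with 0 can never clash with one of them.
add_pam_tally() {
    root=$1
    case $2 in
        after-last-auth) where="after \$t/*[type='auth'][last()]" ;;
        first-auth)      where="before \$t/*[type='auth'][1]" ;;
        *) echo "unknown placement: $2" >&2; return 2 ;;
    esac
    # Unquoted heredoc: $where expands here, \$t is passed through to augtool.
    augtool --root "$root" <<EOF
defvar t /files/etc/pam.d/system-auth
ins 01 $where
set \$t/01/type auth
set \$t/01/control required
set \$t/01/module pam_tally.so
set \$t/01/argument[1] onerr=fail
set \$t/01/argument[2] deny=6
set \$t/01/argument[3] unlock_time=300
save
EOF
}

# 1-based line numbers of the two records whose relative order decides
# whether the lockout check is reachable on a successful password,
# plus the file's line count (the edit must add exactly one line).
tally_line()     { grep -n 'pam_tally.so' "$1/etc/pam.d/system-auth" | cut -d: -f1; }
unix_auth_line() { grep -n '^auth.*pam_unix.so' "$1/etc/pam.d/system-auth" | cut -d: -f1; }
file_lines()     { wc -l < "$1/etc/pam.d/system-auth" | tr -d ' '; }

# Stand-alone demo: show the resulting auth stack for the safer placement.
if command -v augtool >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_fixture "$work"
    add_pam_tally "$work" first-auth
    grep -n '^auth' "$work/etc/pam.d/system-auth"
    rm -rf "$work"
fi
```

With `after-last-auth` the new record is written between `auth required pam_deny.so` and the blank line that follows it (line 6 of the fixture); with `first-auth` it becomes line 2, directly under the `#%PAM-1.0` comment. Unchanged records keep their original spacing, while the new one is written with the lens's default tab separators, exactly as in the diff from the original question.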




