[augeas-devel] adding pam_tally to system-auth
David Lutterkort
lutter at redhat.com
Fri Jun 5 17:37:15 UTC 2009
Hi David,

On Fri, 2009-06-05 at 12:22 +0100, David Robinson wrote:
> I'm trying to use augeas to set up pam_tally, but have run into a few problems.
>
> I'm doing this (there's 14 entries in the file, 15 adds a new one):
>
> set /files/etc/pam.d/system-auth/15/type auth
> set /files/etc/pam.d/system-auth/15/control required
> set /files/etc/pam.d/system-auth/15/module pam_tally.so
> set /files/etc/pam.d/system-auth/15/argument[1] onerr=fail
> set /files/etc/pam.d/system-auth/15/argument[2] deny=6
> set /files/etc/pam.d/system-auth/15/argument[3] unlock_time=300
> save
>
> Which gives:
>
> --- system-auth.augsave 2009-05-20 13:49:53.000000000 +0000
> +++ system-auth 2009-06-05 11:15:45.000000000 +0000
> @@ -18,3 +18,4 @@
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session required pam_unix.so
> +auth required pam_tally.so onerr=fail deny=6 unlock_time=300
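Review bot: the added auth line at the end of this hunk lands below the session entries, so the auth stack is no longer contiguous in the file and is harder to audit. PAM builds one stack per type in file order, so this line still runs as the last auth entry; moving it up beside the other auth lines changes readability only, unless it is also moved ahead of an existing auth entry.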
>
> But I want the line to appear with all the other auth stuff, e.g.:
>
> --- system-auth.augsave 2009-05-20 13:49:53.000000000 +0000
> +++ system-auth.correct 2009-06-05 11:32:55.000000000 +0000
> @@ -5,6 +5,7 @@
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
> +auth required pam_tally.so onerr=fail deny=6 unlock_time=300
>
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 500 quiet
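Review bot: the new pam_tally.so line in this hunk comes after 'auth sufficient pam_unix.so', so a correct password ends the auth stack at pam_unix.so (provided no earlier required module has failed) before pam_tally.so is consulted, and deny=6 would not block a login that supplies the right password. Consider placing the pam_tally.so line ahead of pam_unix.so, and check whether the account section carries a matching pam_tally.so entry, which the visible lines do not show.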
>
> How can I insert a line into the middle of a file, and how can I find
> where in the file it should be inserted?

You need to explicitly insert a node using 'ins' (aug_insert in the C
API) - 'set' creates nodes that don't exist yet as a convenience, but
always puts them at the end.

To insert a new node after the last existing 'auth' line, you'd write

    defvar t /files/etc/pam.d/system-auth # Just a convenience, works only in 0.5.0
    ins 01 after $t/*[type='auth'][last()]
    set $t/01/type auth
    set $t/01/control required
    ...
    save

When the tree contains numbered nodes (like it does
underneath /files/etc/pam.d/system-auth), it is best to use a label that
starts with a '0' for new nodes, since you can be sure that that will
never be produced when the file is read in. Augeas treats these labels
as strings, and their numeric value doesn't matter - the order in which
they get written to the file is the order in which they appear in the
tree, not their numeric order.

David
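
The difference between 'set' and 'ins' described in the reply above, as an added example that is not part of the original message and does not use Augeas: a plain-Python model of the numbered-node tree, run on constructed sample input. The function names, the SAMPLE text and the list-of-nodes representation are assumptions for illustration; it also skips the insert when pam_tally.so is already present, so a second run does not add a duplicate line.

```python
import re

# Constructed sample: the three auth lines quoted in the thread plus two other entries.
SAMPLE = """\
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
session required pam_unix.so
"""
TALLY = {"type": "auth", "control": "required", "module": "pam_tally.so",
         "argument": ["onerr=fail", "deny=6", "unlock_time=300"]}
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")  # control may be [a=b c=d]

def load(text):
    """Parse PAM entries into an ordered list of [label, fields]; labels are '1', '2', ..."""
    tree = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            t, c, mod, args = m.groups()
            tree.append([str(len(tree) + 1),
                         {"type": t, "control": c, "module": mod, "argument": args.split()}])
    return tree

def set_node(tree, label, fields):
    """Model of 'set': update the labelled node, or create it at the END of the tree."""
    for node in tree:
        if node[0] == label:
            node[1].update(fields)
            return
    tree.append([label, dict(fields)])

def ins_after_last(tree, label, type_):
    """Model of "ins LABEL after $t/*[type='TYPE'][last()]": empty node at that position."""
    hits = [i for i, (_, f) in enumerate(tree) if f.get("type") == type_]
    if not hits:
        raise LookupError(f"no {type_!r} entry to insert after")
    tree.insert(hits[-1] + 1, [label, {}])

def render(tree):
    """Write entries in tree order; labels are strings and are never sorted."""
    return "".join(" ".join([f["type"], f["control"], f["module"], *f["argument"]]) + "\n"
                   for _, f in tree)

def add_tally(text, use_ins=True):
    tree = load(text)
    if any(f["module"] == "pam_tally.so" for _, f in tree):
        return render(tree)  # already present: do not add a second copy
    if use_ins:
        ins_after_last(tree, "01", "auth")          # position first ...
        set_node(tree, "01", TALLY)                 # ... then fill in the node
    else:
        set_node(tree, str(len(tree) + 1), TALLY)   # 'set' alone appends at the end
    return render(tree)
```

add_tally(SAMPLE) places the new line directly after pam_deny.so, while add_tally(SAMPLE, use_ins=False) reproduces the end-of-file result from the original question.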