[augeas-devel] Help matching a PAM config line

Raphaël Pinson raphael.pinson at camptocamp.com
Mon Oct 28 08:24:29 UTC 2013 

Hi Tim,


`ins` only works with a nodeset containing one (and only one) node. While
Jared's idea would work theorically, it results in an error. If you were
coding using the Augeas API, you could catch this error and ignore it, but
since yo'ure using the `augeas` Puppet type, it causes Puppet to fail.

If you want to keep using the `augeas` Puppet type, you will need to use
the `onlyif` statement to achieve your goal.

Otherwise, I would recommend making a PAM type/provider (I think someone
was working on one already, Greg Swift perhaps?), using the augeasproviders
library, as this will allow you to interact with the Augeas library on the
Puppet agent side.


Cheers,

Raphaël



On Mon, Oct 28, 2013 at 12:29 AM, Tim Bishop <tim-lists at bishnet.net> wrote:

> Hi Jared,
>
> Thanks for your help, and for the pointer to the wiki page. That's
> useful reading.
>
> I've given what you suggest a go but it didn't work. I get the following
> error from Puppet:
>
> Debug: Augeas[disableupdates-login](provider=augeas): sending command
> 'ins' with params ["argument", "after", "/files/etc/pam.d/login/*[module =
> 'pam_motd.so' and count(argument[. = 'noupdate']) = 0]/argument[last()]"]
>
> Error:
> /Stage[main]/Motd/Motd::Motd::Disableupdates[login]/Augeas[disableupdates-login]:
> Could not evaluate: Error sending command 'ins' with params ["argument",
> "after", "/files/etc/pam.d/login/*[module = 'pam_motd.so' and
> count(argument[. = 'noupdate']) = 0]/argument[last()]"]/Error sending
> command 'ins' with params ["argument", "after",
> "/files/etc/pam.d/login/*[module = 'pam_motd.so' and count(argument[. =
> 'noupdate']) = 0]/argument[last()]"]
>
> Sadly it's not (to my eye) a particularly helpful error message.
>
> It did give me some ideas though, and I ended up with the code below.
> This works, but it doesn't feel quite right. It only matches one at a
> time, so takes multiple passes to do the job.
>
>     $criterion = "*[module = 'pam_motd.so' and count(argument[. =
> 'noupdate']) = 0][last()]"
>     augeas { "disableupdates-$name":
>       context => "/files/etc/pam.d/$name",
>       changes => [
>         "ins argument after ${criterion}/module",
>         "set ${criterion}/argument 'noupdate'",
>       ],
>       onlyif  => "match *[module = 'pam_motd.so' and count(argument[. =
> 'noupdate']) = 0] size != 0",
>       notify  => Exec['pam-auth-update'],
>     }
>
> So it specifically looks for the last one with noupdate and adds
> noupdate. If there's more than one it'll find them next time.
>
> Any thoughts?
>
> Thanks,
> Tim.
>
> On Fri, Oct 25, 2013 at 11:22:04AM -0500, Jennings, Jared L CTR USAF AFMC
> 96 SK/CCI wrote:
> > According to
> > https://github.com/hercules-team/augeas/wiki/Path-expressions (Tips &
> > Tricks section), """
> >   /files/etc/fstab/*[count(opt[. = "noexec"]) = 0]
> > finds all entries in /etc/fstab that do not have a noexec option."""
> >
> > This seems to be parallel to your case. So:
> > # match all pam_motd lines lacking a noupdate argument
> > $criterion = "*[module = 'pam_motd.so' and count(argument[. =
> > 'noupdate']) = 0]"
> > augeas { "disableupdates-$name":
> >   context => "/files/etc/pam.d/$name",
> >   changes => [
> >     "ins argument after ${criterion}/argument[last()]",
> >     # now the last argument is the one just inserted
> >     "set ${criterion}/argument[last()] noupdate",
> >   ],
> >   notify => Exec['pam-auth-update'],
> > }
> >
> > To arrive at this without reconfiguring my system, I wrote /tmp/pambla
> > with these lines:
> > session optional pam_motd.so motd=/run/motd.dynamic noupdate
> > session optional pam_motd.so flarble # [1]
> > session optional pam_motd.so zort # [2]
> >
> > (I wanted to be sure of what would happen if there happened to be other
> > arguments on a pam_motd line, but no noupdate; and of what would happen
> > if there were multiple pam_motd lines lacking a noupdate argument. These
> > two cases may not happen in the real world, but I've screwed up a lot of
> > config files before by not thinking about enough possibilities.)
> >
> > Then I ran augtool and
> > set /augeas/load/Pam/incl[last()+1] /tmp/pambla
> > load
> > print /files/tmp/pambla
> >
> > (Playing about with the lens includes like this may be obvious to
> > everybody else, but I discovered it just now.)
> >
> > If there were other arguments on the line lacking noupdate, set
> > *[...]/argument noupdate, as below, could set all of those arguments to
> > noupdate, which is likely not desirable; the above code would merely
> > insert another argument. In the case of multiple lines matching the
> > criterion, it seems with the above code the last matching line will get
> > a noupdate argument, and next time that line, having a noupdate, will
> > not match the criterion, so another line will be fixed. So this wouldn't
> > fix everything in one pass in that case.
> >
> > I tried just set *[...]/argument[last()+1] noupdate, but this put an
> > argument after a #comment in the tree, and then it would not save
> > properly. So the ins followed by set appeared necessary.
> >
> > -----Original Message-----
> > From: augeas-devel-bounces at redhat.com
> > [mailto:augeas-devel-bounces at redhat.com] On Behalf Of Tim Bishop
> > Sent: Wednesday, October 23, 2013 4:39 PM
> > To: augeas-devel at redhat.com
> > Subject: [augeas-devel] Help matching a PAM config line
> >
> > Hi,
> >
> > I'd like to ask for some Augeas help. I'm trying to match a specific PAM
> > config line so I can append something to it. The relevant lines are:
> >
> > session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
> > session    optional     pam_motd.so # [1]
> >
> > What I want to do is add "noupdate" to second line.
> >
> > I've done something similar previously using Puppet with this block:
> >
> >   augeas { "disableupdates-$name":
> >     context => "/files/etc/pam.d/$name",
> >     changes => [
> >       "ins argument after *[module = 'pam_motd.so']/module",
> >       "set *[module = 'pam_motd.so']/argument 'noupdate'",
> >     ],
> >     onlyif  => "match *[module = 'pam_motd.so' and argument='noupdate']
> > size == 0",
> >     notify  => Exec['pam-auth-update'],
> >   }
> >
> > But at the time the PAM config only contained this line:
> >
> > session    optional     pam_motd.so # [1]
> >
> > This no longer works because my onlyif statement matches on the new line
> > before it.
> >
> > So I'd like some help to modify the above code to only match and modify
> > the second line. Or maybe there's another way that I've not thought of?
> >
> > Thank you in advance,
> >
> > Tim.
> >
> > --
> > Tim Bishop
> > http://www.bishnet.net/tim/
> > PGP Key: 0x6C226B37FDF38D55
> >
> > _______________________________________________
> > augeas-devel mailing list
> > augeas-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/augeas-devel
> >
> > _______________________________________________
> > augeas-devel mailing list
> > augeas-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/augeas-devel
>
>
> Tim.
>
> --
> Tim Bishop
> http://www.bishnet.net/tim/
> PGP Key: 0x6C226B37FDF38D55
>
> _______________________________________________
> augeas-devel mailing list
> augeas-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/augeas-devel
>



-- 
Raphaël Pinson
Infrastructure Developer & Trainer
+33 479 26 57 93
+33 781 90 00 79

Camptocamp France
Savoie Technolac
BP 352
48, avenue du Lac du Bourget
73372 Le Bourget du Lac, Cedex
www.camptocamp.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/augeas-devel/attachments/20131028/565d29c9/attachment.htm>

More information about the augeas-devel mailing list