authorintrigeri <intrigeri@boum.org>2011-02-26 00:01:16 +0100
committerintrigeri <intrigeri@boum.org>2011-02-26 00:05:23 +0100
commit1138f154f9cb0985076159dec34546eb9f677017 (patch)
tree6d09fd1d167a6d043ca8c7035642ceefefbb7523
parentf35c84dc309a09ed60b56d37a206c7c59ab6f354 (diff)
Chmod /var/run/utmp 640 instead of removing it.
Quoting utmp(5): "Unlike various other systems, where utmp logging can be disabled by removing the file, utmp must always exist on Linux." Moreover, removing this file breaks some of Puppet's functionality.
-rw-r--r--README14
-rw-r--r--manifests/debian.pp6
-rw-r--r--manifests/init.pp2
-rw-r--r--manifests/utmp/disable.pp6
-rw-r--r--manifests/utmp/enable.pp8
-rw-r--r--manifests/utmp/protect.pp5
-rw-r--r--manifests/utmp/unprotect.pp8
7 files changed, 27 insertions, 22 deletions
diff --git a/README b/README
index 777aae7..32b8678 100644
--- a/README
+++ b/README
@@ -20,15 +20,21 @@ You can set the following parameters for the loginrecords class.
If you just include the class loginrecords this will disable all
loginlogs.
-$disable_btmp, $disable_utmp, $disable_wtmp
--------------------------------------------
+$disable_btmp, $disable_wtmp
+----------------------------
-Default: /var/log/btmp, /var/run/utmp and /var/log/wtmp are ensured to
-be absent.
+Default: /var/log/btmp and /var/log/wtmp are ensured to be absent.
These variables, when set to a false, non-empty value, have these
files created and their logging enabled again.
+$protect_utmp
+-------------
+
+Default: /var/run/utmp is ensured to be present, but chmod'ed 660.
+When set to a false, non-empty value, /var/run/utmp is ensured to be
+present, and chmod'ed 664.
+
$disable_faillog
----------------
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 12ec571..02c2dad 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -18,10 +18,10 @@ class loginrecords::debian inherits loginrecords::base {
class{'loginrecords::lastlog::enable': }
}
- if $loginrecords::disable_utmp {
- class{'loginrecords::utmp::disable': }
+ if $loginrecords::protect_utmp {
+ class{'loginrecords::utmp::protect': }
} else {
- class{'loginrecords::utmp::enable': }
+ class{'loginrecords::utmp::unprotect': }
}
if $loginrecords::disable_wtmp {
diff --git a/manifests/init.pp b/manifests/init.pp
index 9c0a880..446819b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,7 +2,7 @@ class loginrecords(
$disable_btmp = true,
$disable_faillog = true,
$disable_lastlog = true,
- $disable_utmp = true,
+ $protect_utmp = true,
$disable_wtmp = true
){
# Include main class
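Review bot: Replacing `$disable_utmp` with `$protect_utmp` in the class signature leaves no transition path, so a declaration that still passes `disable_utmp => ...` will fail catalog compilation on an unknown parameter. The meaning also shifts: the removed `loginrecords::utmp::enable` class set mode 660 for the non-disabled case, while `protect_utmp => false` now yields 664, so anyone who had opted out gets a world-readable utmp after upgrading. A comment above the parameter would make this explicit, for example `# protect_utmp: true => /var/run/utmp mode 660, false => 664 (replaces disable_utmp)`. The class body continues outside the hunk.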
diff --git a/manifests/utmp/disable.pp b/manifests/utmp/disable.pp
deleted file mode 100644
index d01d44b..0000000
--- a/manifests/utmp/disable.pp
+++ /dev/null
@@ -1,6 +0,0 @@
-class loginrecords::utmp::disable inherits loginrecords::utmp::enable {
- File[$utmp_file]{
- ensure => 'absent',
- backup => false,
- }
-}
diff --git a/manifests/utmp/enable.pp b/manifests/utmp/enable.pp
deleted file mode 100644
index 1003182..0000000
--- a/manifests/utmp/enable.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-class loginrecords::utmp::enable(
- $utmp_file = '/var/run/utmp'
-){
- file{$utmp_file:
- ensure => 'present',
- owner => 'root', group => 'utmp', mode => 660;
- }
-}
diff --git a/manifests/utmp/protect.pp b/manifests/utmp/protect.pp
new file mode 100644
index 0000000..166df5e
--- /dev/null
+++ b/manifests/utmp/protect.pp
@@ -0,0 +1,5 @@
+class loginrecords::utmp::protect inherits loginrecords::utmp::unprotect {
+ File[$utmp_file]{
+ mode => 660,
+ }
+}
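Review bot: The override `mode => 660` does not match the commit subject, which says 640. With 660 the utmp group keeps write access and only world read is dropped, which is the same mode the removed `enable` class already applied. The README text in this commit also says 660, so the subject is probably the typo, but if 640 was the intent the line should read `mode => '0640',`. Separately, the bare integers here and in `unprotect.pp` (`mode => 664`) are better written as quoted four-digit strings such as `'0660'` and `'0664'`, because newer Puppet releases reject non-string file modes.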
diff --git a/manifests/utmp/unprotect.pp b/manifests/utmp/unprotect.pp
new file mode 100644
index 0000000..9da7517
--- /dev/null
+++ b/manifests/utmp/unprotect.pp
@@ -0,0 +1,8 @@
+class loginrecords::utmp::unprotect(
+ $utmp_file = '/var/run/utmp'
+){
+ file{$utmp_file:
+ ensure => 'present',
+ owner => 'root', group => 'utmp', mode => 664;
+ }
+}