From 1138f154f9cb0985076159dec34546eb9f677017 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sat, 26 Feb 2011 00:01:16 +0100
Subject: Chmod /var/run/utmp 640 instead of removing it.
Quoting utmp(5): "Unlike various other systems, where utmp logging can be disabled by removing the file, utmp must always exist on Linux." Moreover, removing this file breaks some of Puppet's functionality.
---
 README | 14 ++++++++++----
 manifests/debian.pp | 6 +++---
 manifests/init.pp | 2 +-
 manifests/utmp/disable.pp | 6 ------
 manifests/utmp/enable.pp | 8 --------
 manifests/utmp/protect.pp | 5 +++++
 manifests/utmp/unprotect.pp | 8 ++++++++
 7 files changed, 27 insertions(+), 22 deletions(-)
 delete mode 100644 manifests/utmp/disable.pp
 delete mode 100644 manifests/utmp/enable.pp
 create mode 100644 manifests/utmp/protect.pp
 create mode 100644 manifests/utmp/unprotect.pp
diff --git a/README b/README
index 777aae7..32b8678 100644
--- a/README
+++ b/README
@@ -20,15 +20,21 @@ You can set the following parameters for the loginrecords class. If you just include the class loginrecords this will disable all loginlogs.
-$disable_btmp, $disable_utmp, $disable_wtmp
--------------------------------------------
+$disable_btmp, $disable_wtmp
+----------------------------
-Default: /var/log/btmp, /var/run/utmp and /var/log/wtmp are ensured to
-be absent.
+Default: /var/log/btmp and /var/log/wtmp are ensured to be absent.
 These variables, when set to a false, non-empty value, have these files created and their logging enabled again.
+$protect_utmp
+-------------
+
+Default: /var/run/utmp is ensured to be present, but chmod'ed 660.
+When set to a false, non-empty value, /var/run/utmp is ensured to be
+present, and chmod'ed 664.
+
 $disable_faillog
 ----------------
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 12ec571..02c2dad 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -18,10 +18,10 @@ class loginrecords::debian inherits loginrecords::base {
 class{'loginrecords::lastlog::enable': }
 }
- if $loginrecords::disable_utmp {
- class{'loginrecords::utmp::disable': }
+ if $loginrecords::protect_utmp {
+ class{'loginrecords::utmp::protect': }
 } else {
- class{'loginrecords::utmp::enable': }
+ class{'loginrecords::utmp::unprotect': }
 }
 if $loginrecords::disable_wtmp {
diff --git a/manifests/init.pp b/manifests/init.pp
index 9c0a880..446819b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,7 +2,7 @@ class loginrecords(
 $disable_btmp = true,
 $disable_faillog = true,
 $disable_lastlog = true,
- $disable_utmp = true,
+ $protect_utmp = true,
 $disable_wtmp = true
 ){
 # Include main class
diff --git a/manifests/utmp/disable.pp b/manifests/utmp/disable.pp
deleted file mode 100644
index d01d44b..0000000
--- a/manifests/utmp/disable.pp
+++ /dev/null
@@ -1,6 +0,0 @@
-class loginrecords::utmp::disable inherits loginrecords::utmp::enable {
- File[$utmp_file]{
- ensure => 'absent',
- backup => false,
- }
-}
diff --git a/manifests/utmp/enable.pp b/manifests/utmp/enable.pp
deleted file mode 100644
index 1003182..0000000
--- a/manifests/utmp/enable.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-class loginrecords::utmp::enable(
- $utmp_file = '/var/run/utmp'
-){
- file{$utmp_file:
- ensure => 'present',
- owner => 'root', group => 'utmp', mode => 660;
- }
-}
diff --git a/manifests/utmp/protect.pp b/manifests/utmp/protect.pp
new file mode 100644
index 0000000..166df5e
--- /dev/null
+++ b/manifests/utmp/protect.pp
@@ -0,0 +1,5 @@
+class loginrecords::utmp::protect inherits loginrecords::utmp::unprotect {
+ File[$utmp_file]{
+ mode => 660,
+ }
+}
diff --git a/manifests/utmp/unprotect.pp b/manifests/utmp/unprotect.pp
new file mode 100644
index 0000000..9da7517
--- /dev/null
+++ b/manifests/utmp/unprotect.pp
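Review bot: Renaming the class parameter from `$disable_utmp` to `$protect_utmp` in the manifests/init.pp hunk drops the old name without any transition, so a node that still declares the class with `disable_utmp => ...` will presumably fail catalog compilation on an unknown parameter after upgrading. The meaning changes as well, from removing the file to restricting its mode, which deserves a comment next to the parameter, for example `# $protect_utmp: keep /var/run/utmp but remove world read access (default: true)`. The manifests/debian.pp hunk switches on the new name only, so it offers no fallback either. The class body continues outside the init.pp hunk.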
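Review bot: The mode applied in manifests/utmp/protect.pp is `660`, while the commit subject says 640; the README hunk also documents 660, so the subject line and the manifest disagree on how restrictive the protected state is. With 660 and the inherited `owner => 'root', group => 'utmp'`, members of group utmp keep write access to the session records and only world read is removed; if that is the intent, a class comment such as `# Restricts /var/run/utmp to root:utmp with no world access; the file must keep existing, see utmp(5)` would record it. The mode is also written as a bare number here and as `664` in manifests/utmp/unprotect.pp; a quoted octal string, `mode => '0660',`, avoids any numeric interpretation and is the form later Puppet releases require.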
@@ -0,0 +1,8 @@
+class loginrecords::utmp::unprotect(
+ $utmp_file = '/var/run/utmp'
+){
+ file{$utmp_file:
+ ensure => 'present',
+ owner => 'root', group => 'utmp', mode => 664;
+ }
+}
-- cgit v1.2.3
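Review bot: manifests/utmp/unprotect.pp has no comment saying that it is both the base class which `loginrecords::utmp::protect` overrides and the state in which the login session records are world-readable (`mode => 664`). A header such as `# Manages /var/run/utmp as root:utmp 664 (world-readable session records); loginrecords::utmp::protect inherits this class and tightens the mode` would make that trade-off visible to whoever sets `$protect_utmp` to false. Without it, the class name alone does not tell a reader which permissions they are choosing.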