From 1138f154f9cb0985076159dec34546eb9f677017 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 26 Feb 2011 00:01:16 +0100 Subject: Chmod /var/run/utmp 640 instead of removing it. Quoting utmp(5): "Unlike various other systems, where utmp logging can be disabled by removing the file, utmp must always exist on Linux." Moreover, removing this file breaks some of Puppet's functionality. --- README | 14 ++++++++++---- manifests/debian.pp | 6 +++--- manifests/init.pp | 2 +- manifests/utmp/disable.pp | 6 ------ manifests/utmp/enable.pp | 8 -------- manifests/utmp/protect.pp | 5 +++++ manifests/utmp/unprotect.pp | 8 ++++++++ 7 files changed, 27 insertions(+), 22 deletions(-) delete mode 100644 manifests/utmp/disable.pp delete mode 100644 manifests/utmp/enable.pp create mode 100644 manifests/utmp/protect.pp create mode 100644 manifests/utmp/unprotect.pp diff --git a/README b/README index 777aae7..32b8678 100644 --- a/README +++ b/README @@ -20,15 +20,21 @@ You can set the following parameters for the loginrecords class. If you just include the class loginrecords this will disable all loginlogs. -$disable_btmp, $disable_utmp, $disable_wtmp -------------------------------------------- +$disable_btmp, $disable_wtmp +---------------------------- -Default: /var/log/btmp, /var/run/utmp and /var/log/wtmp are ensured to -be absent. +Default: /var/log/btmp and /var/log/wtmp are ensured to be absent. These variables, when set to a false, non-empty value, have these files created and their logging enabled again. +$protect_utmp +------------- + +Default: /var/run/utmp is ensured to be present, but chmod'ed 660. +When set to a false, non-empty value, /var/run/utmp is ensured to be +present, and chmod'ed 664. + $disable_faillog ---------------- diff --git a/manifests/debian.pp b/manifests/debian.pp index 12ec571..02c2dad 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp 
@@ -18,10 +18,10 @@ class loginrecords::debian inherits loginrecords::base { class{'loginrecords::lastlog::enable': } } - if $loginrecords::disable_utmp { - class{'loginrecords::utmp::disable': } + if $loginrecords::protect_utmp { + class{'loginrecords::utmp::protect': } } else { - class{'loginrecords::utmp::enable': } + class{'loginrecords::utmp::unprotect': } } if $loginrecords::disable_wtmp { diff --git a/manifests/init.pp b/manifests/init.pp index 9c0a880..446819b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -2,7 +2,7 @@ class loginrecords( $disable_btmp = true, $disable_faillog = true, $disable_lastlog = true, - $disable_utmp = true, + $protect_utmp = true, $disable_wtmp = true ){ # Include main class diff --git a/manifests/utmp/disable.pp b/manifests/utmp/disable.pp deleted file mode 100644 index d01d44b..0000000 --- a/manifests/utmp/disable.pp +++ /dev/null @@ -1,6 +0,0 @@ -class loginrecords::utmp::disable inherits loginrecords::utmp::enable { - File[$utmp_file]{ - ensure => 'absent', - backup => false, - } -} diff --git a/manifests/utmp/enable.pp b/manifests/utmp/enable.pp deleted file mode 100644 index 1003182..0000000 --- a/manifests/utmp/enable.pp +++ /dev/null @@ -1,8 +0,0 @@ -class loginrecords::utmp::enable( - $utmp_file = '/var/run/utmp' -){ - file{$utmp_file: - ensure => 'present', - owner => 'root', group => 'utmp', mode => 660; - } -} diff --git a/manifests/utmp/protect.pp b/manifests/utmp/protect.pp new file mode 100644 index 0000000..166df5e --- /dev/null +++ b/manifests/utmp/protect.pp @@ -0,0 +1,5 @@ +class loginrecords::utmp::protect inherits loginrecords::utmp::unprotect { + File[$utmp_file]{ + mode => 660, + } +} diff --git a/manifests/utmp/unprotect.pp b/manifests/utmp/unprotect.pp new file mode 100644 index 0000000..9da7517 --- /dev/null +++ b/manifests/utmp/unprotect.pp 
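Review bot: The commit subject says /var/run/utmp is chmod'ed 640, but protect.pp sets `mode => 660` and the README text in this patch also documents 660, so the message and the code disagree. 660 keeps group `utmp` writable, which setgid-utmp session writers presumably depend on, so 660 looks like the intended value and the subject is what should be corrected; if 640 was really meant, expect those writers to fail. Independently, Puppet file modes should be written as quoted four-digit octal strings, `mode => '0660',` — a bare integer is ambiguous and is rejected as a mode by later Puppet releases. The protect.pp override also relies on `$utmp_file` being inherited from unprotect.pp, whose body begins on the next line of this patch.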
@@ -0,0 +1,8 @@ +class loginrecords::utmp::unprotect( + $utmp_file = '/var/run/utmp' +){ + file{$utmp_file: + ensure => 'present', + owner => 'root', group => 'utmp', mode => 664; + } +} -- cgit v1.2.3 From f14a6d81d58e3e36fb7fef593086aab6e576dfa1 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 26 Feb 2011 00:19:22 +0100 Subject: New feature: mount a ramdisk on /var/run. This helps protecting users privacy since /var/run/utmp cannot be deleted. --- README | 12 ++++++++++++ manifests/debian.pp | 6 ++++++ manifests/init.pp | 3 ++- manifests/ramrun/disable.pp | 7 +++++++ manifests/ramrun/enable.pp | 8 ++++++++ 5 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 manifests/ramrun/disable.pp create mode 100644 manifests/ramrun/enable.pp diff --git a/README b/README index 32b8678..68cf39b 100644 --- a/README +++ b/README @@ -47,6 +47,18 @@ $disable_lastlog Default: lastlog is disabled. When set to a false, non-empty value, lastlog is not changed. +$ramdisk_on_var_run +------------------- + +Default: have the initscripts mount a ramdisk on /var/run. +When set to a false, non-empty value, the mounting of a ramdisk on +/var/run is disabled. + +Please note that the changes only take effect on reboot. When enabling +this feature, you probably want to get rid of any file previously +stored on the files (such as utmp) stored in the non-ramdisk +underlying /var/run directory. + Copyright ========= diff --git a/manifests/debian.pp b/manifests/debian.pp index 02c2dad..e68185b 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -30,4 +30,10 @@ class loginrecords::debian inherits loginrecords::base { class{'loginrecords::wtmp::enable': } } + if $loginrecords::ramdisk_on_var_run { + class{'loginrecords::ramrun::enable': } + } else { + class{'loginrecords::ramrun::disable': } + } + } diff --git a/manifests/init.pp b/manifests/init.pp index 446819b..0bc7a22 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
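Review bot: `mode => 664` in unprotect.pp is an unquoted integer; the same quoted octal form used elsewhere in Puppet modules is safer, `mode => '0664',`, since later Puppet releases require a string mode and a leading zero makes the octal intent explicit. Note that 664 leaves /var/run/utmp world-readable, so any local user can enumerate active sessions and their origins; that appears to be the documented "unprotect" semantics (the README in this patch describes 664), but it would be worth stating in the class header that this is the relaxed, distribution-style permission rather than a hardening step, e.g. `# Restore the conventional world-readable utmp (root:utmp 0664); see loginrecords::utmp::protect for the restricted mode.`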
@@ -3,7 +3,8 @@ class loginrecords( $disable_faillog = true, $disable_lastlog = true, $protect_utmp = true, - $disable_wtmp = true + $disable_wtmp = true, + $ramdisk_on_var_run = true ){ # Include main class case $kernel { diff --git a/manifests/ramrun/disable.pp b/manifests/ramrun/disable.pp new file mode 100644 index 0000000..304d234 --- /dev/null +++ b/manifests/ramrun/disable.pp @@ -0,0 +1,7 @@ +class loginrecords::ramrun::disable inherits loginrecords::ramrun::enable { + + Augeas { "ramdisk-on-var-run": + changes => "set RAMRUN yes", + } + +} diff --git a/manifests/ramrun/enable.pp b/manifests/ramrun/enable.pp new file mode 100644 index 0000000..564ef06 --- /dev/null +++ b/manifests/ramrun/enable.pp @@ -0,0 +1,8 @@ +class loginrecords::ramrun::enable { + + augeas { "ramdisk-on-var-run": + context => "/files/etc/default/rcS", + changes => "set RAMRUN yes", + } + +} -- cgit v1.2.3
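Review bot: loginrecords::ramrun::disable sets `changes => "set RAMRUN yes"`, the same value ramrun::enable sets, so setting `$ramdisk_on_var_run` to a false value still turns the ramdisk on at next boot; the override should be `changes => "set RAMRUN no",`. The override is also written as `Augeas { "ramdisk-on-var-run": ... }`, which is the resource-default syntax rather than an override of the inherited resource; the rest of this module uses the `File[$utmp_file] { ... }` form, so this should read `Augeas["ramdisk-on-var-run"] { changes => "set RAMRUN no", }`, which keeps the inherited `context` and only replaces the change. Since the README says the setting only takes effect on reboot, a comment on the class noting that Puppet does not unmount or remount /var/run itself would save the next reader from expecting an immediate effect.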