From f14a6d81d58e3e36fb7fef593086aab6e576dfa1 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sat, 26 Feb 2011 00:19:22 +0100
Subject: New feature: mount a ramdisk on /var/run.
This helps protecting users privacy since /var/run/utmp cannot be deleted.
---
 README | 12 ++++++++++++
 manifests/debian.pp | 6 ++++++
 manifests/init.pp | 3 ++-
 manifests/ramrun/disable.pp | 7 +++++++
 manifests/ramrun/enable.pp | 8 ++++++++
 5 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 manifests/ramrun/disable.pp
 create mode 100644 manifests/ramrun/enable.pp
diff --git a/README b/README
index 32b8678..68cf39b 100644
--- a/README
+++ b/README
@@ -47,6 +47,18 @@ $disable_lastlog
 Default: lastlog is disabled.
 When set to a false, non-empty value, lastlog is not changed.
+$ramdisk_on_var_run
+-------------------
+
+Default: have the initscripts mount a ramdisk on /var/run.
+When set to a false, non-empty value, the mounting of a ramdisk on
+/var/run is disabled.
+
+Please note that the changes only take effect on reboot. When enabling
+this feature, you probably want to get rid of any file previously
+stored on the files (such as utmp) stored in the non-ramdisk
+underlying /var/run directory.
+
 Copyright
 =========
diff --git a/manifests/debian.pp b/manifests/debian.pp
index 02c2dad..e68185b 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -30,4 +30,10 @@ class loginrecords::debian inherits loginrecords::base {
 class{'loginrecords::wtmp::enable': }
 }
+ if $loginrecords::ramdisk_on_var_run {
+ class{'loginrecords::ramrun::enable': }
+ } else {
+ class{'loginrecords::ramrun::disable': }
+ }
+
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 446819b..0bc7a22 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,7 +3,8 @@ class loginrecords(
 $disable_faillog = true,
 $disable_lastlog = true,
 $protect_utmp = true,
- $disable_wtmp = true
+ $disable_wtmp = true,
+ $ramdisk_on_var_run = true
 ){
 # Include main class
 case $kernel {
diff --git a/manifests/ramrun/disable.pp b/manifests/ramrun/disable.pp
new file mode 100644
index 0000000..304d234
--- /dev/null
+++ b/manifests/ramrun/disable.pp
@@ -0,0 +1,7 @@
+class loginrecords::ramrun::disable inherits loginrecords::ramrun::enable {
+
+ Augeas { "ramdisk-on-var-run":
+ changes => "set RAMRUN yes",
+ }
+
+}
diff --git a/manifests/ramrun/enable.pp b/manifests/ramrun/enable.pp
new file mode 100644
index 0000000..564ef06
--- /dev/null
+++ b/manifests/ramrun/enable.pp
@@ -0,0 +1,8 @@
+class loginrecords::ramrun::enable {
+
+ augeas { "ramdisk-on-var-run":
+ context => "/files/etc/default/rcS",
+ changes => "set RAMRUN yes",
+ }
+
+}
-- 
cgit v1.2.3
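Review bot: The override in `loginrecords::ramrun::disable` writes `set RAMRUN yes`, the same value the parent `enable` class sets, so a false `$ramdisk_on_var_run` still leaves the ramdisk enabled in /etc/default/rcS. The else branch added in manifests/debian.pp selects this class, so the documented opt-out has no effect. The block also appears to use declaration syntax with a capitalised type, whereas Puppet's override form references the resource. I would write it as `Augeas["ramdisk-on-var-run"] { changes => "set RAMRUN no" }`.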
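Review bot: Nothing in `loginrecords::ramrun::enable` records that the RAMRUN setting only takes effect at the next boot, or that a utmp already written to the on-disk /var/run stays there after the change. The README added in this commit says so, but the manifest that makes the change does not, and the resource itself performs no cleanup. I would add a comment above the augeas resource: `# Takes effect at next boot; files already in the on-disk /var/run (e.g. utmp) are not removed by this class and must be cleaned up separately.`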