RE: Ways to manage passwd/shadow files?


From: Atom Powers
Subject: RE: Ways to manage passwd/shadow files?
Date: Thu, 10 Mar 2005 12:17:44 -0800

>What's the best way to use cfengine to manage /etc/passwd and /etc/shadow?
Ditto.

I think hash comments *are* allowed in the passwd file, at least in FreeBSD
they are. But there are other issues as well.
- passwd and shadow (or master.passwd) need to be exactly the same except
that the shadow file has the password hash.
- The shadow file cannot be built from the passwd file, but the passwd file
could be built from the shadow file.
- But keeping a shadow file available to cfengine could compromise the
security of the file; the source file or the temporary file made during the
copy.
- I don't know that cfengine has the ability to modify the password files
safely. Modifying either password file without using vipw or the like
probably won't update both the passwd and shadow files, which is absolutely
required.

So, if it is possible to ensure the security of the shadow file while
cfengine is running, it should be possible to push out a shadow file and then
run vipw or the like to create the passwd file. How can we guarantee the
security of the shadow file?

----
Perfection is just a word I use occasionally with mustard.

Atom Powers
Systems Administrator
Pyramid Breweries Inc.
206.682.8322 x251
-----Original Message-----
From: help-cfengine-bounces+apowers=pyramidbrew.com@gnu.org
[mailto:help-cfengine-bounces+apowers=pyramidbrew.com@gnu.org] On Behalf Of
Spam Collector
Sent: Thursday, March 10, 2005 11:44 AM
To: help-cfengine@gnu.org
Subject: Ways to manage passwd/shadow files?

What's the best way to use cfengine to manage /etc/passwd and /etc/shadow?
Managing the entire file as a copy would be easy enough, but how can you just
manage a chunk of it?  Using edifiles to control a block would have the
desired result, except that AFAIK you can't have comment lines in those files
(the ### BEGIN and ### END lines I use to manage blocks in other config
files).  Also, I wouldn't want my shadow passwords to be copied everywhere in
the config.
   I suppose I could use two bogus usernames to define my block and use some
of the *File* editfile commands in conjunction with a copy, but that just
seems like a hack.  Is there a better way to accomplish this?

Frank
_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
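The invariant the reply stresses (passwd and shadow must describe exactly the same accounts, with the hash living only in shadow) is something a post-edit check can verify before cfengine's change is accepted. This is an added example, not code from the thread or from cfengine; it assumes the Linux-style 7-field passwd and 9-field shadow layouts, and the file contents below are constructed.

```python
# Added example (not from the thread): verify that a passwd/shadow pair
# describes the same accounts, in the same order, with hashes only in shadow.
# Assumes Linux-style layouts (7 passwd fields, 9 shadow fields).

# Constructed sample contents; "frank" is missing from shadow and
# "orphan" is missing from passwd, which is the kind of drift an
# edit made without vipw can leave behind.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
frank:x:1001:1001:Frank:/home/frank:/bin/sh
atom:x:1002:1002:Atom Powers:/home/atom:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$examplesalt$examplehash:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
atom:$6$examplesalt$examplehash:16000:0:99999:7:::
orphan:$6$examplesalt$examplehash:16000:0:99999:7:::
"""


def parse_db(text, nfields):
    """Return [(user, fields)] in file order from a colon-separated database."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and hash comments (tolerated on FreeBSD)
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        entries.append((fields[0], fields))
    return entries


def check_consistency(passwd_text, shadow_text):
    """Return a list of problem strings; an empty list means the pair is consistent."""
    problems = []
    passwd = parse_db(passwd_text, 7)
    shadow = parse_db(shadow_text, 9)
    pw_users = [u for u, _ in passwd]
    sh_users = [u for u, _ in shadow]
    pw_set, sh_set = set(pw_users), set(sh_users)
    for user in sorted(pw_set - sh_set):
        problems.append(f"{user}: in passwd but not in shadow")
    for user in sorted(sh_set - pw_set):
        problems.append(f"{user}: in shadow but not in passwd")
    # Accounts present in both files must appear in the same order.
    if [u for u in pw_users if u in sh_set] != [u for u in sh_users if u in pw_set]:
        problems.append("account order differs between passwd and shadow")
    for user, fields in passwd:
        if fields[1] != "x":  # a hash or an empty field in the world-readable file
            problems.append(f"{user}: password field in passwd is not 'x'")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(problem)
```

Run against the real files it would read /etc/passwd and /etc/shadow as root and refuse the change when the list is non-empty.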