Re: Editfiles convergence bug
From: Martin Andrews
Subject: Re: Editfiles convergence bug
Date: Wed, 19 Feb 2003 03:44:36 -0000

I am interested in seeing the patch. I don't quite buy your ldap argument. I
certainly don't want all my web servers trying to add a webalizer account
into my LDAP directory.
Martin
----- Original Message -----
From: "Jamie Wilkinson" <jamie@anchor.net.au>
To: <help-cfengine@gnu.org>
Sent: Tuesday, February 18, 2003 10:14 PM
Subject: RE: Editfiles convergence bug
> Quoting "Andrews, Martin" <mandrews@cle.lionbioscience.com>:
>
> > I still vote for something more generic if we go this route, say:
> >
> > tabfile:
> > /etc/passwd
> > delim=:
> > fields="user passwd uid gid comment home shell"
> > index=user
> > key=root
> > set=password:big-secret
> >
> >
> > Then you could also do:
> >
> > tabfile:
> > /etc/vfstab
> > delim=tab
> > fields="dev rdev path type fsck boot options"
> > index=path
> > key=/
> > options=logging
> >
> > The latter is a bit contrived, but I think the idea is clear.
>
> But that's nothing you can't already do with editfiles. The value an "account"
> section would add is that using the system tools to create users means that it
> would get "for free" stuff like NSS, so that you could keep all your users in
> LDAP, for example, and creating that user would do the right thing (this assumes
> that the system tools work properly :-)
>
> Ok, here's a simple example:
>
> I have a few dedicated servers for big clients, they want statistics generated
> for their websites, so we use webalizer. The default setup on Red Hat is for
> webalizer to run as root on /var/log/httpd/access_log and spit it out $somewhere
> (I forget exactly...). We don't want unnecessary stuff running as root, so we
> create a webalizer user that has rights to read the logs and spit the results out.
>
> Now, we don't care much about the webalizer user, only that it isn't root and it
> has no special privileges, and that it's a system account. I don't even care
> what UID it is, really. So for each machine, I have to run "useradd -r
> webalizer" to create the system user so that later when cfengine fiddles with
> the webalizer configs, the right things happen.
>
> Currently, it's easiest to set up a test in control: to check for the
> existence of the user (getent passwd webalizer) and then a shellcommand to
> create the user if not found.
>
> Of course, the test and the shell command are going to be different for each OS
> that this needs to be done on, right? I'm "lucky" that I only have to support 2
> flavours of Linux, each with their own ways of handling this -- but isn't the
> point of cfengine to abstract away all this OS specific tailoring when it can be
> automated?
>
> That's a pretty simple example. I can imagine there are instances where you may
> want more or less control over what settings the user has, down to login
> controls in the shadow password. Group maintenance would also be good.
>
> Okay, enough talk. I'll put my editor where my mouth is and start writing a patch.
>
> Jamie
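
The check-then-create step described in the quoted message (test with `getent passwd webalizer`, then `useradd -r webalizer`), written out as an added example that is not part of the original thread or of cfengine. The function names, the `DRY_RUN` switch, the name validation and the FreeBSD branch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: converge on "system account NAME exists" through the
# system tools rather than by editing /etc/passwd directly.

DRY_RUN=${DRY_RUN:-1}   # assumption: default to printing the command only

# Succeeds if NAME resolves through NSS (local files, LDAP, NIS, ...).
account_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id "$1" >/dev/null 2>&1     # fallback where getent is absent
    fi
}

# Print the OS-specific creation command for NAME ($1) on OS ($2).
create_command() {
    case "$2" in
        Linux)   echo "useradd -r $1" ;;    # command quoted in the thread
        # Assumption: FreeBSD equivalent, not taken from the thread.
        FreeBSD) echo "pw useradd $1 -s /usr/sbin/nologin -d /nonexistent" ;;
        *)       echo "no account tool known for $2" >&2; return 1 ;;
    esac
}

# ensure_account NAME [OS]
# Prints "ok" if the account already exists; otherwise prints the command
# it ran (or, with DRY_RUN=1, the command it would run).
ensure_account() {
    name=$1
    os=${2:-$(uname -s)}
    # Refuse names that could be parsed as options or carry shell syntax.
    case "$name" in
        ""|-*|*[!a-z0-9_-]*) echo "invalid account name" >&2; return 2 ;;
    esac
    if account_exists "$name"; then
        echo "ok"
        return 0
    fi
    cmd=$(create_command "$name" "$os") || return 1
    echo "$cmd"
    [ "$DRY_RUN" = 1 ] || $cmd
}
```

Because the existence test goes through `getent`, a host whose accounts live in LDAP reports `ok` and never reaches the creation step; running `ensure_account webalizer` twice gives the same end state.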