Project

General

Profile

Actions

Bug #2552

closed

(ex PT/ Technique) User Management: If a user is defined to be checked and with password defined too, the password of this user will be redefined

Added by Nicolas PERRON about 10 years ago. Updated over 7 years ago.

Status:
Released
Priority:
1
Assignee:
-
Category:
Techniques
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:

Description

A user with this properties:
  • Login name for this account: userQA1
  • Password for this account (optional): somePassword
  • Policy to apply on this account: Check only (account should exist) or Check only (account should not exist)

will redefine its password (only if he exist):

[root@centos-6-64 ~]# grep 'userQA1' /etc/passwd
userQA1:x:6001:6001::/home/userQA1:/bin/bash
[root@centos-6-64 ~]# /var/rudder/cfengine-community/bin/cf-agent -KI -b check_usergroup_user_parameters
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 >> Using command line specified bundlesequence
 -> Executing '/bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1' ...(timeout=-678,owner=-1,group=-1)
Q: ".../bin/echo -e "s": New password: Retype new password: Changing password for user userQA1.
Q: ".../bin/echo -e "s": passwd: all authentication tokens updated successfully.
I: Last 2 quoted lines were generated by promiser "/bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1" 
 -> Completed execution of /bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1
R: @@userGroupManagement@@result_success@@50d28030-4e21-4c47-8b9b-fe0c4b39e405@@b887d02f-12ea-4dc9-96d5-563fc4b5bfbc@@28@@Users@@userQA1@@2012-06-07 17:53:05+02:00##06da3556-5204-4bd7-b3b0-fa5e7bcfbbea@#The user userQA1 ( Without any defined full name ) is present on the system, which is in conformance with the presence policy
[root@centos-6-64 ~]# 

the same with a user which doesn't exist: userQA2

[root@centos-6-64 ~]# grep 'userQA2' /etc/passwd
[root@centos-6-64 ~]# /var/rudder/cfengine-community/bin/cf-agent -KI -b check_usergroup_user_parameters
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 >> Using command line specified bundlesequence
R: @@userGroupManagement@@log_warn@@50d28030-4e21-4c47-8b9b-fe0c4b39e405@@b887d02f-12ea-4dc9-96d5-563fc4b5bfbc@@29@@Users@@userQA2@@2012-06-07 17:54:41+02:00##06da3556-5204-4bd7-b3b0-fa5e7bcfbbea@#The user userQA2 ( Without any defined full name ) is not present on the system, which violates the presence policy
[root@centos-6-64 ~]#

Actions #1

Updated by Nicolas PERRON almost 10 years ago

  • Status changed from New to Pending technical review
  • % Done changed from 0 to 100

Applied in changeset commit:bc53667495e66c049c6d4ea099599cd486a54c2a.

Actions #2

Updated by Nicolas CHARLES almost 10 years ago

  • Status changed from Pending technical review to Discussion
  • % Done changed from 100 to 90

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

Actions #3

Updated by Jonathan CLARKE almost 10 years ago

  • Target version changed from 2.3.8 to 2.3.9
Actions #4

Updated by Nicolas PERRON almost 10 years ago

Nicolas CHARLES wrote:

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?

Actions #5

Updated by Jonathan CLARKE almost 10 years ago

Nicolas PERRON wrote:

Nicolas CHARLES wrote:

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?

Agreed. This ticket should be closed.

However, the behaviour described by Nicolas Charles above is what should be implemented - anything else is a bug. Please open a new ticket for this bug.

Actions #6

Updated by Nicolas PERRON almost 10 years ago

Jonathan CLARKE wrote:

Nicolas PERRON wrote:

Nicolas CHARLES wrote:

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?

Agreed. This ticket should be closed.

However, the behaviour described by Nicolas Charles above is what should be implemented - anything else is a bug. Please open a new ticket for this bug.

A new issue has been opened here: #2889. I suppose we can close this one ?

Actions #7

Updated by Nicolas PERRON over 9 years ago

  • Assignee changed from Nicolas PERRON to Jonathan CLARKE
Actions #8

Updated by Nicolas CHARLES over 9 years ago

  • Status changed from Discussion to Pending technical review
  • % Done changed from 90 to 100

Ok, i'm closing this ticket then

Actions #9

Updated by Nicolas CHARLES over 9 years ago

  • Status changed from Pending technical review to Released
Actions #10

Updated by Nicolas PERRON over 9 years ago

  • Target version changed from 2.3.9 to 2.3.10

This ticket has been implemented in 2.3.10

Actions #11

Updated by Jonathan CLARKE over 9 years ago

  • Status changed from Released to Pending release
Actions #12

Updated by Jonathan CLARKE over 9 years ago

  • Assignee deleted (Jonathan CLARKE)
Actions #13

Updated by Jonathan CLARKE over 9 years ago

  • Project changed from Rudder to 24
  • Category deleted (Techniques)
Actions #14

Updated by Nicolas PERRON over 9 years ago

  • Status changed from Pending release to Released
Actions #15

Updated by Benoît PECCATTE over 7 years ago

  • Project changed from 24 to Rudder
  • Category set to Techniques
Actions

Also available in: Atom PDF