Project

General

Profile

Actions

Bug #2552

closed

(ex PT/ Technique) User Management: If a user is defined to be checked and with password defined too, the password of this user will be redefined

Added by Nicolas PERRON over 12 years ago. Updated almost 10 years ago.

Status:
Released
Priority:
1 (highest)
Assignee:
-
Category:
Techniques
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
Name check:
Fix check:
Regression:

Description

A user with this properties:
  • Login name for this account: userQA1
  • Password for this account (optional): somePassword
  • Policy to apply on this account: Check only (account should exist) or Check only (account should not exist)

will redefine its password (only if he exist):

[root@centos-6-64 ~]# grep 'userQA1' /etc/passwd
userQA1:x:6001:6001::/home/userQA1:/bin/bash
[root@centos-6-64 ~]# /var/rudder/cfengine-community/bin/cf-agent -KI -b check_usergroup_user_parameters
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 >> Using command line specified bundlesequence
 -> Executing '/bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1' ...(timeout=-678,owner=-1,group=-1)
Q: ".../bin/echo -e "s": New password: Retype new password: Changing password for user userQA1.
Q: ".../bin/echo -e "s": passwd: all authentication tokens updated successfully.
I: Last 2 quoted lines were generated by promiser "/bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1" 
 -> Completed execution of /bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1
R: @@userGroupManagement@@result_success@@50d28030-4e21-4c47-8b9b-fe0c4b39e405@@b887d02f-12ea-4dc9-96d5-563fc4b5bfbc@@28@@Users@@userQA1@@2012-06-07 17:53:05+02:00##06da3556-5204-4bd7-b3b0-fa5e7bcfbbea@#The user userQA1 ( Without any defined full name ) is present on the system, which is in conformance with the presence policy
[root@centos-6-64 ~]# 

the same with a user which doesn't exist: userQA2

[root@centos-6-64 ~]# grep 'userQA2' /etc/passwd
[root@centos-6-64 ~]# /var/rudder/cfengine-community/bin/cf-agent -KI -b check_usergroup_user_parameters
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 !! Duplicate selection of value for variable "execRun" in scope g
 !! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
 >> Using command line specified bundlesequence
R: @@userGroupManagement@@log_warn@@50d28030-4e21-4c47-8b9b-fe0c4b39e405@@b887d02f-12ea-4dc9-96d5-563fc4b5bfbc@@29@@Users@@userQA2@@2012-06-07 17:54:41+02:00##06da3556-5204-4bd7-b3b0-fa5e7bcfbbea@#The user userQA2 ( Without any defined full name ) is not present on the system, which violates the presence policy
[root@centos-6-64 ~]#

Actions #1

Updated by Nicolas PERRON over 12 years ago

  • Status changed from New to Pending technical review
  • % Done changed from 0 to 100

Applied in changeset commit:bc53667495e66c049c6d4ea099599cd486a54c2a.

Actions #2

Updated by Nicolas CHARLES over 12 years ago

  • Status changed from Pending technical review to Discussion
  • % Done changed from 100 to 90

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

Actions #3

Updated by Jonathan CLARKE over 12 years ago

  • Target version changed from 2.3.8 to 2.3.9
Actions #4

Updated by Nicolas PERRON over 12 years ago

Nicolas CHARLES wrote:

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?

Actions #5

Updated by Jonathan CLARKE over 12 years ago

Nicolas PERRON wrote:

Nicolas CHARLES wrote:

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?

Agreed. This ticket should be closed.

However, the behaviour described by Nicolas Charles above is what should be implemented - anything else is a bug. Please open a new ticket for this bug.

Actions #6

Updated by Nicolas PERRON about 12 years ago

Jonathan CLARKE wrote:

Nicolas PERRON wrote:

Nicolas CHARLES wrote:

I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash

Jon, do you have any advices on this one ?

What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?

Agreed. This ticket should be closed.

However, the behaviour described by Nicolas Charles above is what should be implemented - anything else is a bug. Please open a new ticket for this bug.

A new issue has been opened here: #2889. I suppose we can close this one ?

Actions #7

Updated by Nicolas PERRON about 12 years ago

  • Assignee changed from Nicolas PERRON to Jonathan CLARKE
Actions #8

Updated by Nicolas CHARLES about 12 years ago

  • Status changed from Discussion to Pending technical review
  • % Done changed from 90 to 100

Ok, i'm closing this ticket then

Actions #9

Updated by Nicolas CHARLES about 12 years ago

  • Status changed from Pending technical review to Released
Actions #10

Updated by Nicolas PERRON about 12 years ago

  • Target version changed from 2.3.9 to 2.3.10

This ticket has been implemented in 2.3.10

Actions #11

Updated by Jonathan CLARKE about 12 years ago

  • Status changed from Released to Pending release
Actions #12

Updated by Jonathan CLARKE about 12 years ago

  • Assignee deleted (Jonathan CLARKE)
Actions #13

Updated by Jonathan CLARKE almost 12 years ago

  • Project changed from Rudder to 24
  • Category deleted (Techniques)
Actions #14

Updated by Nicolas PERRON over 11 years ago

  • Status changed from Pending release to Released
Actions #15

Updated by Benoît PECCATTE almost 10 years ago

  • Project changed from 24 to Rudder
  • Category set to Techniques
Actions

Also available in: Atom PDF