Bug #2552
closed
(ex PT/ Technique) User Management: If a user is defined to be checked and with password defined too, the password of this user will be redefined
Added by Nicolas PERRON over 12 years ago.
Updated over 9 years ago.
Description
A user with this properties:
- Login name for this account: userQA1
- Password for this account (optional): somePassword
- Policy to apply on this account: Check only (account should exist) or Check only (account should not exist)
will redefine its password (only if he exist):
[root@centos-6-64 ~]# grep 'userQA1' /etc/passwd
userQA1:x:6001:6001::/home/userQA1:/bin/bash
[root@centos-6-64 ~]# /var/rudder/cfengine-community/bin/cf-agent -KI -b check_usergroup_user_parameters
!! Duplicate selection of value for variable "execRun" in scope g
!! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
!! Duplicate selection of value for variable "execRun" in scope g
!! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
>> Using command line specified bundlesequence
-> Executing '/bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1' ...(timeout=-678,owner=-1,group=-1)
Q: ".../bin/echo -e "s": New password: Retype new password: Changing password for user userQA1.
Q: ".../bin/echo -e "s": passwd: all authentication tokens updated successfully.
I: Last 2 quoted lines were generated by promiser "/bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1"
-> Completed execution of /bin/echo -e "somePassword\nsomePassword" | /usr/bin/passwd userQA1
R: @@userGroupManagement@@result_success@@50d28030-4e21-4c47-8b9b-fe0c4b39e405@@b887d02f-12ea-4dc9-96d5-563fc4b5bfbc@@28@@Users@@userQA1@@2012-06-07 17:53:05+02:00##06da3556-5204-4bd7-b3b0-fa5e7bcfbbea@#The user userQA1 ( Without any defined full name ) is present on the system, which is in conformance with the presence policy
[root@centos-6-64 ~]#
the same with a user which doesn't exist: userQA2
[root@centos-6-64 ~]# grep 'userQA2' /etc/passwd
[root@centos-6-64 ~]# /var/rudder/cfengine-community/bin/cf-agent -KI -b check_usergroup_user_parameters
!! Duplicate selection of value for variable "execRun" in scope g
!! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
!! Duplicate selection of value for variable "execRun" in scope g
!! Rule from /var/rudder/cfengine-community/inputs/common/1.0/site.cf at/before line 58
>> Using command line specified bundlesequence
R: @@userGroupManagement@@log_warn@@50d28030-4e21-4c47-8b9b-fe0c4b39e405@@b887d02f-12ea-4dc9-96d5-563fc4b5bfbc@@29@@Users@@userQA2@@2012-06-07 17:54:41+02:00##06da3556-5204-4bd7-b3b0-fa5e7bcfbbea@#The user userQA2 ( Without any defined full name ) is not present on the system, which violates the presence policy
[root@centos-6-64 ~]#
- Status changed from New to Pending technical review
- % Done changed from 0 to 100
Applied in changeset commit:bc53667495e66c049c6d4ea099599cd486a54c2a.
- Status changed from Pending technical review to Discussion
- % Done changed from 100 to 90
I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash
Jon, do you have any advices on this one ?
- Target version changed from 2.3.8 to 2.3.9
Nicolas CHARLES wrote:
I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash
Jon, do you have any advices on this one ?
What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?
Nicolas PERRON wrote:
Nicolas CHARLES wrote:
I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash
Jon, do you have any advices on this one ?
What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?
Agreed. This ticket should be closed.
However, the behaviour described by Nicolas Charles above is what should be implemented - anything else is a bug. Please open a new ticket for this bug.
Jonathan CLARKE wrote:
Nicolas PERRON wrote:
Nicolas CHARLES wrote:
I'm not 100% sure about this.
The form of the directive seems to imply that "checking the account" and "checking the password" are independant (or nearly). I really would expect that if I select to check the password eveerytime, it is indeed checked everytime, and not only if I create/update the user fullname or bash
Jon, do you have any advices on this one ?
What should we do ? I'm not sure that changing the whole behaviour of this PT/Technique is the purpose of this issue. May be another ticket would be better if you think that a change should be made. It will permit us to close this issue. Do you agree ?
Agreed. This ticket should be closed.
However, the behaviour described by Nicolas Charles above is what should be implemented - anything else is a bug. Please open a new ticket for this bug.
A new issue has been opened here: #2889. I suppose we can close this one ?
- Assignee changed from Nicolas PERRON to Jonathan CLARKE
- Status changed from Discussion to Pending technical review
- % Done changed from 90 to 100
Ok, i'm closing this ticket then
- Status changed from Pending technical review to Released
- Target version changed from 2.3.9 to 2.3.10
This ticket has been implemented in 2.3.10
- Status changed from Released to Pending release
- Assignee deleted (
Jonathan CLARKE)
- Project changed from Rudder to 24
- Category deleted (
Techniques)
- Status changed from Pending release to Released
- Project changed from 24 to Rudder
- Category set to Techniques
Also available in: Atom
PDF
Updated by Nicolas PERRON 
Updated by 
Updated by Jonathan CLARKE 
Updated by