0

manage file permission of multiple files

asked 2016-06-22 12:03:29 -0500

priki

updated 2016-07-05 19:26:31 -0500

I'm trying to make sure users' ssh keys are never accessible to others so I thought this would work:

file { "/home/*/.ssh/*":
  path => "/home/*/.ssh/*",
  mode  =>  "600",
}

Apparently, no.

Without using 'exec', what would be the next best way to get this done? Thanks in advance for any insight you could provide!


3 Answers

2

answered 2016-06-24 14:09:31 -0500

Nizen

updated 2016-07-05 14:05:07 -0500

Doing this on our boxes, I make sure both directory and file are set correctly:

# Double quotes are required so that ${username} is interpolated; in Puppet,
# single quotes would create the literal path '/home/$username/.ssh'.
file { "/home/${username}/.ssh":
  ensure => 'directory',
  owner  => $username,
  group  => $username,
  mode   => '0700',
}

file { "/home/${username}/.ssh/authorized_keys":
  ensure  => 'file',
  owner   => $username,
  group   => $username,
  mode    => '0700',
  content => template("users/${username}.erb"),
}

Aside from that, even if the public keys are readable, it won't do much without the private key. The private key should not be stored on boxes other than the end-user machine. If the directory has the proper permissions, then no file inside should be able to be read by any other user than the owner and root.

After some playing around, I've created a custom fact for puppet to use in creating users on a machine. If you add this to ../$environment/modules/$module/lib/facter, you can use it as a custom fact to populate any user lists:

#!/bin/ruby
# Custom fact listing the user directories under /home. Each entry has to be
# joined back onto /home before it is tested (File.directory? on a bare name
# looks in the current working directory), and '.' and '..' must be skipped.
Facter.add('username') do
  confine :kernel => 'Linux'
  setcode do
    Dir.entries('/home').reject { |f| f.start_with?('.') }
                        .select { |f| File.directory?(File.join('/home', f)) }
  end
end

Then you can split the usernames out of the array in puppet, and it should help you get around all of your problems.


Comments

Wouldn't this still require you to have a set list of users to specify? What if the user list is not uniform across all your servers? As DarylW mentioned below, globbing may not be possible from file resource. Thanks for your recommendation.

priki (2016-06-29 11:29:12 -0500)

I have an idea, and I wrote a response, but I need to work out some bugs. I think I have a solution.

Nizen (2016-07-01 16:34:47 -0500)

Do you have a standardized naming convention that includes particular users?

Nizen (2016-07-01 16:45:27 -0500)

What I'm thinking is adding a custom fact to find usernames on the server by listing users from /home, then creating a user.pp equivalent that uses that custom fact. This could be fun.

Nizen (2016-07-01 16:57:57 -0500)

Main comment edited for real estate purposes.

Nizen (2016-07-01 17:47:19 -0500)
1

answered 2016-06-22 22:19:14 -0500

lupin

updated 2016-06-25 15:25:15 -0500

Edited this to reflect the question which is to set the perm under '/home/*/.ssh'.

You can create a define type or use iteration https://docs.puppet.com/puppet/latest....

e.g.

$userlist = [ 'user1', 'user2' ]

define ssh_perm ( $user = $name ) {
  # No explicit path: the resource title is the path. A fixed path of
  # '/home/.ssh' would point every instance at the same directory.
  file { "/home/${user}":
    ensure => 'directory',
    mode   => '0755',
  } ->
  file { "/home/${user}/.ssh":
    ensure => 'directory',
    # the owner needs the execute bit to traverse .ssh; 0600 would lock them out
    mode   => '0700',
  }
}

ssh_perm { $userlist: }

Comments

Is the problem that what is really wanted is '/home/*/.ssh/' to be mode 600? That's a whole other problem that is probably only solvable with either a custom fact to detect all of the users' home directories on the system, or an exec.

DarylW (2016-06-23 00:18:17 -0500)

Good looking out, thank you

priki (2016-06-23 15:03:02 -0500)

The problem is that I don't think you can use the glob operator in a file resource.

DarylW (2016-06-23 20:24:21 -0500)
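Added example, not from either answer and not Puppet's or Facter's own code: a Ruby custom fact along the lines Nizen and DarylW describe, which enumerates the home directories under /home and, for each user, reports the octal modes of ~/.ssh and ~/.ssh/authorized_keys and whether either is readable by group or others. It is meant to replace the hard-coded $userlist in the defined type above. The fact names home_users and ssh_audit, the helper function names, the /home base path and the "skip dot-directories" rule are my own assumptions, as is Facter 3 or later for the structured (hash) fact value.

```ruby
# Custom fact for Puppet/Facter: list home directories and audit ~/.ssh modes.
# Assumptions (not from the original thread): base path /home, Facter 3+
# structured facts, fact names 'home_users' and 'ssh_audit'.
begin
  require 'facter'
rescue LoadError
  # Facter is only present on a Puppet agent; the helpers below still run without it.
end

HOME_BASE = '/home'.freeze

# Usernames whose home directory sits directly under `base`.
# Dir.entries returns bare names plus '.' and '..', so each name is joined
# back onto `base` before testing (File.directory?('alice') would look in the
# current working directory, not in /home). Dot-directories are skipped.
def home_users(base = HOME_BASE)
  return [] unless File.directory?(base)
  Dir.entries(base)
     .reject { |e| e.start_with?('.') }
     .select { |e| File.directory?(File.join(base, e)) }
     .sort
end

# Octal permission string such as "0700" for a path, or nil if it is absent.
def mode_of(path)
  return nil unless File.exist?(path)
  format('%04o', File.stat(path).mode & 0o7777)
end

# Audit one user's ~/.ssh: the modes of the directory and of authorized_keys,
# and whether any group/other bit is set on either (the exposure the question
# is trying to prevent).
def ssh_state(user, base = HOME_BASE)
  ssh_dir   = File.join(base, user, '.ssh')
  keys      = File.join(ssh_dir, 'authorized_keys')
  dir_mode  = mode_of(ssh_dir)
  file_mode = mode_of(keys)
  exposed   = [dir_mode, file_mode].compact.any? { |m| (m.to_i(8) & 0o077) != 0 }
  { 'ssh_dir' => dir_mode, 'authorized_keys' => file_mode, 'exposed' => exposed }
end

# Every user mapped to its audit; this hash is what the structured fact returns.
def ssh_audit(base = HOME_BASE)
  home_users(base).each_with_object({}) { |u, h| h[u] = ssh_state(u, base) }
end

if defined?(Facter)
  Facter.add('home_users') do
    confine :kernel => 'Linux'
    setcode { home_users }
  end
  Facter.add('ssh_audit') do
    confine :kernel => 'Linux'
    setcode { ssh_audit }
  end
end
```

With Puppet 4 or later the fact replaces the hard-coded list: `$facts['home_users'].each |$u| { file { "/home/${u}/.ssh": ensure => directory, mode => '0700' } }`. The ssh_audit fact is the detection side: a directory that has drifted to 0755 shows up as `exposed => true` on the next run, which is something to report on (a notify, or a condition in the manifest) rather than silently fix and forget.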
0

answered 2016-06-23 15:01:22 -0500

priki

Somehow, the asterisk got parsed out. It should be:

/home/*/.ssh/authorized_keys


Stats

Asked: 2016-06-22 12:03:29 -0500

Seen: 178 times

Last updated: Jul 05 '16