The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #7500

Don't let pw provider use -p

Added by Douglas Rand over 3 years ago. Updated over 2 years ago.

Status:ClosedStart date:05/12/2011
Priority:NormalDue date:
Assignee:Douglas Rand% Done:

0%

Category:FreeBSD
Target version:2.7.10
Affected Puppet version:2.6.7 Branch:
Keywords:freebsd pw password

We've Moved!

Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com

This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.


Description

The -p option to pw is documented as:

-p date       Set the account's password expiration date.  This field is
              similar to the account expiration date option, except that
              it applies to forced password changes.  This is set in the
              same manner as the -e option.

But provider/user/pw.rb takes the first character of each property as the option to pw (through provider/nameservice/objectadd.rb I think).

The problem is that that sets the password as expiring now().

Here is a patch to ignore the password property, which is already handled via cryptpw in pw.rb:

--- pw.rb-orig  2011-05-12 16:47:24.000000000 -0500
+++ pw.rb       2011-05-12 16:47:16.000000000 -0500
@@ -24,7 +24,7 @@
   def addcmd
     cmd = [command(:pw), "useradd", @resource[:name]]
     @resource.class.validproperties.each do |property|
-      next if property == :ensure
+      next if property == :ensure or property == :password
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       if value = @resource.should(property) and value != ""

patch Magnifier (486 Bytes) Douglas Rand, 05/12/2011 02:51 pm


Related issues

Related to Puppet - Feature #11046: Improve user and group pw providers on FreeBSD Closed 11/12/2011

History

#1 Updated by Douglas Rand over 3 years ago

Sorry for the borked formatting. Attached is the patch.

Can you tell its my first redmine ticket?

#2 Updated by Ben Hughes over 3 years ago

  • Status changed from Unreviewed to Investigating
  • Assignee set to Ben Hughes

Hi, thanks for the patch.

I’ve been trying to work out how to test/recreate this, as I can’t reproduce the symptoms. I don’t see how -p is getting in there.

Could you give me an example manifest that triggers this and what the actual and expected behaviour is please and I’ll look in to it more.

Thanks.

#3 Updated by Chris van der Wel about 3 years ago

Actually there are two issues, not only the password expiry date is set to the past, but also the password is not set. The patch above fixes the first issue with the expiry date, but the password is still not set when a new user is created. When I run puppet agent again, the password is correctly updated.

I used the following manifest:

user{'testuser':
    uid => 9999,
    gid => 'testgroup',
    password => 'encryptedpasswordstring',
}

The command which is executed is:

debug: User[testuser](provider=pw): Executing '/usr/sbin/pw useradd testuser -p encryptedpasswordstring -u 9999 -g testgroup'

Then this user entry is created:

testuser:*:9999:9999::1317333600:0:User &:/home/testuser:/bin/sh

But it should be:

testuser:encryptedpasswordstring:9999:9999::0:0:User &:/home/testuser:/bin/sh

So the pw command should be executed without the -p parameter but with the -H parameter like when a password is updated.

#4 Updated by Adrien Thebo about 3 years ago

  • Assignee changed from Ben Hughes to Adrien Thebo

#5 Updated by Tim Bishop almost 3 years ago

Hi,

The reason for the confusion is that the submitter is probably using the FreeBSD port. This includes a patch which enables manage_passwords but in a slightly broken way. This is what makes the -p flag come through in addcmd.

I’ve worked up a patch which uses the submitters fix along with the patch in the FreeBSD port, and adds a final fix to get it all working. It’s on github here:

https://github.com/puppetlabs/puppet/pull/210

Tim.

#6 Updated by Adrien Thebo almost 3 years ago

  • Status changed from Investigating to In Topic Branch Pending Review
  • Assignee changed from Adrien Thebo to Tim Bishop

That makes a lot of sense, thanks for tracking that down!

#7 Updated by Patrick Carlisle almost 3 years ago

  • Assignee changed from Tim Bishop to Douglas Rand

Douglas, even though it’s a small patch, can you please sign the Contributor License Agreement?

#8 Updated by Douglas Rand almost 3 years ago

On 2012-01-04 1:30 PM, tickets@puppetlabs.com wrote:

Issue #7500 has been updated by Patrick Carlisle.

  • Assignee changed from Tim Bishop to Douglas Rand

Douglas, even though it’s a small patch, can you please sign the Contributor License Agreement https://projects.puppetlabs.com/contributor_licenses/sign?

Signed.

#9 Updated by Patrick Carlisle almost 3 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
  • Target version set to 2.7.10

Merged in https://github.com/puppetlabs/puppet/commit/75d7cad19be95760bc08e2ce4a67208aec5c6af7

#10 Updated by Tim Bishop over 2 years ago

This has been released so the issue can be closed.

#11 Updated by Patrick Carlisle over 2 years ago

  • Status changed from Merged - Pending Release to Closed

Released in 2.7.10.

Also available in: Atom PDF