Rush has uploaded a new change for review.
https://gerrit.wikimedia.org/r/195656
Change subject: admin module enable user cleanup
......................................................................
admin module enable user cleanup
Change-Id: Id1f558cf1674b4204473a2dc7da212fab4f2c467
---
M modules/admin/files/enforce-users-groups.sh
M modules/admin/manifests/init.pp
2 files changed, 23 insertions(+), 19 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/56/195656/1
diff --git a/modules/admin/files/enforce-users-groups.sh
b/modules/admin/files/enforce-users-groups.sh
index 154fa3a..5228415 100644
--- a/modules/admin/files/enforce-users-groups.sh
+++ b/modules/admin/files/enforce-users-groups.sh
@@ -1,7 +1,5 @@
#!/bin/bash
-#TOOL EDITED FOR AUDITING. NO INVASIVE ACTION.
-
# This is a user garbage collection script that removes
# users who do not have a supplementary group that also have
# a UID above the ID_BOUNDARY. Removals are logged to syslog.
@@ -41,23 +39,18 @@
return 1
}
+# This is an intentional hard stop
+# as before T84032 this could do some
+# serious damage to a labstore host.
+if [[ `hostname -s` =~ ^labstore ]]; then
+ exit 1
+fi
+
if [ ! -d $ARCHIVE_DIR ]
then
log "creating new user files archive ${ARCHIVE_DIR}"
mkdir -p $ARCHIVE_DIR
fi
-
-#TMP
-if [ "${1}" == "dryrun" ]
- then
- if [[ -e '/var/log/admincleanup' ]]
- then
- exit 0
- fi
-fi
-
-#TEMP
-/bin/cat /dev/null > /var/log/admincleanup
IFS=$'\r\n' PASSWD_USERS=($(/usr/bin/getent passwd))
for var in "${PASSWD_USERS[@]}"
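Review bot: The new labstore guard exits silently with status 1, which is also the status the new dryrun mode uses to mean "there are users to remove", so on a labstore host the manifest's `unless` check will fail and the real run will be started (and fail) on every puppet run, with nothing in syslog explaining why. Log the refusal before exiting so the hard stop is visible, and prefer `$(…)` over backticks: `if [[ $(hostname -s) =~ ^labstore ]]; then` followed by `log "${0} refusing to run on $(hostname -s), see T84032"` before the `exit 1`. The `log` helper and the function ending at the top of this hunk are defined above the hunk and are not visible here, so I assume `log` writes to syslog as the header comment states.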
@@ -72,12 +65,14 @@
if [[ "$uid" -gt "$ID_BOUNDRY" ]]; then
if [[ `/usr/bin/id $username` != *","* ]]; then
- #TEMP
- echo $var >> /var/log/admincleanup
+ if [ "${1}" == "dryrun" ]
+ then
+ exit 1
+ fi
- #NOT TO BE PUT IN SERVICE
- #log "${0} removing user/id: ${username}/${uid}"
- #/usr/sbin/deluser --remove-home --backup-to=$ARCHIVE_DIR $username &>
/dev/null
+ log "${0} removing user/id: ${username}/${uid}"
+ mv /etc/sudoers.d/$username /home/$username &> /dev/null
+ /usr/sbin/deluser --remove-home --backup-to=$ARCHIVE_DIR $username &>
/dev/null
fi
fi
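Review bot: The new `mv /etc/sudoers.d/$username /home/$username &> /dev/null` discards its exit status, so when the move fails (no home directory, name mismatch) the sudoers fragment stays in /etc/sudoers.d after the account is removed, and a later account created with the same name inherits its privileges; the deluser line likewise hides failures behind `&> /dev/null` while the preceding log line has already claimed the user was removed. Archive the fragment next to the home backup in `$ARCHIVE_DIR` instead of parking it in the home directory, only when it exists, and log both failures; quoting `$username` and `$ARCHIVE_DIR` also closes the word-splitting gap on these lines. The enclosing `for`/`if` block starts outside this hunk, so the indentation below is illustrative.
```shell
log "${0} removing user/id: ${username}/${uid}"
if [[ -e "/etc/sudoers.d/${username}" ]]; then
  mv -- "/etc/sudoers.d/${username}" "${ARCHIVE_DIR}/sudoers.d-${username}" \
    || log "${0} failed to archive sudoers fragment for ${username}"
fi
/usr/sbin/deluser --remove-home --backup-to="${ARCHIVE_DIR}" "${username}" &> /dev/null \
  || log "${0} deluser failed for ${username}/${uid}"
```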
diff --git a/modules/admin/manifests/init.pp b/modules/admin/manifests/init.pp
index 1b3db64..d38abab 100644
--- a/modules/admin/manifests/init.pp
+++ b/modules/admin/manifests/init.pp
@@ -45,5 +45,14 @@
admin::groupmembers { $all_groups:
phash => $data,
+ before => Exec['enforce-users-groups-cleanup'],
+ }
+
+ # Declarative gotcha: non-defined users can get left behind
+ # Here we cleanup anyone not in a supplementary group above a certain UID
+ exec { 'enforce-users-groups-cleanup':
+ command => '/usr/local/sbin/enforce-users-groups',
+ unless => '/usr/local/sbin/enforce-users-groups dryrun',
+ logoutput => true,
}
}
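Review bot: The `unless => '/usr/local/sbin/enforce-users-groups dryrun'` check treats every non-zero exit as "run the cleanup", so any failure of the dryrun pass (the script's new labstore hard stop, or a getent error) triggers the destructive run rather than skipping it, and on labstore hosts that yields a failed exec on each agent run. If the labstore exclusion is meant to be permanent, keep the guard in the manifest as well so the exec is never declared there, e.g. wrapping the resource in `if $::hostname !~ /^labstore/ { … }`. A one-line comment on the `unless` line stating that the script's dryrun mode exits 1 only when a removable user is found would also make the coupling to the script's exit codes explicit; I am inferring from the diff that `/usr/local/sbin/enforce-users-groups` is installed from `enforce-users-groups.sh` by a file resource outside this hunk.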
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id1f558cf1674b4204473a2dc7da212fab4f2c467
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <[email protected]>