On May 26, 11:38 pm, Luke Kanies <[email protected]> wrote:
> On May 22, 2009, at 10:26 PM, Kelsey Hightower wrote:
>
> > Puppet::Type.newtype(:tcpwrapper) do
> >   @doc = "Manages tcpwrappers hosts.allow and hosts.deny entries.
> >     The entry will be placed in /etc/hosts.allow when 'allow => true'
> >     or 'deny => false'.
> >     The entry will be placed in /etc/hosts.deny when 'deny => true' or
> >     'allow => false'.
> >     Default action is to append the entry to /etc/hosts.allow.
> >
> >     Examples::
> >
> >       tcpwrapper { ALL:
> >         allow         => true,
> >         daemon        => \"ALL\",
> >         except_daemon => [vsftpd, sshd],
> >         host          => \"ALL\",
> >         except_host   => [cracker.domainname.com, 24.123.45.12],
> >       }
> >
> >       tcpwrapper { vsftpd:
> >         allow  => true,
> >         daemon => sshd,
> >         host   => [192.168.1.22, 72.13.2.34, trusted.domain.com],
> >         spawn  => '/bin/echo $(/bin/date) access from %h >> /var/log/ftp-access.log',
> >       }
> >
> >       tcpwrapper { vsftpd:
> >         deny   => true,
> >         daemon => sshd,
> >         host   => [24.123.45.12, cracker.domain.com],
> >         twist  => '/bin/echo \"Access to %d has been denied for %a\"',
> >       }
> >     "
>
> >   ensurable
> >
> >   newparam(:name) do
> >     desc "The name of the resource"
> >   end
> >
> >   newparam(:allow) do
> >     desc "Whether to allow access. Line will be appended to /etc/hosts.allow"
> >   end
> >
> >   newparam(:deny) do
> >     desc "Whether to deny access. Line will be appended to /etc/hosts.deny"
> >   end
>
> It seems like it makes more sense to have a single parameter;
> something like:
>
> tcpwrapper { foo: ensure => allowed, ... }
>
> >   newparam(:file) do
> >     desc "The file to examine (and possibly modify) for the acl"
> >   end
> >
> >   newparam(:line) do
> >     desc "The acl to add or remove"
> >   end
>
> How is this actually used? Your examples don't cover it.
>
I agree. So in this case, ensure would replace both 'file' and 'line'
parameters?

My original thought was to use the allow and deny parameters to help
decide what file to write the 'line' to. Because of the uniqueness
requirements, allow and deny acls would be written to either
hosts.allow or hosts.deny.

If I understand this correctly, the 'newproperty' statements should be
used to create the 'line' that will then be inserted into the 'file'
via the provider?
>
> >   newproperty(:daemon, :array_matching => :all) do
> >     desc "A list of one or more service daemons"
> >   end
> >
> >   newproperty(:host, :array_matching => :all) do
> >     desc "A list of one or more hostnames, IP addresses, or networks"
> >   end
> >
> >   newproperty(:spawn) do
> >     desc "Child process to be launched in the background"
> >   end
> >
> >   newproperty(:twist) do
> >     desc "Command to run in place of the requested service"
> >   end
> >
> >   newproperty(:except_daemon, :array_matching => :all) do
> >     desc "A list of one or more daemons to exclude from wildcard matches"
> >   end
> >
> >   newproperty(:except_host, :array_matching => :all) do
> >     desc "A list of one or more hostnames, IP addresses, or networks
> >       to exclude from wildcard matches"
> >   end
> > end
>
> The basic model seems correct. One problem, because of Puppet's
> resource uniqueness requirements at this point, is that you could only
> ever have one rule about a given service. That is, you couldn't do:
>
> tcpwrapper { foo: host => 'one.domain.com', ensure => allowed }
> tcpwrapper { foo: host => 'two.domain.com', ensure => denied }
>
> Puppet would see this as a conflict.
>
> --
> The conception of two people living together for twenty-five years
> without having a cross word suggests a lack of spirit only to be
> admired in sheep. --Alan Patrick Herbert
> ---------------------------------------------------------------------
> Luke Kanies |http://reductivelabs.com|http://madstop.com
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en
-~----------~----~----~----~------~----~------~--~---
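The two things the thread circles around, how the 'line' gets built from the properties and which file it lands in once a single ensure value replaces allow/deny, can be shown without the puppet gem. The following is an added example, not code from the thread or from Puppet: plain Ruby that a tcpwrapper provider could delegate to. The module name TcpWrapperRule, its methods, the ensure values :allowed/:denied and the sample resources at the bottom are all this example's own assumptions. The sample resources deliberately use distinct titles for two rules about the same daemon, which is the usual way around the resource-uniqueness clash Luke points out.

```ruby
# Added example, not code from the thread or from Puppet: the logic a
# tcpwrapper provider would need, written as plain Ruby so it runs without
# the puppet gem. The module and method names are this example's own.
module TcpWrapperRule
  # A single ensure value picks the file; separate allow/deny flags are not needed.
  FILES = { allowed: '/etc/hosts.allow', denied: '/etc/hosts.deny' }.freeze

  # Join a list, adding the hosts_access(5) EXCEPT operator when an
  # exception list is given, e.g. "ALL EXCEPT vsftpd, sshd".
  def self.list_with_except(items, except)
    items = Array(items)
    raise ArgumentError, 'daemon and host lists must not be empty' if items.empty?
    out = items.join(', ')
    except = Array(except)
    out += " EXCEPT #{except.join(', ')}" unless except.empty?
    out
  end

  # Render one entry from the properties the type declares; this is the
  # "line" built from properties rather than passed in as a parameter.
  # hosts_options(5) form: "daemon_list : client_list : option : option".
  # twist replaces the service, so it has to be the last option.
  def self.render_line(daemon:, host:, except_daemon: [], except_host: [],
                       spawn: nil, twist: nil)
    fields = [list_with_except(daemon, except_daemon),
              list_with_except(host, except_host)]
    fields << "spawn #{spawn}" if spawn
    fields << "twist #{twist}" if twist
    fields.join(' : ')
  end

  # The target file follows from ensure alone.
  def self.target_file(state)
    FILES.fetch(state) { raise ArgumentError, "ensure must be one of #{FILES.keys.inspect}" }
  end

  # Canonical spacing around ':' and ',' so an equivalent hand-written entry
  # (e.g. "sshd: 10.0.0.1") is recognised and not duplicated.
  def self.normalize(line)
    line.strip.gsub(/\s+/, ' ').gsub(/\s*:\s*/, ' : ').gsub(/\s*,\s*/, ', ')
  end

  def self.comment?(line)
    line.strip.empty? || line.lstrip.start_with?('#')
  end

  # Return the file body with the entry present or absent. Comments and
  # unrelated entries are left untouched; adding is idempotent.
  def self.apply_rule(content, line, present: true)
    lines = content.lines.map(&:chomp)
    want = normalize(line)
    match = ->(l) { !comment?(l) && normalize(l) == want }
    if present
      lines << line unless lines.any?(&match)
    else
      lines.reject!(&match)
    end
    lines.empty? ? '' : lines.join("\n") + "\n"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed resources: two rules about sshd, told apart by title rather
  # than by daemon, which sidesteps the resource-uniqueness clash.
  rules = {
    'ssh_from_trusted' => {
      ensure: :allowed, daemon: 'sshd',
      host: ['192.168.1.22', '72.13.2.34', 'trusted.domain.com'],
      spawn: '/bin/echo $(/bin/date) access from %h >> /var/log/ssh-access.log',
    },
    'ssh_from_cracker' => {
      ensure: :denied, daemon: 'sshd',
      host: ['24.123.45.12', 'cracker.domain.com'],
      twist: '/bin/echo "Access to %d has been denied for %a"',
    },
  }
  files = Hash.new { |h, k| h[k] = '' } # in-memory stand-in for /etc
  rules.each_value do |r|
    attrs = r.reject { |k, _| k == :ensure }
    line = TcpWrapperRule.render_line(**attrs)
    path = TcpWrapperRule.target_file(r[:ensure])
    files[path] = TcpWrapperRule.apply_rule(files[path], line)
  end
  files.each { |path, body| puts "== #{path}", body }
end
```

Running the file prints the rendered hosts.allow and hosts.deny bodies. The comparison in apply_rule is on a whitespace-normalised form of the whole entry, so a provider using it would neither append a duplicate of an entry an admin typed by hand nor touch comments; it does not attempt to merge a new host into an existing entry for the same daemon, which is exactly the one-rule-per-resource model the thread describes.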