Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add oddjob mkhomedir option rhel pam #675

Merged
merged 7 commits into from
May 23, 2023
Merged

Add oddjob mkhomedir option rhel pam #675

merged 7 commits into from
May 23, 2023

Conversation

imp1sh
Copy link
Contributor

@imp1sh imp1sh commented May 22, 2023

Added mkhomedir option for RedHat based systems, e.g. in FreeIPA environments.

@imp1sh imp1sh mentioned this pull request May 22, 2023
Closed
@rndmh3ro
Copy link
Member

Can you please add the variable to the readme, with a description?

And please sign-off your commits as described here: https://github.com/dev-sec/ansible-collection-hardening/pull/675/checks?check_run_id=13660004577

Other than that: looks good!

Jochen Demmer added 5 commits May 22, 2023 16:12
added variable description
d1e6eaf 
Signed-off-by: Jochen Demmer <[email protected]>
added support for oddjob mkhomedir via optional var
290c2b9 
Signed-off-by: Jochen Demmer <[email protected]>
optimized conditional
593996f 
Signed-off-by: Jochen Demmer <[email protected]>
added variable description
fec5391 
Signed-off-by: Jochen Demmer <[email protected]>
t push
325903e 
Merge branch 'master' of github.com:imp1sh/ansible-collection-hardening
@imp1sh
Copy link
Contributor Author

imp1sh commented May 22, 2023

Ok, what's wrong with the variable names (Ansible Lint)? I don't get it.

@rndmh3ro
Copy link
Member

It's a new requirement, you can ignore it.

@rndmh3ro rndmh3ro merged commit f3337f3 into dev-sec:master May 23, 2023
schurzi
schurzi reviewed May 23, 2023
View reviewed changes
roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -47,6 +47,9 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
{% if (os_auth_pam_oddjob_mkhomedir | bool) %}
session optional pam_oddjob_mkhomedir.so umask=0077
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry for being late to the party.
We have a special variable fo setting the expected umask (os_env_umask). While checking for this, I also found, that this setting might be ignored, because of authselect/authselect#223

So no real problem here, but a minor inconvenience from my point of view.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schurzi schurzi schurzi left review comments

Assignees
No one assigned
Labels
enhancement minor os_hardening
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@imp1sh @rndmh3ro @schurzi