Merge pull request dev-sec#117 from dev-sec/shadow_owner

change shadow owner in debian systems
divialth · Mar 1, 2017 · 87b6b88 · 87b6b88
2 parents 3a7303e + b2b4ef7
commit 87b6b88
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 8 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,14 +18,6 @@ os_auth_sys_uid_max: 999
 os_auth_sys_gid_min: 100
 os_auth_sys_gid_max: 999
 
-# Different distros use different standards for /etc/shadow perms, e.g.
-# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
-# You must provide key/value pairs for owner, group, and mode if overriding.
-os_shadow_perms:
-  owner: root
-  group: root
-  mode: "0600"
-
 os_chfn_restrict: ''
 # may contain: change_user
 os_security_users_allow: []

diff --git a/vars/Debian.yml b/vars/Debian.yml
@@ -4,3 +4,11 @@ os_packages_pam_cracklib: 'libpam-cracklib'
 passwdqc_path: '/usr/share/pam-configs/passwdqc'
 tally2_path: '/usr/share/pam-configs/tally2'
 os_nologin_shell_path: '/usr/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: shadow
+  mode: "0640"
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
@@ -2,3 +2,11 @@ os_packages_pam_ccreds:  'pam_ccreds'
 os_packages_pam_passwdqc:  'pam_passwdqc'
 os_packages_pam_cracklib:  'pam_cracklib'
 os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: "0600"
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -2,3 +2,11 @@ os_packages_pam_ccreds: 'pam_ccreds'
 os_packages_pam_passwdqc: 'pam_passwdqc'
 os_packages_pam_cracklib: 'pam_cracklib'
 os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: "0600"