pamd overwrites comment when adding a new rule with state:after #9374

ilia-kats opened this issue Dec 25, 2024 · 2 comments
Labels: bug (This issue/PR relates to a bug), module (module), plugins (plugin (any type))

Comments

@ilia-kats

Summary

When adding a new PAM rule after a present rule and there is a comment present, pamd overwrites the comment.

I'm trying to add a module to common-session. Its original state is

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_sss.so 
session	optional	pam_systemd.so 
# end of pam-auth-update config

Issue Type

Bug Report

Component Name

pamd

Ansible Version

$ ansible --version
ansible [core 2.18.1]
  config file = /home/ilia/.../ansible.cfg
  configured module search path = ['/home/ilia/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.13/site-packages/ansible
  ansible collection location = /home/ilia/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.13.1 (main, Dec  4 2024, 18:05:56) [GCC 14.2.1 20240910] (/usr/bin/python)
  jinja version = 3.1.5
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /usr/lib/python3.13/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 10.1.0 

Configuration

$ ansible-config dump --only-changed

OS / Environment

control: Arch Linux
managed: Debian 12

Steps to Reproduce

- name: autocreate user home directory
  community.general.pamd:
    name: common-session
    type: session
    control: optional
    module_path: pam_systemd.so
    new_type: session
    new_control: optional
    new_module_path: pam_mkhomedir.so
    module_arguments: "umask=0077"
    state: after

Expected Results

Either

[...]
session	optional	pam_systemd.so 
# end of pam-auth-update config
session    optional pam_mkhomedir.so umask=0077

or

[...]
session	optional	pam_systemd.so 
session    optional pam_mkhomedir.so umask=0077
# end of pam-auth-update config

In addition, it would be great if there was an argument to pamd to specify if the new rule is to be inserted before or after comments. In this case, I would like it to be after the comment, but there may be other use cases.

Actual Results

#
# Updated by Ansible - 2024-12-25T21:03:49.123606
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session    [default=1] pam_permit.so
# here's the fallback if no module succeeds
session    requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session    required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session    required pam_unix.so
session    optional pam_sss.so
session    optional pam_systemd.so
session    optional pam_mkhomedir.so umask=0077

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
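
The two placements listed under Expected Results, together with a check that flags a comment dropped by an edit, as an added example; this is not code from community.general or from the reporter. `insert_after`, `lost_comments` and the `after_comments` switch are hypothetical names, and the sample strings are constructed from the file tail quoted in the issue.

```python
import re

# Constructed sample: the tail of the common-session file quoted in the issue.
BEFORE = (
    '# and here are more per-package modules (the "Additional" block)\n'
    "session\trequired\tpam_unix.so\n"
    "session\toptional\t\t\tpam_sss.so\n"
    "session\toptional\tpam_systemd.so\n"
    "# end of pam-auth-update config\n"
)
# Constructed sample: the same tail as it appears under "Actual Results".
AFTER_BUG = (
    '# and here are more per-package modules (the "Additional" block)\n'
    "session    required pam_unix.so\n"
    "session    optional pam_sss.so\n"
    "session    optional pam_systemd.so\n"
    "session    optional pam_mkhomedir.so umask=0077\n"
)
NEW_RULE = "session    optional pam_mkhomedir.so umask=0077"

# type, control (plain word or [bracketed list]), module path, optional arguments
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def is_comment(line):
    return line.lstrip().startswith("#")

def parse_rule(line):
    """Return (type, control, module_path), or None for comments, blanks, @include."""
    m = None if is_comment(line) else RULE_RE.match(line.strip())
    return m.group(1, 2, 3) if m else None

def insert_after(text, match, new_rule, after_comments=False):
    """Insert new_rule after the first rule equal to match, keeping every other line.
    With after_comments=True it goes below any comment lines that follow the match."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if parse_rule(line) == match:
            pos = i + 1
            while after_comments and pos < len(lines) and is_comment(lines[pos]):
                pos += 1
            lines.insert(pos, new_rule)
            return "\n".join(lines) + "\n"
    raise ValueError("no rule matching %r" % (match,))

def lost_comments(before, after):
    """Comment lines present before an edit and missing after it."""
    kept = {l.strip() for l in after.splitlines() if is_comment(l)}
    return [l.strip() for l in before.splitlines() if is_comment(l) and l.strip() not in kept]
```

Running `lost_comments` on a saved copy of a PAM file and its post-playbook version gives a quick regression check for this behaviour.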
@ansibullbot
Collaborator

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibullbot added the bug, module and plugins labels on Dec 25, 2024