Merge pull request #113 from mcgege/usergroups

Make paramater USERGROUPS_ENAB in login.defs configurable
dev-sec · Jan 10, 2018 · f4d2172 · f4d2172
2 parents 1499296 + 67aac22
commit f4d2172
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -36,6 +36,8 @@ This Puppet module provides secure configuration of your base OS with hardening.
   add additional paths to the user's `PATH` variable (default is empty).
 * `umask = "027"`
   umask used for the creation of new home directories by useradd / newusers
+* `usergroups = true`
+  true if you want separate groups for each user, false otherwise
 * `password_max_age = 60`
   maximum password age
 * `password_min_age = 7`

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -14,6 +14,7 @@
 
   $extra_user_paths         = [],
   $umask                    = undef,
+  $usergroups               = true,
   $sys_uid_min              = undef,
   $sys_gid_min              = undef,
   $password_max_age         = 60,
@@ -118,6 +119,7 @@
   class { 'os_hardening::login_defs':
     extra_user_paths         => $extra_user_paths,
     umask                    => $merged_umask,
+    usergroups               => $usergroups,
     sys_uid_min              => $merged_sys_uid_min,
     sys_gid_min              => $merged_sys_gid_min,
     password_max_age         => $password_max_age,

diff --git a/manifests/login_defs.pp b/manifests/login_defs.pp
@@ -12,6 +12,7 @@
 class os_hardening::login_defs (
   $extra_user_paths         = [],
   $umask                    = '027',
+  $usergroups               = true,
   $sys_uid_min              = 100,
   $sys_gid_min              = 100,
   $password_max_age         = 60,
@@ -25,6 +26,9 @@
   # prepare all variables
   $additional_user_paths = join($extra_user_paths, ':')
 
+  # convert bool to yes/no
+  $usergroups_yn = bool2str($usergroups, 'yes', 'no')
+
   # set the file
   file { '/etc/login.defs':
       ensure  => file,

diff --git a/templates/login.defs.erb b/templates/login.defs.erb
@@ -88,7 +88,7 @@ UMASK   <%= @umask %>
 
 # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
 # If set to yes, userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user.
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB <%= @usergroups_yn %>
 
 
 # Password aging controls