
PAM lens: order matters - enable 'ins'? #134

Closed
leoarnold opened this issue Jun 12, 2014 · 3 comments
@leoarnold

We all know that order matters in the /etc/pam.d/* files.

Currently, Augeas will read a file like this:

/files/etc/pam.d/sshd/6/module = "pam_env.so"

As far as I understand, it is not possible to insert a record before the record where /module = "pam_env.so" using the ins command.

As a fix, I would suggest changing seq to label in line 58 of pam.aug, i.e.

let record_svc = [ label "record" . indent . record ]
@raphink
Member

raphink commented Jun 13, 2014

You can certainly insert a record before 6:

ins 01 before /files/etc/pam.d/sshd/6

should work perfectly fine. There's no need for numbers to follow each other in the tree, they're just numbers given by Augeas when it parses the tree in order to prevent identical labels.

@leoarnold
Author

Well, in the usual case (i.e. via puppet), you don't know the numbers.

Which commands could then do the following:

  • Insert a record above all others?
  • Insert a record as last line in the document?
  • Insert a record right before the record with module = "pam_env.so"?

@raphink
Member

raphink commented Jun 13, 2014

  • Insert a record above all others:
      ins 01 before /files/etc/pam.d/sshd/*[1]
      set /files/etc/pam.d/sshd/01 "some value"
  • Insert a record as last line in the document:
      set /files/etc/pam.d/sshd/01 "some value"
  • Insert a record right before the record with module = "pam_env.so":
      ins 01 before /files/etc/pam.d/sshd/*[module="pam_env.so"]
      set /files/etc/pam.d/sshd/01 "some value"

Now in particular for this PAM module in Puppet, you probably want to use the pam provider from augeasproviders which is cleanly written in Ruby and has the features you want:

pam { "Set sss entry to system-auth auth":
  ensure    => present,
  service   => 'system-auth',
  type      => 'auth',
  control   => 'sufficient',
  module    => 'pam_sss.so',
  arguments => 'use_first_pass',
  position  => 'before module pam_deny.so',
}
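The following is an added example, not code from this issue or from the Augeas project: it exercises two of the insertion recipes above (before a record matched by its module, and above all others) against a constructed /etc/pam.d/sshd under a scratch root, using `augtool --root` so the real /etc is never touched. It assumes augtool and the stock pam lens are installed; if augtool is missing the function only reports that and returns success. The module names and the `delay=` argument are constructed sample values; nothing here is meant as a recommended PAM stack.

```shell
#!/bin/sh
# Added example (not from the issue): show that the label given to `ins`
# ("01", "02") is arbitrary and that file order follows tree order.
# Assumes: augtool on PATH with the pam lens; nothing is written outside
# the temporary root created by mktemp.

demo_pam_insert() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/pam.d" || return 1

    # Constructed sample stack; real sshd files are longer and carry comments.
    cat > "$root/etc/pam.d/sshd" <<'EOF'
auth	required	pam_nologin.so
auth	required	pam_env.so
account	required	pam_unix.so
session	required	pam_limits.so
EOF

    if ! command -v augtool >/dev/null 2>&1; then
        echo "augtool not installed; skipping the live demonstration" >&2
        rm -rf "$root"
        return 0
    fi

    # Records are nodes whose fields (type/control/module/argument) are
    # children, as the issue's own tree dump shows for /6/module, so the new
    # record gets its fields set one by one rather than a single value.
    augtool --root "$root" --autosave >/dev/null <<'EOF'
ins 01 before /files/etc/pam.d/sshd/*[module="pam_env.so"]
set /files/etc/pam.d/sshd/01/type auth
set /files/etc/pam.d/sshd/01/control required
set /files/etc/pam.d/sshd/01/module pam_faildelay.so
set /files/etc/pam.d/sshd/01/argument delay=2000000
ins 02 before /files/etc/pam.d/sshd/*[1]
set /files/etc/pam.d/sshd/02/type auth
set /files/etc/pam.d/sshd/02/control required
set /files/etc/pam.d/sshd/02/module pam_sepermit.so
EOF

    # Verify the resulting line order: sepermit first, faildelay directly
    # above pam_env.so (lines 1, 3 and 4 of the rewritten file).
    first=$(awk '$3=="pam_sepermit.so"{print NR}' "$root/etc/pam.d/sshd")
    delay=$(awk '$3=="pam_faildelay.so"{print NR}' "$root/etc/pam.d/sshd")
    env=$(awk '$3=="pam_env.so"{print NR}' "$root/etc/pam.d/sshd")
    rm -rf "$root"

    [ "$first" = 1 ] || return 1
    [ "$delay" = 3 ] || return 1
    [ "$env" = 4 ] || return 1
    return 0
}

demo_pam_insert && echo "insertion order verified"
```

Two caveats worth knowing before reusing the `*[1]` recipe on a real file: the first child of a pam.d file is often a `#comment` node rather than a record, so "above all others" may land after the header comments only if you match on a record explicitly; and because the label is discarded on save, the same `ins` run twice inserts two records, so an idempotent tool (such as the augeasproviders pam type shown above) should check for the module before inserting.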
