Untitled

# --------------------------------------------------------
#
# View information for use 'logcheck' using passwd and group files
#
# --------------------------------------------------------

# cat /etc/passwd | grep logcheck
logcheck:x:102:104:logcheck system account,,,:/var/lib/logcheck:/bin/false

# cat /etc/group | grep logcheck
adm:x:4:logcheck
mail:x:8:logcheck
logcheck:x:104:

# --------------------------------------------------------
#
# How I want 'logcheck' user to be configured via BCFG2.
# I tried to set this so that it matches the existing user.
#
# --------------------------------------------------------

# cat /var/lib/bcfg2/Properties/accounts.xml
<Properties>

  <!-- Make sure logcheck is a member of the mail group.  By default
          "he" isn't.  On our system logcheck needs to be, or "he" won't be
          able to send mail via sSMTP due to permissions on the ssmtp
          config file related to the presence of a non-critical clear-text
          password.
    -->
  <UnixUser name='logcheck'
	    uid='102'
	    group='logcheck'
	    gid='104'
	    gecos='logcheck system account'
	    home='/var/lib/logcheck'
	    shell='/bin/false'
	    extra_groups='adm mail' />

</Properties>

# --------------------------------------------------------
#
# Running bcfg2 in dry run mode gives no output or indication that
# the user 'logcheck' needs any changing
#
# --------------------------------------------------------

# bcfg2 -vn
Running probe accounts
Probe accounts has result:
U:root:0:root:root@tsw-policy:/root:/bin/bash:
U:daemon:1:daemon:daemon:/usr/sbin:/bin/sh:
U:bin:2:bin:bin:/bin:/bin/sh:
U:sys:3:sys:sys:/dev:/bin/sh:
U:sync:4:nogroup:sync:/bin:/bin/sync:
U:games:5:games:games:/usr/games:/bin/sh:
U:man:6:man:man:/var/cache/man:/bin/sh:
U:lp:7:lp:lp:/var/spool/lpd:/bin/sh:
U:mail:8:mail:mail:/var/mail:/bin/sh:
U:news:9:news:news:/var/spool/news:/bin/sh:
U:uucp:10:uucp:uucp:/var/spool/uucp:/bin/sh:
U:proxy:13:proxy:proxy:/bin:/bin/sh:
U:www-data:33:www-data:www-data:/var/www:/bin/sh:
U:backup:34:backup:backup:/var/backups:/bin/sh:
U:list:38:list:Mailing List Manager:/var/list:/bin/sh:
U:irc:39:irc:ircd:/var/run/ircd:/bin/sh:
U:gnats:41:gnats:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh:
U:nobody:65534:nogroup:nobody:/nonexistent:/bin/sh:
U:libuuid:100:libuuid::/var/lib/libuuid:/bin/sh:
U:sshd:101:nogroup::/var/run/sshd:/usr/sbin/nologin:
U:logcheck:102:logcheck:logcheck system account,,,:/var/lib/logcheck:/bin/false:
adm mail
G:root:0
G:daemon:1
G:bin:2
G:sys:3
G:adm:4
G:tty:5
G:disk:6
G:lp:7
G:mail:8
G:news:9
G:uucp:10
G:man:12
G:proxy:13
G:kmem:15
G:dialout:20
G:fax:21
G:voice:22
G:cdrom:24
G:floppy:25
G:tape:26
G:sudo:27
G:audio:29
G:dip:30
G:www-data:33
G:backup:34
G:operator:37
G:list:38
G:irc:39
G:src:40
G:gnats:41
G:shadow:42
G:utmp:43
G:video:44
G:sasl:45
G:plugdev:46
G:staff:50
G:games:60
G:users:100
G:nogroup:65534
G:libuuid:101
G:crontab:102
G:ssh:103
G:logcheck:104
Running probe groups
Probe groups has result:
group:amd64
Loaded tool drivers:
 APT      Action   DebInit  POSIX

Phase: initial
Correct entries:	253
Incorrect entries:	0
Total managed entries:	253
Unmanaged entries:	5


Phase: final
Correct entries:	253
Incorrect entries:	0
Total managed entries:	253
Unmanaged entries:	5

# --------------------------------------------------------
#
# Running bcfg not in dry-run mode suddenly wants to make a change
# to the 'logcheck' user, but why?  If I am correctly interpreting the
# usermod command it wants to run, this will have no effect on the system.
#
# Doesn't the bcfg2-accounts plugin query the system and check the existing
# user accounts before issuing the command to usermod?
#
# --------------------------------------------------------

# bcfg2 -I
Run Action usermod logcheck, /usr/sbin/usermod           -m           -u '102'           -g 'logcheck'           -G 'adm,mail'           -d '/var/lib/logcheck'           -s '/bin/false'           -c 'logcheck system account'              'logcheck': (y/N): N