fix(R5.4.3). Correct regexes so that they match #98
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- The previous regex requires exactly *one* space between
`default=ignore]` and `pam_unix.so` which on a default OS installetion never matches, is now fixed
- The `.*` in `(.*)(remember=([0-9]{1,})|)` was greedy, which means that
everything after it never matches
- I name the groups now which is easier than the numbers
- I took care that when inserting a non-existing `remember=` before and after it is at least one space.
- A the same time I make sure that *not* on every run, an additonal
space is added on replacement, so that the line is *not* endlessly
growing.
- The `ansible.builtin.shell: grep 'password.*pam_unix.so' /etc/pam.d/common-password` do not require
the `[success=1 default=ignore]` but the lineinfile regexs did,
which would mean that the grep-regex match but not later lineinfile-regexes not ⇒
I updated it, so that no one requires the `[success=1 default=ignore]`
still prserves it.
Signed-off-by: Fabian Raab <[email protected]>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the Discord Server as well.
uk-bolly
approved these changes
Sep 25, 2023
raabf
deleted the
siemens/ubuntu22/r5_4_3-pam_d-password_reuse_limited
branch
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overall Review of Changes:
The core is that I improved a regex which do not match:
to
Issue Fixes:
N/A
Enhancements:
default=ignore]andpam_unix.sowhich on a default OS installation never matches, is now fixed.*in(.*)(remember=([0-9]{1,})|)of the old regex is greedy, which means thateverything after it never matches.
remember=, before and after at least one space is inserted.space is added on replacement, so that the line is not endlessly
growing.
ansible.builtin.shell: grep 'password.*pam_unix.so' /etc/pam.d/common-passworddo not requirethe
[success=1 default=ignore]but the lineinfile regexes did,which would mean that the grep-regex match but not later lineinfile-regexes not ⇒
I updated it, so that no one requires the
[success=1 default=ignore], butit will still preserve that part.
[^\S\n], this is the shortest way to describe what in other regex-languages is known as\h(horizontal whitespace). Compared to\sthis helps especially when there are only empty matches after it.How has this been tested?:
Some manual runs of the changed task which inserted or kept
remember=option correctly, andMatching Examples to see regex in action: https://regex101.com/r/Kuxcwj