V-38500: No UID 0 accounts except root

This task will check for accounts with UID that aren't root. No action is taken on these accounts, but the playbook will fail with an error message. Change-Id: I2cd2a24c64e4139ce21fbe30107346e30b280e62
2015-10-07 11:04:33 -05:00 · 2015-10-07 11:04:33 -05:00 · e33d274a71
commit e33d274a71
parent 241f6cd074
2 changed files with 25 additions and 0 deletions
--- a/doc/source/developer-notes/V-38500.rst
+++ b/doc/source/developer-notes/V-38500.rst
@ -0,0 +1,7 @@
+The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
+that aren't the normal root account. If any matching accounts are found, a
+warning is printed to stdout and the Ansible play will fail.
+
+No action is taken on those accounts as that action may disrupt a production
+environment.  Deployers are strongly urged to use ``sudo`` for these types of
+actions.
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -109,6 +109,24 @@
    - cat1
    - V-38491

+- name: Check for accounts with UID 0 other than root (for V-38500)
+  shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
+  register: v38500_result
+  changed_when: v38500_result.stdout != '0'
+  tags:
+    - auth
+    - cat2
+    - V-38500
+
+- name: V-38500 - The root account must be the only account with UID 0
+  fail:
+    msg: "FAILED: Another account besides root has UID 0"
+  when: v38500_result.stdout != '0'
+  tags:
+    - auth
+    - cat2
+    - V-38500
+
 - name: V-38591 - Remove rshd
  apt:
    name: rsh-server