disable

Disabling a file means renaming it so that it becomes harmless. This feature is useful if you want to prevent certain dangerous files from being around, but you don't want to delete them, since a deleted file cannot be examined later. The syntax is
     
      disable:
     
        class::
     
           /filename
                           type=plain/file/link/links
                           rotate=empty/truncate/numerical-value
                           size=numerical-value
                           define=classlist
                           syslog=true/on/false/off
                           inform=true/on/false/off
                           repository=destination directory
     
     

Cfengine renames a given file by appending the suffix .cfdisabled to its name. A typical example of a file you would probably want to disable is /etc/hosts.equiv, which is often found with the + symbol written in it, opening the system concerned to the entire NIS universe without password protection! Here is an example:

     
     disable:
     
           /etc/hosts.equiv
           /etc/nologin
           /usr/lib/sendmail.fc
     
        sun4::
     
           /var/spool/cron/at.allow
     
     

Hint: The last example disables a file which restricts access to the at utility. Such a command could be followed by a file action (see files),

     files:
     
        some::
     
           /var/spool/cron/at.allow =0644 N [root] [wheel] touch
     
     

which would create an empty security file at.allow. See also your system manual pages for the at command if you don't understand why this could be useful.

Disabling a link deletes the link. If you wish you may use the optional syntax

     
     disable:
     
         /directory/name type=file
     
     

to specify that a file object should only be disabled if it is a plain file. The optional element type= can take the values plain, file, link or links. If one of these is specified, cfengine checks the type and only disables the object if there is a match. This allows you to disable a file and replace it by a link to another file for instance.

NOTE that if you regularly disable a file which then gets recreated by some process, the disabled file filename.cfdisabled will be overwritten each time cfengine disables the file and therefore the contents of the original are lost each time. The rotate facility was created for just this contingency.

The disable feature can be used to control the size of system log files, such as /var/adm/messages using a further option rotate. If the value rotate is set to 4, say,

     
      disable:
     
         filename  rotate=4
     
     

then cfengine renames the file concerned by appending `.1' to it and a new, empty file is created in its place with the same owner and permissions. The next time disable is executed, `.1' is renamed to `.2', the file is renamed to `.1' and a new empty file is created with the same permissions. Cfengine continues to rotate the files like this, keeping a maximum of four files. This is similar to the behaviour of syslog.

If you simply want to empty the contents of a log file, without retaining a copy then you can use rotate=empty or rotate=truncate. For instance, to keep control of your World Wide Web server logs:

     disable:
     
        Sunday|Wednesday::
     
            /usr/local/httpd/logs/access_log  rotate=empty
     

This keeps a running log which is emptied each Sunday and Wednesday.

The size= option in disable allows you to carry out a disable operation only if the size of the file is less than, equal to or greater than some specified size. Sizes are in bytes by default, but may also be quoted in kilobytes or megabytes using the notation:

     
     numberbytes
     numberkbytes
     numbermbytes
     
     

Only the first characters of these strings are significant, so they may be written however is convenient: e.g. 14kB, 14k, 14kilobytes etc. Examples are:

     
        size=<400  # disable if file size is < 400 bytes
        size=400   # disable if file size is equal to 400 bytes
        size=>400  # disable if file size > 400 bytes
     
     

This option works with rotate or normal disabling; it is just an extra condition which must be satisfied.

If a disable command results in action being taken by cfengine, an optional list of classes can be switched on with the aid of a statement define=classlist in order to trigger knock-on actions.

The repository declaration allows a local override of the Repository variable, on an item by item basis. If set to "off" or "none" it cancels the value of a global repository and leaves the disabled file in the same directory.
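
The options described above combined in one configuration, as an added example that is not part of the original manual. The class name at_allow_disabled and the repository path /var/quarantine are assumptions chosen for illustration; the file names and option values are those used earlier on this page.

```cfengine
control:

   # disable must run before files, so that the class defined by
   # the disable action is set when the files action is evaluated
   actionsequence = ( disable files )

disable:

   any::

      # Disable hosts.equiv only if it is a plain file, move the renamed
      # copy to a separate directory (assumed path) so it can be
      # examined later, and report the event
      /etc/hosts.equiv
                      type=plain
                      repository=/var/quarantine
                      inform=true
                      syslog=true

      # Rotate the system log only once it has grown beyond one
      # megabyte, keeping four old generations
      /var/adm/messages
                      rotate=4
                      size=>1mbytes

   sun4::

      # Leave the disabled copy beside the original, overriding any
      # global repository, and switch on a class if action was taken
      /var/spool/cron/at.allow
                      repository=off
                      define=at_allow_disabled

files:

   # Knock-on action: runs only when the disable above did something
   at_allow_disabled::

      /var/spool/cron/at.allow =0644 N [root] [wheel] touch
```

Because the files action is guarded by the class set through define=, the empty at.allow is recreated only on runs where the old one was actually disabled.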