profile_system_auth::kerberos::files_remove_setuid reads as if it should be an array.
Should this be changed?
Leave implementation as-is for now and see if any usage or functionality issues arise. There may be a need to extend this functionality to additional files in the future, and if so, the implementation can be reviewed then.
Regarding: #2 (comment) Long term, I think perhaps we should move this out of this profile and into a more generic security hardening module/profile that can address multiple issues like setuid, setgid, etc.
I think all items related to a given service should be managed only by the module or profile that configures it. Otherwise, we run into issues like:
- multiple modules attempt to control the same resource (i.e., the same file)
- service-related items are spread out in multiple places, making it unclear where a given resource is managed
Using kerberos, for example, I'd prefer that all kerberos-related settings / changes remain in one place, such as puppet-kerberos. In fact, the setuid change probably belongs there (kerberos module) more than here (system auth).