This issue affects creating new files or directories with + and - rules in the mode rather than an explicit octal value. Extra permission bits are set in this case.

  Simple files: rule to demonstrate:

    files:
      /tmp/cfengine/. mode=755 action=create

      # Simulate a pre-existing file and directory.
      /tmp/cfengine/file_with_mode mode=600 action=create
      /tmp/cfengine/dir_with_mode/. mode=700 action=create

      # Ensure that the owner and group have access.
      /tmp/cfengine/file_with_mode mode=u+rw,g+r action=create
      /tmp/cfengine/dir_with_mode/. mode=u+rwx,g+rx action=create

      # Same for new paths we will create.
      /tmp/cfengine/file_with_plusminus mode=u+rw,g+r action=create
      /tmp/cfengine/dir_with_plusminus/. mode=u+rwx,g+rx action=create

The expected result (specifically, the result I personally was expecting) of running this file rule is that file_with_mode will end up with mode 640 and dir_with_mode with mode 750; file_with_plusminus will end up with 640 or 644 or something, depending on the umask, and dir_with_plusminus with 750 or 755 or something.

  In fact they end up as follows:

    drwxr-x--- dir_with_mode
    drwxrwsrwt dir_with_plusminus
    -rw-r----- file_with_mode
    -rw-rwsrwt file_with_plusminus

Whilst it's true that the files did end up with *at least* the permissions I asked for, the other bits are quite unexpected.

The problem is that CheckExistingFile() computes the new permissions based on the result of stat()ing the existing file and since the file is to be created the stat() results are undefined. Fixing it is as simple as zeroing the buffer before doing the stat().

    drwxr-x--- dir_with_mode
    drwxr-x--- dir_with_plusminus
    -rw-r----- file_with_mode
    -rw-r----- file_with_plusminus

The patch is against 2.2.10 as that's what I'm using but it's a one-liner so should apply to SVN too.
--- cfengine-2.2.10/src/wrapper.c
+++ cfengine-2.2.10/src/wrapper.c
@@ -178,6 +178,7 @@ if (IsWildItemIn(ptr->exclusions,lastnode))
 
 Debug("Checking wrapped file object %s\n",ptr->path);
 
+memset(&statbuf, 0, sizeof(statbuf));
 if (stat(startpath,&statbuf) == -1)
    {
    snprintf(OUTPUT,CF_BUFSIZE*2,"Cannot access file/directory %s\n",ptr->path);
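Review bot: the memset makes the "path does not exist yet" case implicit rather than explicit: after `if (stat(startpath,&statbuf) == -1)` the later +/- mode calculation only starts from st_mode == 0 because the buffer happened to be pre-cleared, and every other field (st_uid, st_gid, st_size) now silently reads as 0 too, so any ownership or size comparison downstream compares against zeros instead of being skipped. Suggest recording the create case explicitly, e.g. set a local flag in the `== -1` branch next to the `snprintf(OUTPUT,CF_BUFSIZE*2,"Cannot access file/directory %s\n",ptr->path);` warning and have the mode logic use 0 (or the umask-derived default) as its base when that flag is set, keeping the memset as a belt-and-braces measure. The added `memset(&statbuf, 0, sizeof(statbuf));` line also has no comment saying why the buffer must be clean, which makes it an easy casualty of a later cleanup; a one-line comment would prevent that.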
_______________________________________________
Bug-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/bug-cfengine

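The mechanism behind the report, as an added illustration that is not cfengine's code and not the patch above: a +/- mode spec is only meaningful relative to a base mode, and for a path that does not exist yet that base has to be chosen explicitly rather than read out of a stat buffer that stat() never filled. The parser and the apply_symbolic_mode / base_mode_for_path functions below are this example's own, the 03777 "stale" base is a constructed stand-in for whatever an uninitialized buffer might have held (it reproduces the drwxrwsrwt listing), and new paths start from 0, which is what zeroing the buffer achieves; the umask is deliberately ignored so the effect of the base stays visible.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef S_ISVTX
#define S_ISVTX 01000 /* sticky bit; strict-standard headers may omit it */
#endif

/* Bits one clause grants to the listed who letters (u/g/o): r/w/x land in the
 * matching triplet, s is setuid for u and setgid for g, t is the sticky bit. */
static mode_t perm_bits(const char *who, const char *perms)
{
    mode_t bits = 0;
    int r = strchr(perms, 'r') != NULL, w = strchr(perms, 'w') != NULL;
    int x = strchr(perms, 'x') != NULL, s = strchr(perms, 's') != NULL;

    for (; *who; who++) {
        switch (*who) {
        case 'u': bits |= (r ? S_IRUSR : 0) | (w ? S_IWUSR : 0) | (x ? S_IXUSR : 0) | (s ? S_ISUID : 0); break;
        case 'g': bits |= (r ? S_IRGRP : 0) | (w ? S_IWGRP : 0) | (x ? S_IXGRP : 0) | (s ? S_ISGID : 0); break;
        case 'o': bits |= (r ? S_IROTH : 0) | (w ? S_IWOTH : 0) | (x ? S_IXOTH : 0); break;
        }
    }
    if (strchr(perms, 't') != NULL) bits |= S_ISVTX;
    return bits;
}

/* Every bit the who letters can touch; '=' clears these before setting. */
static mode_t who_mask(const char *who)
{
    mode_t m = 0;
    for (; *who; who++) {
        if (*who == 'u') m |= S_IRWXU | S_ISUID;
        if (*who == 'g') m |= S_IRWXG | S_ISGID;
        if (*who == 'o') m |= S_IRWXO | S_ISVTX;
    }
    return m;
}

/* Apply a spec such as "u+rw,g+r", "o-rwx" or "a=rx" to base and return the
 * result, or (mode_t)-1 for a malformed spec. No who letters means "a". */
mode_t apply_symbolic_mode(const char *spec, mode_t base)
{
    char buf[128];
    char *clause;
    mode_t mode = base & 07777;

    if (strlen(spec) >= sizeof buf) return (mode_t)-1;
    strcpy(buf, spec);
    for (clause = strtok(buf, ","); clause != NULL; clause = strtok(NULL, ",")) {
        char who[16] = {0}, perms[8] = {0};
        size_t nw = 0, np = 0;
        const char *p = clause;
        char op;
        mode_t bits;

        while (*p != '\0' && strchr("ugoa", *p) != NULL) {
            if (*p == 'a') { strcpy(who, "ugo"); nw = 3; }
            else if (nw + 1 < sizeof who) who[nw++] = *p;
            p++;
        }
        if (nw == 0) strcpy(who, "ugo");
        op = *p;
        if (op != '+' && op != '-' && op != '=') return (mode_t)-1;
        for (p++; *p != '\0'; p++) {
            if (strchr("rwxst", *p) == NULL) return (mode_t)-1;
            if (np + 1 < sizeof perms) perms[np++] = *p;
        }
        bits = perm_bits(who, perms);
        if (op == '+')      mode |= bits;
        else if (op == '-') mode &= ~bits;
        else                mode = (mode & ~who_mask(who)) | bits;
    }
    return mode;
}

/* Base mode for a rule: the real st_mode for an existing path, an explicit 0
 * for one that does not exist yet. Returns -1 if stat() failed for a reason
 * other than ENOENT. The memset mirrors the patch; the ENOENT branch is what
 * makes the create case explicit instead of relying on the zeroed buffer. */
int base_mode_for_path(const char *path, mode_t *base, int *exists)
{
    struct stat sb;
    memset(&sb, 0, sizeof sb);
    if (stat(path, &sb) == 0) { *exists = 1; *base = sb.st_mode & 07777; return 0; }
    if (errno == ENOENT)      { *exists = 0; *base = 0; return 0; }
    return -1;
}

int main(void)
{
    /* Constructed cases mirroring the report; 03777 stands in for garbage. */
    struct { const char *label; const char *spec; mode_t base; } cases[] = {
        { "file_with_mode (exists, 0600)",   "u+rw,g+r",   0600 },
        { "dir_with_mode (exists, 0700)",    "u+rwx,g+rx", 0700 },
        { "file_with_plusminus (new, 0)",    "u+rw,g+r",   0 },
        { "dir_with_plusminus (new, 0)",     "u+rwx,g+rx", 0 },
        { "dir_with_plusminus (stale base)", "u+rwx,g+rx", 03777 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s -> %04o\n", cases[i].label,
               (unsigned)apply_symbolic_mode(cases[i].spec, cases[i].base));
    return 0;
}
```

The last table row is the whole bug in one line: with the rules from the report, any bit already present in the base survives, so a stale or uninitialized base becomes a permission grant, whereas the zeroed base gives exactly the 640 and 750 shown in the post-patch listing.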