Consider a promise that confirms file ownership and permissions.  That is 
three things to check.

Premise is that /tmp/foo should be nwatson:bin and 0600.
owner is wrong:
[r...@unxxhd01 inputs]# ls -l /tmp/foo
-rw------- 1 root bin 0 Dec  7 14:13 /tmp/foo
[r...@unxxhd01 inputs]# cf-agent -Kf ./bar.cf
 !! File /tmp/foo is owned by [root], group [bin]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [bin]
I: Made in version 'not specified' of './bar.cf' near line 18
R: /tmp/foo perms correct.
 !! File /tmp/foo is owned by [root], group [bin]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [bin]
I: Made in version 'not specified' of './bar.cf' near line 18

group is wrong:
[r...@unxxhd01 inputs]# ls -l /tmp/foo
-rw------- 1 nwatson root 0 Dec  7 14:13 /tmp/foo
[r...@unxxhd01 inputs]# cf-agent -f ./bar.cf
 !! File /tmp/foo is owned by [nwatson], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [nwatson], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [nwatson], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
R: /tmp/foo perms correct.

owner and group wrong:
[r...@unxxhd01 inputs]# ls -l /tmp/foo
-rw------- 1 root root 0 Dec  7 14:13 /tmp/foo
[r...@unxxhd01 inputs]# cf-agent -Kf ./bar.cf
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
R: /tmp/foo perms correct.
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18

mode is wrong:
[r...@unxxhd01 inputs]# ls -l /tmp/foo
-rw-r--r-- 1 nwatson bin 0 Dec  7 14:13 /tmp/foo
[r...@unxxhd01 inputs]# cf-agent -Kf ./bar.cf
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18

all is wrong:
-rw-r--r-- 1 root root 0 Dec  7 14:13 /tmp/foo
[r...@unxxhd01 inputs]# cf-agent -Kf ./bar.cf
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! File /tmp/foo is owned by [root], group [root]
I: Made in version 'not specified' of './bar.cf' near line 18
 !! /tmp/foo has permission 644 - [should be 600]
I: Made in version 'not specified' of './bar.cf' near line 18

Notice that when the owner and/or group is wrong but the mode is correct, 
the promise is defined as kept, since the report promise is seen.  Evidence 
suggests that CF ignores ownership in this promise when considering 
whether the promise has been kept.  Also, as mentioned in another thread, 
when the owner and group are wrong Cf shows this but, unlike when the mode 
is wrong, does not show what the group and mode should be.

Test case:
######################
body common control {
    bundlesequence => { "test" };
}

bundle common g {
    classes:

        "all" expression => "any";
}

bundle agent test {

    files:

        any::
            "/tmp/foo"
            action => warn_now,
            perms => system(
                "0600",
                "nwatson",
                "bin"
                ),
            classes => cdefine(
                "/tmp/foo_kept",
                "/tmp/foo_repaired",
                "/tmp/foo_failed"
                );

    reports:

        all::

            "/tmp/foo perms correct.",
            ifvarclass => canonify("/tmp/foo_kept");

            "WARNING: /tmp/foo perms fixed.",
            ifvarclass => canonify("/tmp/foo_repaired");

            "ALARM: /tmp/foo perms could not be fixed.",
            ifvarclass => canonify("/tmp/foo_failed");
}


body classes cdefine (k,r,f){
    promise_kept => {canonify("${k}")};
    promise_repaired => {canonify("${r}")};
    repair_failed => {canonify("${f}")};
}
body perms system(p,u,g) {
    mode => "${p}";
    owners => { "${u}" };
    groups => { "${g}" };
}

body action warn_now{
    action_policy => "warn";
    log_level => "inform";
    background => "true";
}

Sincerely,
--
Neil Watson
416-673-3465
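The post's test case promises three attributes on /tmp/foo (owner nwatson, group bin, mode 0600) and observes that cf-agent reports a wrong owner or group without saying what they should be. The checker below is an added example for comparison; it is not code from the post and not part of CFEngine. It evaluates the same three attributes and emits one "should be" line for each that differs, so ownership drift is reported in the same shape as the mode message. The path, user and group are taken from the post; the message wording only approximates cf-agent's output.

```python
"""Stand-alone owner/group/mode checker (added example, not CFEngine code).

Evaluates the three attributes a perms body promises and reports the
expected value for every one that is wrong, owner and group included.
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class PermsPromise:
    """What a file should look like; mode holds permission bits, e.g. 0o600."""
    path: str
    owner: str
    group: str
    mode: int


def observe(path):
    """Return (owner, group, mode) as found on disk.

    mode is reduced to the permission bits so that file type bits do not
    make every comparison fail.
    """
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return owner, group, stat.S_IMODE(st.st_mode)


def evaluate(promise, owner, group, mode):
    """Compare observed values with the promise.

    Returns (kept, messages): kept is True only when all three attributes
    match; messages has one 'should be' line per attribute that differs.
    """
    problems = []
    if owner != promise.owner:
        problems.append(
            f"{promise.path} is owned by [{owner}] - [should be {promise.owner}]")
    if group != promise.group:
        problems.append(
            f"{promise.path} has group [{group}] - [should be {promise.group}]")
    if mode != promise.mode:
        problems.append(
            f"{promise.path} has permission {mode:o} - [should be {promise.mode:o}]")
    return (not problems, problems)


def check(promise):
    """Stat the promised path and evaluate it against the promise."""
    return evaluate(promise, *observe(promise.path))


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a temp file owned by the current user with mode 0644,
    # checked against a promise wanting 0600 and the post's nwatson:bin.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    try:
        kept, msgs = check(PermsPromise(path, "nwatson", "bin", 0o600))
        print("kept" if kept else "not kept")
        for m in msgs:
            print(" !!", m)
    finally:
        os.unlink(path)
```

evaluate() is kept separate from observe() so the comparison can be exercised with recorded owner/group/mode values without needing root to chown a file; check() is the convenience wrapper for a live path.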

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine