[MediaWiki-commits] [Gerrit] operations/puppet[production]: user homes: Allow git to control +x for $HOME files

[Alexandros Kosiaris (Code Review)]

Alexandros Kosiaris has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/377056 )

Change subject: user homes: Allow git to control +x for $HOME files
......................................................................


user homes: Allow git to control +x for $HOME files

Using an octal mode for recursive management of per-user home directory
contents forces exactly those permissions on the managed files. This
means that files like $HOME/bin/foo will end up provisioned with 0644
permissions even if the file was stored in git with `--chmod=+x`
permissions. Using symbolic permissions instead will only modify the
bits that have been explicitly provided. The new symbolic mode will
ensure that files are readable by all users, directories are traversable
by all users, and both files and directories are writable by the owner.
The execute bit for files will not be modified from the git managed
value.

Change-Id: I6bd9be8a946fef97df4b1f759a50afb59561ae15
---
M modules/admin/manifests/user.pp
1 file changed, 12 insertions(+), 9 deletions(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved
  Addshore: Looks good to me, but someone else must approve



diff --git a/modules/admin/manifests/user.pp b/modules/admin/manifests/user.pp
index 310d8f1..e7f45f3 100644
--- a/modules/admin/manifests/user.pp
+++ b/modules/admin/manifests/user.pp
@@ -71,18 +71,21 @@
     # Puppet chokes if we try to absent subfiles to /home/${user}
     if $ensure == 'present' {
         file { "/home/${name}":
-            ensure       => ensure_directory($ensure),
-            source       => [
+            ensure             => ensure_directory($ensure),
+            source             => [
                 "puppet:///modules/admin/home/${name}/",
                 'puppet:///modules/admin/home/skel/',
             ],
-            sourceselect => 'first',
-            recurse      => 'remote',
-            mode         => '0644',
-            owner        => $name,
-            group        => $gid,
-            force        => true,
-            require      => User[$name],
+            sourceselect       => 'first',
+            recurse            => 'remote',
+            # Use source_permissions so that +x bit from git will be applied
+            # on the files when they are provisioned on hosts.
+            source_permissions => 'use',
+            mode               => undef,
+            owner              => $name,
+            group              => $gid,
+            force              => true,
+            require            => User[$name],
         }
     }
 

-- 
To view, visit https://gerrit.wikimedia.org/r/377056
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I6bd9be8a946fef97df4b1f759a50afb59561ae15
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Addshore <addshorew...@gmail.com>
Gerrit-Reviewer: Alex Monk <kren...@gmail.com>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits