Issue #4267 has been reported by Jim Bala.
----------------------------------------
Bug #4267: ssh_authorized_users tries to save to local filebucket as non-root user
http://projects.puppetlabs.com/issues/4267
Author: Jim Bala
Status: Unreviewed
Priority: Normal
Assigned to:
Category:
Target version:
Affected version: 2.6.0rc3
Keywords: ssh_authorized_keys filebucket clientbucketdir Puppet::Util::SUIDManager
Branch:
Full path: /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb
Issue:
Filebucketing is being done with euid set to the user
that owns the authorized_keys file, which means it fails since a
normal user could never write to /var/lib/puppet.
I don't know enough ruby to be more detailed than that.
The original line 64 in the file above is:
Puppet::Util::SUIDManager.asuser(@resource.should(:user)) { super }
The equivalent line didn't work in 0.25.4 or 0.25.5 and it still
doesn't work in 2.6.0rc3 (RHEL5.5, rpm from tmz.fedoraproject.org).
If I replace line 64 with the following line, it all works nicely.
Puppet::Util::SUIDManager.asuser('root') { super }
Here's the (sanitized) debug/trace output from puppetd -d:
notice: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created
debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys
info: FileBucket got a duplicate file /home/someuser/.ssh/authorized_keys ({md5}d41d8cd98f00b204e9800998ecf8427e)
err: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]: Could not evaluate: Could not back up /home/someuser/.ssh/authorized_keys: Permission denied - /var/lib/puppet/clientbucket/d/4/1/d/8/c/d/9/d41d8cd98f00b204e9800998ecf8427e/paths
notice: /Stage[main]//Sshuser[otheruser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created
debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys
/usr/lib/ruby/1.8/fileutils.rb:1404:in `stat'
/usr/lib/ruby/1.8/fileutils.rb:1404:in `fu_same?'
/usr/lib/ruby/1.8/fileutils.rb:1378:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:1395:in `fu_each_src_dest0'
/usr/lib/ruby/1.8/fileutils.rb:1377:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:382:in `cp'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:109:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `real_write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:339:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:62:in `asuser'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/type.rb:628:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:93:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in `eval_children_and_apply_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:144:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:101:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/usr/sbin/puppetd:4
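Added example, not Puppet's code and not part of the report above: a small Ruby model of the two steps the provider's flush performs, backing the old authorized_keys up into the local filebucket and then rewriting the file, run against an in-memory directory tree that applies the Unix owner/group/other write check to whatever effective uid the caller holds at that moment. It reproduces the "Permission denied - .../clientbucket/.../paths" from the trace without root or Puppet: d41d8cd98f00b204e9800998ecf8427e is the md5 of an empty file, so the bucket already held that entry ("FileBucket got a duplicate file") and only the paths list needed appending, and that append is what was refused while the euid was the key owner's. It also shows the ordering that keeps the privilege drop around the write into ~/.ssh while letting the bucket write run as the agent; the asuser('root') workaround makes everything succeed but gives up the drop the provider applies on purpose when writing into a user-owned directory. The uids, the user name, the FakeFs and Agent classes and the scenario builder are constructed for this example.

```ruby
require 'digest/md5'

ROOT_UID = 0
BUCKET = '/var/lib/puppet/clientbucket'
class PermissionDenied < StandardError; end

# Owner, group, mode bits and, for a directory, the entries below it (nil for a file).
Node = Struct.new(:uid, :gid, :mode, :children)

# In-memory directory tree that applies the kernel's owner/group/other write check.
class FakeFs
  def initialize
    @root = Node.new(ROOT_UID, 0, 0o755, {})
  end

  def lookup(path)
    path.split('/').reject(&:empty?).inject(@root) { |node, name| node.children.fetch(name) }
  end

  # Create +path+ with explicit ownership, as the package or the user would have.
  def create(path, uid, gid, mode, dir: true)
    lookup(File.dirname(path)).children[File.basename(path)] = Node.new(uid, gid, mode, dir ? {} : nil)
  end

  # Write permission for the caller's effective ids: root bypasses the check,
  # otherwise the owner, group or other write bit of +node+ decides.
  def writable?(node, euid, egid)
    return true if euid == ROOT_UID
    bits = node.uid == euid ? node.mode >> 6 : (node.gid == egid ? node.mode >> 3 : node.mode)
    (bits & 0o2) != 0
  end

  # FileUtils.mkdir_p: every directory created needs write permission on its parent.
  def mkdir_p(path, euid, egid)
    path.split('/').reject(&:empty?).inject(@root) do |node, name|
      unless node.children.key?(name)
        raise PermissionDenied, "Permission denied - #{path}" unless writable?(node, euid, egid)
        node.children[name] = Node.new(euid, egid, 0o750, {})
      end
      node.children[name]
    end
  end

  # Open a file for writing: an existing file must itself be writable, a new one
  # needs write permission on its directory.
  def write(path, euid, egid)
    parent, name = lookup(File.dirname(path)), File.basename(path)
    raise PermissionDenied, "Permission denied - #{path}" unless writable?(parent.children[name] || parent, euid, egid)
    parent.children[name] ||= Node.new(euid, egid, 0o640, nil)
  end
end

# puppetd runs as root; like Puppet::Util::SUIDManager.asuser, as_user switches the
# effective ids for the duration of a block and restores them afterwards.
class Agent
  def initialize(fs)
    @fs, @euid, @egid = fs, ROOT_UID, 0
  end

  def as_user(uid, gid)
    saved = [@euid, @egid]
    @euid, @egid = uid, gid
    yield
  ensure
    @euid, @egid = saved if saved
  end

  # Local filebucket layout from the trace: one directory per leading hex digit of the
  # md5, then the full sum, holding 'contents' and 'paths'. A duplicate keeps the stored
  # contents and only appends to 'paths' (the "FileBucket got a duplicate file" line).
  def bucket(content)
    sum = Digest::MD5.hexdigest(content)
    dir = File.join(BUCKET, *sum[0, 8].chars, sum)
    node = @fs.mkdir_p(dir, @euid, @egid)
    @fs.write(File.join(dir, 'contents'), @euid, @egid) unless node.children.key?('contents')
    @fs.write(File.join(dir, 'paths'), @euid, @egid)
    sum
  end

  # Ordering in the reported provider: the whole flush, backup included, runs with the
  # key owner's ids, so the append to the root-owned 'paths' file is refused.
  def flush_as_reported(user, keys_path, old_content)
    as_user(user[:uid], user[:gid]) do
      bucket(old_content)
      @fs.write(keys_path, @euid, @egid)
    end
  end

  # Back up with the agent's own ids and drop to the key owner only for the write into
  # that user's ~/.ssh. Returns the md5 the backup was filed under.
  def flush_fixed(user, keys_path, old_content)
    sum = bucket(old_content)
    as_user(user[:uid], user[:gid]) { @fs.write(keys_path, @euid, @egid) }
    sum
  end
end

# Constructed layout matching the report: a root-owned clientbucket already holding the
# entry for the empty file, and an empty authorized_keys owned by its (made-up) user.
SOMEUSER = { uid: 1001, gid: 1001 }.freeze
KEYS_PATH = '/home/someuser/.ssh/authorized_keys'

def build_scenario
  fs = FakeFs.new
  %w[/var/lib/puppet /home].each { |d| fs.mkdir_p(d, ROOT_UID, 0) }
  fs.create(BUCKET, ROOT_UID, 0, 0o750)
  fs.create('/home/someuser', SOMEUSER[:uid], SOMEUSER[:gid], 0o700)
  fs.create('/home/someuser/.ssh', SOMEUSER[:uid], SOMEUSER[:gid], 0o700)
  fs.create(KEYS_PATH, SOMEUSER[:uid], SOMEUSER[:gid], 0o600, dir: false)
  agent = Agent.new(fs)
  agent.bucket('')  # an earlier root run already bucketed the empty file: the duplicate in the trace
  agent
end
```

build_scenario.flush_as_reported(SOMEUSER, KEYS_PATH, '') raises PermissionDenied with the same path the trace shows, while build_scenario.flush_fixed(SOMEUSER, KEYS_PATH, '') returns d41d8cd98f00b204e9800998ecf8427e and leaves the write to authorized_keys running under the key owner's ids, which is the behaviour asuser(@resource.should(:user)) was there to provide.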
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.