Issue #4267 has been updated by Markus Roberts.

Status changed from Unreviewed to Accepted
Target version set to 2.6.1
Affected version changed from 2.6.0rc3 to 2.6.0

So it's very clear what the problem is (thank you!) but I'm not sure what to do about it. The change in commit:ae520057280c2454bc44c64ac1e6686bf2eb086d includes the (rather deeply nested, I fear) file backup inside the as-owner block. Perhaps this block wrapper could be pushed down, but the two ways I can think of to do it are both rather ugly.

----------------------------------------
Bug #4267: ssh_authorized_users tries to save to local filebucket as non-root user
http://projects.puppetlabs.com/issues/4267

Author: Jim Bala
Status: Accepted
Priority: Normal
Assigned to:
Category:
Target version: 2.6.1
Affected version: 2.6.0
Keywords: ssh_authorized_keys filebucket clientbucketdir Puppet::Util::SUIDManager
Branch:

Full path: /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb

Issue: Filebucketing is being done with euid set to the user that owns the authorized_keys file, which means it fails since a normal user could never write to /var/lib/puppet. I don't know enough ruby to be more detailed than that.

The original line 64 in the file above is:

    Puppet::Util::SUIDManager.asuser(@resource.should(:user)) { super }

The equivalent line didn't work in 0.25.4 or 0.25.5 and it still doesn't work in 2.6.0rc3 (RHEL5.5, rpm from tmz.fedoraproject.org).

If I replace line 64 with the following line, it all works nicely.

    Puppet::Util::SUIDManager.asuser('root') { super }

Here's the (sanitized) debug/trace output from puppetd -d:

    notice: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created
    debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys
    info: FileBucket got a duplicate file /home/someuser/.ssh/authorized_keys ({md5}d41d8cd98f00b204e9800998ecf8427e)
    err: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]: Could not evaluate: Could not back up /home/someuser/.ssh/authorized_keys: Permission denied - /var/lib/puppet/clientbucket/d/4/1/d/8/c/d/9/d41d8cd98f00b204e9800998ecf8427e/paths
    notice: /Stage[main]//Sshuser[otheruser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created
    debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys
    /usr/lib/ruby/1.8/fileutils.rb:1404:in `stat'
    /usr/lib/ruby/1.8/fileutils.rb:1404:in `fu_same?'
    /usr/lib/ruby/1.8/fileutils.rb:1378:in `fu_each_src_dest'
    /usr/lib/ruby/1.8/fileutils.rb:1395:in `fu_each_src_dest0'
    /usr/lib/ruby/1.8/fileutils.rb:1377:in `fu_each_src_dest'
    /usr/lib/ruby/1.8/fileutils.rb:382:in `cp'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:109:in `write'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `real_write'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `write'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `each'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:339:in `flush'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush'
    /usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:62:in `asuser'
    /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush'
    /usr/lib/ruby/site_ruby/1.8/puppet/type.rb:628:in `flush'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:93:in `evaluate'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in `eval_children_and_apply_resource'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark'
    /usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
    /usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each'
    /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate'
    /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:144:in `apply'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark'
    /usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
    /usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
    /usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:101:in `with_client'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
    /usr/sbin/puppetd:4
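
The ordering problem discussed in this thread, as an added example that is not part of the original message and is not Puppet's code: a small Ruby model in which the backup either runs inside the as-owner block (and is denied) or is moved ahead of it. `FlushModel` and its methods are hypothetical names, and the effective user is simulated rather than changed with real setuid calls.

```ruby
# Constructed model of the privilege scoping in bug #4267. Class, method and
# file names are hypothetical; no real setuid call is made, so it runs unprivileged.
class FlushModel
  ROOT   = 'root'
  BUCKET = '/var/lib/puppet/clientbucket'
  SSHDIR = '/home/someuser/.ssh'

  attr_reader :euser, :files

  def initialize
    @euser = ROOT
    @dir_owner = { BUCKET => ROOT, SSHDIR => 'someuser' } # constructed layout
    @files = {} # path => [user it was written as, content]
  end

  # Switch the effective user for the block and always switch back.
  def asuser(user)
    saved, @euser = @euser, user
    yield
  ensure
    @euser = saved
  end

  # Only root or the directory's owner may write into a directory.
  def write(dir, name, content)
    unless [ROOT, @dir_owner.fetch(dir)].include?(@euser)
      raise Errno::EACCES, "#{dir}/#{name}"
    end
    @files["#{dir}/#{name}"] = [@euser, content]
  end

  # Copy the current authorized_keys content into the bucket.
  def backup
    old = @files.fetch("#{SSHDIR}/authorized_keys", [nil, ''])[1]
    write(BUCKET, 'paths', old)
  end

  # Reported behaviour: the backup runs inside the as-owner block.
  def flush_as_owner(user, keys)
    asuser(user) { backup; write(SSHDIR, 'authorized_keys', keys) }
  end

  # Block pushed down: back up while privileged, write the target as the owner.
  def flush_narrowed(user, keys)
    backup
    asuser(user) { write(SSHDIR, 'authorized_keys', keys) }
  end
end
```

In the model, `flush_as_owner` fails on the bucket write before the key file is touched, while `flush_narrowed` leaves the bucket entry written as root and the key file written as the owning user.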
