Issue #4267 has been updated by Jesse Wolfe.

Status changed from Accepted to Ready for Testing
Branch set to http://github.com/jes5199/puppet/tree/ticket/2.6.x/4267
----------------------------------------
Bug #4267: ssh_authorized_users tries to save to local filebucket as non-root user
http://projects.puppetlabs.com/issues/4267

Author: Jim Bala
Status: Ready for Testing
Priority: Normal
Assignee:
Category:
Target version: 2.6.2
Affected version: 2.6.0
Keywords: ssh_authorized_keys filebucket clientbucketdir Puppet::Util::SUIDManager
Branch: http://github.com/jes5199/puppet/tree/ticket/2.6.x/4267

Full path: /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb

Issue: Filebucketing is being done with euid set to the user that owns the authorized_keys file, which means it fails since a normal user could never write to /var/lib/puppet. I don't know enough ruby to be more detailed than that.

The original line 64 in the file above is:

Puppet::Util::SUIDManager.asuser(@resource.should(:user)) { super }

The equivalent line didn't work in 0.25.4 or 0.25.5 and it still doesn't work in 2.6.0rc3 (RHEL5.5, rpm from tmz.fedoraproject.org).

If I replace line 64 with the following line, it all works nicely.

Puppet::Util::SUIDManager.asuser('root') { super }

Here's the (sanitized) debug/trace output from puppetd -d:

<pre>
notice: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created
debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys
info: FileBucket got a duplicate file /home/someuser/.ssh/authorized_keys ({md5}d41d8cd98f00b204e9800998ecf8427e)
err: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]: Could not evaluate: Could not back up /home/someuser/.ssh/authorized_keys: Permission denied - /var/lib/puppet/clientbucket/d/4/1/d/8/c/d/9/d41d8cd98f00b204e9800998ecf8427e/paths
notice: /Stage[main]//Sshuser[otheruser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created
debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys
/usr/lib/ruby/1.8/fileutils.rb:1404:in `stat'
/usr/lib/ruby/1.8/fileutils.rb:1404:in `fu_same?'
/usr/lib/ruby/1.8/fileutils.rb:1378:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:1395:in `fu_each_src_dest0'
/usr/lib/ruby/1.8/fileutils.rb:1377:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:382:in `cp'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:109:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `real_write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:339:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:62:in `asuser'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/type.rb:628:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:93:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in `eval_children_and_apply_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:144:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:101:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/usr/sbin/puppetd:4
</pre>
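
The failure reported above, reduced to a model (an added example, not code from the ticket or from Puppet): the backup runs inside the privilege-dropped block and is refused, while backing up before dropping privileges succeeds and still leaves the write to the user's file under the user's uid. FakeSUID, Bucket, the flush_* helpers and uid 500 are assumptions made for the illustration.

```ruby
# Constructed model of the ordering problem in this ticket; not Puppet code.
# FakeSUID, Bucket, flush_* and uid 500 are hypothetical.
module FakeSUID
  @euid = 0 # the agent starts as root
  class << self
    attr_reader :euid
    # Same shape as SUIDManager.asuser: switch euid, run block, restore.
    def asuser(uid)
      old, @euid = @euid, uid
      yield
    ensure
      @euid = old
    end
  end
end

# Stand-in for the clientbucket directory: only uid 0 may write there.
class Bucket
  attr_reader :saved
  def initialize; @saved = []; end
  def backup(path)
    raise Errno::EACCES, 'clientbucket' unless FakeSUID.euid.zero?
    @saved << path
  end
end

# Pattern from the report: backup and write both run inside the asuser block.
def flush_whole_block(uid, path, bucket, writes)
  FakeSUID.asuser(uid) { bucket.backup(path); writes << FakeSUID.euid }
end

# Narrower ordering (an assumption, not the project's fix): back up with the
# agent's privileges, drop to the file owner only for the write itself.
def flush_split(uid, path, bucket, writes)
  bucket.backup(path)
  FakeSUID.asuser(uid) { writes << FakeSUID.euid }
end

def demo
  path = '/home/someuser/.ssh/authorized_keys' # path from the debug output
  bucket, writes = Bucket.new, []
  first = begin
    flush_whole_block(500, path, bucket, writes)
    :ok
  rescue Errno::EACCES
    :permission_denied
  end
  flush_split(500, path, bucket, writes)
  { whole_block: first, backups: bucket.saved, write_uids: writes, euid_after: FakeSUID.euid }
end
```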
