Issue #4267 has been updated by Markus Roberts. Status changed from Ready for Testing to Ready for Checkin
I'd like to see more testing on this, but as there are no reported issues & it's by far the best solution anyone's proposed, it's at the very least rc-ready. ---------------------------------------- Bug #4267: ssh_authorized_users tries to save to local filebucket as non-root user http://projects.puppetlabs.com/issues/4267 Author: Jim Bala Status: Ready for Checkin Priority: Normal Assignee: Category: Target version: 2.6.2 Affected version: 2.6.0 Keywords: ssh_authorized_keys filebucket clientbucketdir Puppet::Util::SUIDManager Branch: http://github.com/jes5199/puppet/tree/ticket/2.6.x/4267 Full path: /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb Issue: Filebucketing is being done with euid set to the user that owns the authorized_keys file, which means it fails since a normal user could never write to /var/lib/puppet. I don't know enough ruby to be more detailed than that. The original line 64 in the file above is: Puppet::Util::SUIDManager.asuser(@resource.should(:user)) { super } The equivalent line didn't work in 0.25.4 or 0.25.5 and it still doesn't work in 2.6.0rc3 (RHEL5.5, rpm from tmz.fedoraproject.org). If I replace line 64 with the following line, it all works nicely. Puppet::Util::SUIDManager.asuser('root') { super } Here's the (sanitized) debug/trace output from puppetd -d: <pre> notice: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys info: FileBucket got a duplicate file /home/someuser/.ssh/authorized_keys ({md5}d41d8cd98f00b204e9800998ecf8427e) err: /Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]: Could not evaluate: Could not back up /home/someuser/.ssh/authorized_keys: Permission denied - /var/lib/puppet/clientbucket/d/4/1/d/8/c/d/9/d41d8cd98f00b204e9800998ecf8427e/paths notice: /Stage[main]//Sshuser[otheruser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure: created debug: Flushing ssh_authorized_key provider target /home/someuser/.ssh/authorized_keys /usr/lib/ruby/1.8/fileutils.rb:1404:in `stat' /usr/lib/ruby/1.8/fileutils.rb:1404:in `fu_same?' /usr/lib/ruby/1.8/fileutils.rb:1378:in `fu_each_src_dest' /usr/lib/ruby/1.8/fileutils.rb:1395:in `fu_each_src_dest0' /usr/lib/ruby/1.8/fileutils.rb:1377:in `fu_each_src_dest' /usr/lib/ruby/1.8/fileutils.rb:382:in `cp' /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:109:in `write' /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `real_write' /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `write' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `each' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:339:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:62:in `asuser' /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/type.rb:628:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:93:in `evaluate' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in `eval_children_and_apply_resource' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark' /usr/lib/ruby/1.8/benchmark.rb:293:in `measure' /usr/lib/ruby/1.8/benchmark.rb:307:in `realtime' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate' /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:144:in `apply' /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark' /usr/lib/ruby/1.8/benchmark.rb:293:in `measure' /usr/lib/ruby/1.8/benchmark.rb:307:in `realtime' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark' /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run' /usr/lib/ruby/1.8/sync.rb:229:in `synchronize' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:101:in `with_client' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run' /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime' /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:398:in `exit_on_fail' /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run' /usr/sbin/puppetd:4 </pre> -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
