Issue #4267 has been updated by Sylvain Avril.

There's another problem not corrected by this patch. This resource will fail 
if the authorized_keys file is read only (chmod 400). I don't use filebucket 
directly, so I don't know if it's filebucket related or authorized_keys related.

Here's the debug trace:
[...]
notice: 
/Stage[main]/Common::Base_socram/ssh_authorized_key...@myserver]/ensure: created
debug: Finishing transaction -607004668
info: FileBucket got a duplicate file /usr/home/socadm/.ssh/authorized_keys 
({md5}1dc88990274df9c14379dcfbf7c97d66)
debug: Flushing ssh_authorized_key provider target 
/home/socadm/.ssh/authorized_keys
/usr/lib/ruby/1.8/fileutils.rb:1246:in `initialize'
/usr/lib/ruby/1.8/fileutils.rb:1246:in `open'
/usr/lib/ruby/1.8/fileutils.rb:1246:in `copy_file'
/usr/lib/ruby/1.8/fileutils.rb:1245:in `open'
/usr/lib/ruby/1.8/fileutils.rb:1245:in `copy_file'
/usr/lib/ruby/1.8/fileutils.rb:459:in `copy_file'
/usr/lib/ruby/1.8/fileutils.rb:383:in `cp'
/usr/lib/ruby/1.8/fileutils.rb:1379:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:1395:in `fu_each_src_dest0'
/usr/lib/ruby/1.8/fileutils.rb:1377:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:382:in `cp'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:109:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `real_write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:339:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:71:in 
`flush'
/usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:62:in `asuser'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:71:in 
`flush'
/usr/lib/ruby/site_ruby/1.8/puppet/type.rb:636:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:93:in 
`evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in 
`eval_children_and_apply_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:144:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:103:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:397:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:300:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:55:in `execute'
/usr/bin/puppet:4
err: /Stage[main]/Common::Base_socram/ssh_authorized_key...@myserver]: Could 
not evaluate: Puppet::Util::FileType::FileTypeFlat could not write 
/home/socadm/.ssh/authorized_keys: Permission denied - 
/home/socadm/.ssh/authorized_keys
[...]
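The trace above ends in FileUtils.cp opening the target for writing, which the kernel refuses on a mode-0400 file unless the caller is root. The following is an added, constructed example (not Puppet code) that reproduces that failure as an unprivileged owner and shows the write-temp-then-rename replacement, which needs only a writable directory and keeps the file read-only; when run as root the in-place write succeeds instead, since root bypasses mode bits.

```ruby
require 'fileutils'
require 'tmpdir'

# In-place update, the way FileUtils.cp writes: open the destination for
# writing. On a 0400 file this raises EACCES for a non-root owner.
def write_in_place(path, content)
  File.open(path, 'wb') { |f| f.write(content) }
  :ok
rescue Errno::EACCES
  :permission_denied
end

# Atomic replace: create a temp file in the same directory, give it the
# target's mode, then rename it over the target. Only the directory has to
# be writable, so a read-only target is fine and readers never see a
# half-written file.
def write_via_rename(path, content)
  mode = File.stat(path).mode & 07777
  tmp = "#{path}.tmp#{$$}"
  File.open(tmp, 'wb', mode) { |f| f.write(content) }
  File.chmod(mode, tmp)          # undo any umask masking
  File.rename(tmp, path)
  :ok
end

# Builds a constructed 0400 authorized_keys in a temp dir (sample key
# material, not real keys), runs both strategies and reports the outcome.
def demo_readonly_authorized_keys
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'authorized_keys')
    File.write(path, "ssh-rsa AAAAsample old@example\n")
    File.chmod(0400, path)
    new_line = "ssh-rsa BBBBsample new@example\n"
    in_place   = write_in_place(path, new_line)
    via_rename = write_via_rename(path, new_line)
    {
      in_place:   in_place,
      via_rename: via_rename,
      mode:       File.stat(path).mode & 07777,
      content:    File.read(path),
    }
  end
end

if __FILE__ == $0
  p demo_readonly_authorized_keys
end
```

The rename strategy replaces the inode, so ownership of the new file is the writer's; a provider that drops to the key owner's uid before writing, as the asuser block here does, therefore keeps the expected owner.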
----------------------------------------
Bug #4267: ssh_authorized_users tries to save to local filebucket as non-root user
http://projects.puppetlabs.com/issues/4267

Author: Jim Bala
Status: Closed
Priority: Normal
Assignee: 
Category: 
Target version: 2.6.2
Affected version: 2.6.0
Keywords: ssh_authorized_keys filebucket clientbucketdir Puppet::Util::SUIDManager
Branch: http://github.com/jes5199/puppet/tree/ticket/2.6.x/4267


Full path:
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb

Issue:
Filebucketing is being done with euid set to the user
that owns the authorized_keys file, which means it fails since a
normal user could never write to /var/lib/puppet.

I don't know enough ruby to be more detailed than that.

The original line 64 in the file above is:

   Puppet::Util::SUIDManager.asuser(@resource.should(:user)) { super }

The equivalent line didn't work in 0.25.4 or 0.25.5 and it still
doesn't work in 2.6.0rc3 (RHEL5.5, rpm from tmz.fedoraproject.org).

If I replace line 64 with the following line, it all works nicely.

   Puppet::Util::SUIDManager.asuser('root') { super }

Here's the (sanitized) debug/trace output from puppetd -d:

<pre>
notice: 
/Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure:
created
debug: Flushing ssh_authorized_key provider target
/home/someuser/.ssh/authorized_keys
info: FileBucket got a duplicate file
/home/someuser/.ssh/authorized_keys
({md5}d41d8cd98f00b204e9800998ecf8427e)
err: 
/Stage[main]//Sshuser[someuser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]:
Could not evaluate: Could not back up
/home/someuser/.ssh/authorized_keys: Permission denied -
/var/lib/puppet/clientbucket/d/4/1/d/8/c/d/9/d41d8cd98f00b204e9800998ecf8427e/paths
notice: 
/Stage[main]//Sshuser[otheruser]/Ssh::Auth::key[[email protected]]/ssh_auth_key_server[[email protected]]/ssh_authorized_key[[email protected]]/ensure:
created
debug: Flushing ssh_authorized_key provider target
/home/someuser/.ssh/authorized_keys
/usr/lib/ruby/1.8/fileutils.rb:1404:in `stat'
/usr/lib/ruby/1.8/fileutils.rb:1404:in `fu_same?'
/usr/lib/ruby/1.8/fileutils.rb:1378:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:1395:in `fu_each_src_dest0'
/usr/lib/ruby/1.8/fileutils.rb:1377:in `fu_each_src_dest'
/usr/lib/ruby/1.8/fileutils.rb:382:in `cp'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:109:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `real_write'
/usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:56:in `write'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:95:in `flush_target'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:69:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:67:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:339:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in
`flush'
/usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:62:in `asuser'
/usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:64:in
`flush'
/usr/lib/ruby/site_ruby/1.8/puppet/type.rb:628:in `flush'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:93:in
`evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in
`eval_children_and_apply_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:144:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:101:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/usr/sbin/puppetd:4
</pre>

