Issue #8986 has been updated by Daniel Pittman.

After looking at the options around this, the security issues involved, and the documentation, my proposal is that we will merge the change proposed by Ricky Zhou, which will result in *all* the file operations being performed with the privileges of the target user. For the most common situations this is the correct behaviour, and for most uncommon situations the behaviour of setting `user => 'root'` should take care of things; OpenSSH accepts root ownership of the authorized_keys file. For situations where other behaviour is required - user owned, but not in a user writable directory, fundamentally - I am going to recommend using a simple file command to install the file with the required content.

Unless we hear objections this will probably be implemented next Friday as proposed.

----------------------------------------
Bug #8986: ssh_authorized_key not setting user permissions in the proper manner.
https://projects.puppetlabs.com/issues/8986

Author: Trevor Vaughan
Status: In Topic Branch Pending Merge
Priority: Normal
Assignee: Kelsey Hightower
Category: ssh
Target version:
Affected Puppet version: 2.7.3
Keywords:
Branch: https://github.com/khightower/puppet/commits/bug/master/8986

In the olden days, ssh_authorized_key, when provided with the 'user' option, would simply set the ownership of the key to that user. This worked as I expected.

Now, the ssh_authorized_key type appears to try to write the file *as* the user. This is incorrect since you may, or may not, be writing the key to somewhere that the user is allowed write access.

To work around this problem, you need to declare a file statement for every ssh_authorized_key statement which is cumbersome.
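
The three situations described in the update above, written out as a Puppet manifest. This is an added example, not part of the original notification or of the Puppet project's code; the users, key strings and paths are constructed, and the /etc/ssh/authorized_keys location assumes sshd_config sets `AuthorizedKeysFile /etc/ssh/authorized_keys/%u`.

```puppet
# Constructed sample values throughout: users 'alice', 'bob' and 'carol',
# the key strings and every path are placeholders for illustration.

# Case 1 (common): key in the user's home directory. With the proposed change
# all file operations run with alice's privileges, so the file is hers.
ssh_authorized_key { 'alice@laptop':
  ensure => present,
  user   => 'alice',
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc2EPLACEHOLDERKEYFORALICE',
}

# Root-owned directory that users cannot write to (assumed central key store).
file { '/etc/ssh/authorized_keys':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

# Case 2 (uncommon): key file outside the home directory. Setting
# user => 'root' makes Puppet write as root; the file is root-owned,
# which OpenSSH accepts.
ssh_authorized_key { 'bob@laptop':
  ensure  => present,
  user    => 'root',
  target  => '/etc/ssh/authorized_keys/bob',
  type    => 'ssh-rsa',
  key     => 'AAAAB3NzaC1yc2EPLACEHOLDERKEYFORBOB',
  require => File['/etc/ssh/authorized_keys'],
}

# Case 3: file must be owned by the user but lives in a directory the user
# cannot write to. Use a plain file resource with the full content instead
# of ssh_authorized_key; root performs the write, then ownership is set.
file { '/etc/ssh/authorized_keys/carol':
  ensure  => file,
  owner   => 'carol',
  group   => 'carol',   # assumes a per-user group exists
  mode    => '0600',
  content => "ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEYFORCAROL carol@laptop\n",
  require => File['/etc/ssh/authorized_keys'],
}
```

In case 3 the `content` attribute replaces the whole file, so every key for that user has to be listed in the one resource.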
