Issue #10850 has been updated by Stefan Schulte.

If a parsed file resource is out of sync, puppet performs the necessary changes 
in memory and when flush is called, it rewrites all files that actually need 
modification.

In case of the ssh_authorized_key provider the flush method is called as an 
unprivileged user (the user that is mentioned with the user parameter of the 
resource; this is because of the CVE). This works in most cases (adding a new 
key, changing a key, etc.) but it fails if the target property is out of sync. In 
the latter case puppet needs to move one record from one target to another. 
When flush is called, puppet now has to rewrite two files:

- rewrite the file where the key was added (owned by our user -> works)
- rewrite the file where the key was removed (most likely not owned by our user -> fails)
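
An added Ruby sketch of the failure described in the comment above (a constructed model, not Puppet's provider code and not part of the original message). It shows why a changed target marks two files for rewriting while the flush runs as a single user. `Record`, `dirty_targets`, `flush_as`, the key strings and the ownership-only permission check are assumptions made for illustration.

```ruby
# Constructed model: one record per key, stored in the file named by target.
Record = Struct.new(:name, :key, :target)

# Targets whose content differs between the current and the desired state.
def dirty_targets(current, desired)
  by_target = lambda do |recs|
    recs.group_by(&:target).transform_values { |r| r.map { |x| [x.name, x.key] }.sort }
  end
  before = by_target.call(current)
  after = by_target.call(desired)
  (before.keys | after.keys).reject { |t| before[t] == after[t] }.sort
end

# Simulate a flush done entirely as flush_user. Assumption: a rewrite succeeds
# only when that user owns the file (a simplification of real permissions).
def flush_as(flush_user, current, desired, owners)
  dirty_targets(current, desired).map do |target|
    [target, owners[target] == flush_user ? :written : :permission_denied]
  end.to_h
end

# Constructed ownership table mirroring the paths in the report.
OWNERS = {
  '/home/apenney/.ssh/authorized_keys' => 'apenney',
  '/home/jthompson/.ssh/authorized_keys' => 'jthompson'
}.freeze

# Target out of sync: the record moves, so both files must be rewritten.
def target_move_result
  current = [Record.new('jthompson', 'AAAA-sample', '/home/apenney/.ssh/authorized_keys')]
  desired = [Record.new('jthompson', 'AAAA-sample', '/home/jthompson/.ssh/authorized_keys')]
  flush_as('jthompson', current, desired, OWNERS)
end

# Only the key changes: one file, owned by the flushing user.
def key_change_result
  path = '/home/jthompson/.ssh/authorized_keys'
  current = [Record.new('jthompson', 'AAAA-old', path)]
  desired = [Record.new('jthompson', 'AAAA-new', path)]
  flush_as('jthompson', current, desired, OWNERS)
end

p target_move_result
p key_change_result
```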
----------------------------------------
Bug #10850: ssh_authorized_key doing the wrong thing
https://projects.puppetlabs.com/issues/10850

Author: Ashley Penney
Status: Accepted
Priority: Urgent
Assignee: Matt Robinson
Category: ssh
Target version: 
Affected Puppet version: 2.7.6
Keywords: 
Branch: 


Backstory - I cut and paste my ssh_authorized_key statement to make another 
user's key.  I changed the title of the resource and the actual key but forgot 
to change the 'target =>' setting.  This then tried to update apenney instead 
of jthompson.  I tried to correct this and now puppet errors constantly and as 
you can see from below it's trying to write to the old target not the new 
target.

    notice: /Stage[main]/Users/User[jthompson]/ensure: created
    notice: /Stage[main]/Users/Ssh_authorized_key[jthompson]/user: user changed 'apenney' to 'jthompson'
    notice: /Stage[main]/Users/Ssh_authorized_key[jthompson]/target: target changed '/home/apenney/.ssh/authorized_keys' to '/home/jthompson/.ssh/authorized_keys'
    err: /Stage[main]/Users/Ssh_authorized_key[jthompson]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/apenney/.ssh/authorized_keys: Permission denied - /home/apenney/.ssh/authorized_keys

