Issue #14283 has been updated by Stefan Schulte.

Assignee set to Ben Hughes

Maybe Puppet has some problems changing the user context. Puppet will not only 
switch the euid but also the groups 
(http://puppetlabs.com/security/cve/cve-2012-1053).

I guess that Solaris only allows cron for the members of the `cron` group; is 
that correct? Maybe this is dropped somewhere?

It would be interesting to verify that it's a group membership issue (I was not 
able to reproduce the issue on Linux and with an unprivileged user running 
Puppet), so can you reverse your "fix" and try whether the following works:
<pre>
diff --git a/lib/puppet/util/suidmanager.rb b/lib/puppet/util/suidmanager.rb
index f270c40..aa527ed 100644
--- a/lib/puppet/util/suidmanager.rb
+++ b/lib/puppet/util/suidmanager.rb
@@ -160,7 +160,7 @@ module Puppet::Util::SUIDManager
   # if used without root to initgroups of another user.
   def initgroups(uid)
     pwent = Etc.getpwuid(uid)
-    Process.initgroups(pwent.name, pwent.gid)
+#   Process.initgroups(pwent.name, pwent.gid)
   end
</pre>
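Review bot: commenting out `Process.initgroups(pwent.name, pwent.gid)` leaves `initgroups(uid)` as a no-op that still performs the `Etc.getpwuid(uid)` lookup into an unused `pwent`, so any caller changing user through this method keeps the invoking process's supplementary groups, which is the group switching the message above ties to CVE-2012-1053. Treat this as a local diagnostic only and do not commit it; logging `Process.groups` before and after the call would test the group-membership theory without removing the call. If the change were ever kept, delete the line instead of leaving a commented-out call at column 0, and update the method comment ending "if used without root to initgroups of another user." so it still matches what the method does.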
----------------------------------------
Bug #14283: Solaris 11 cron provider oddities
https://projects.puppetlabs.com/issues/14283#change-63305

Author: Ben Hughes
Status: Investigating
Priority: Normal
Assignee: Ben Hughes
Category: cron
Target version: 
Affected Puppet version: 
Keywords: solaris cron
Branch: 


# Overview #

Solaris 11/Sparc with Puppet 2.7.14ish 
(a47c42d6b9c7ed6022b0e7d37505b0c694a5b8d2).

The Cron provider doesn't appear to actually provide multiple crons.

# Expected Behaviour #

Crontab contains all the correct cron entries from say:

<pre>
  cron{ 'zfs_scrubber':
    command     => 'for x in $( zpool list -H | cut -f 1 ); do zpool scrub "${x}" ; done',
    user        => 'root',
    environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin',
    hour        => '3',
    minute      => '33',
    weekday     => '6',
  }
</pre>


# Actual Behaviour #

<pre>
[root@mundilfari:/var]# crontab -l root 
# HEADER: This file was autogenerated at Wed Apr 25 19:10:12 -0700 2012 by 
puppet.
# HEADER: While it can still be managed manually, it is definitely not 
recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
#ident  "%Z%%M% %I%     %E% SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 [ -x /usr/lib/fs/nfs/nfsfind ] && /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
# Puppet Name: puppet agent
42 * * * * /opt/csw/bin/puppet agent --onetime --no-daemonize >/dev/null
</pre>

Now I run puppet on said host:

<pre>
[root@mundilfari:/var]# time puppet agent -t --environment solarisnagios
info: Retrieving plugin
info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
info: Caching catalog for mundilfari.example.org
info: Applying configuration version '460d9de'
notice: /Stage[main]/Zfs::Scrubber/Cron[zfs_scrubber]/ensure: created
# HEADER: This file was autogenerated at Wed May 02 13:36:28 -0700 2012 by 
puppet.
# HEADER: While it can still be managed manually, it is definitely not 
recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
#ident  "%Z%%M% %I%     %E% SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 [ -x /usr/lib/fs/nfs/nfsfind ] && /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
# Puppet Name: puppet agent
42 * * * * /opt/csw/bin/puppet agent --onetime --no-daemonize >/dev/null
# Puppet Name: zfs_scrubber
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
33 3 * * 6 for x in $( zpool list -H | cut -f 1 ); do zpool scrub "${x}" ; done
notice: It is highly recommended that you set 'wgetopts=-nv' in your 
pkgutil.conf.
notice: /Stage[main]/Zfs::Snapshots/Cron[zfs weekly snapshot]/ensure: created
# HEADER: This file was autogenerated at Wed May 02 13:36:57 -0700 2012 by 
puppet.
# HEADER: While it can still be managed manually, it is definitely not 
recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
#ident  "%Z%%M% %I%     %E% SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 [ -x /usr/lib/fs/nfs/nfsfind ] && /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
# Puppet Name: puppet agent
42 * * * * /opt/csw/bin/puppet agent --onetime --no-daemonize >/dev/null
# Puppet Name: zfs_scrubber
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
33 3 * * 6 for x in $( zpool list -H | cut -f 1 ); do zpool scrub "${x}" ; done
# Puppet Name: zfs weekly snapshot
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
15 2 * * 0 /usr/local/bin/zfs-snapshot.rb -r -c 5 -s weekly
notice: /Stage[main]/Zfs::Snapshots/Cron[zfs hourly snapshot]/ensure: created
notice: Finished catalog run in 97.97 seconds
</pre>

I actually snipped a few there, as it was getting lengthy...

But now we run crontab -l root and get...

<pre>
[root@mundilfari:/var]# crontab -l root 
# HEADER: This file was autogenerated at Wed Apr 25 19:10:12 -0700 2012 by 
puppet.
# HEADER: While it can still be managed manually, it is definitely not 
recommended.
# HEADER: Note particularly that the comments starting with 'Puppet Name' should
# HEADER: not be deleted, as doing so could cause duplicate cron jobs.
#ident  "%Z%%M% %I%     %E% SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 [ -x /usr/lib/fs/nfs/nfsfind ] && /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
# Puppet Name: puppet agent
42 * * * * /opt/csw/bin/puppet agent --onetime --no-daemonize >/dev/null
</pre>

So where did they go?!

# Detail #

So the cronjob, at least as far as my Solaris-fu is concerned, doesn't appear 
to exist.

<pre>
[root@mundilfari:~]# gfind /etc /var -xdev -type f -print0 | xargs -0 ggrep -il zfs_scrubber
/var/lib/puppet/client_yaml/catalog/mundilfari.dc1.puppetlabs.net.yaml
/var/lib/puppet/state/resources.txt
/var/lib/puppet/state/state.yaml
/var/lib/puppet/state/last_run_report.yaml
/var/adm/messages
/var/adm/messages.0
</pre>

# Work Around #

Not use Solaris.


