Issue #20001 has been updated by James Shubin.
Okay update: I was really tired last night, the correct hack is:
<pre>
exec { "/bin/chmod g+s ${dir}":
  onlyif  => "/usr/bin/test -d '${dir}' && /usr/bin/test ! -g '${dir}'",
  require => File["${dir}"],
}
</pre>
----------------------------------------
Bug #20001: File type can't only use setgid for directory, and skip over files
https://projects.puppetlabs.com/issues/20001#change-87872
* Author: James Shubin
* Status: Unreviewed
* Priority: High
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
<pre>
Given a directory:
$dir = '/some/dir/'
You may wish to recursively ensure a certain mode such as: u=rw,g=r
As you all know, this cleverly adds +x to directories, but not to files. (good!)
You may also decide that you'd like to setgid (+s) for the directory...
file { "${dir}":
  mode    => 'u=rw,g=rs,o=r',
  recurse => true,
}
... but NOT for its contents.
These two semantics are very different, since setgid for a directory ensures
new files/dirs have the group you want, however adding this to an executable
file can be quite dangerous!
You can't do this:
file { "${dir}":
  mode    => 'u=rw,g=r,o=r',
  recurse => true,
}
file { "${dir}":
  mode    => 'g+s',
  recurse => false,
}
because that's a duplicate definition.
So: by default, I think:
1) +s for g should act like +x currently does (except opposite) -- for +s only
apply it to the directory, even when recurse is true.
2) If some flag like recurse_setgid => true, then you can recursively add the +s
I marked this as high, because I think the current behaviour is very dangerous.
Note: in the interim, I suppose you could cheat and run an exec { "chmod g+s
${dir}":}
I stumbled upon this problem when I realized setgid is a useful property to add
to /etc/puppet/, but not for /etc/puppet/files/*
James
</pre>
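The hazard described in this issue, as an added shell example that is not part of the original report or of Puppet: it lists regular files that carry setgid under a tree, then clears the bit from those files and sets it on the top directory with the same `test -g` guard the exec uses. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the issue. All function names are hypothetical.

# List regular files under $1 that carry the setgid bit (the risky case).
setgid_files() {
    find "$1" -type f -perm -2000 -print
}

# Policy from the issue: setgid on the directory itself, never on the
# regular files beneath it. Safe to run repeatedly.
fix_setgid() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Clear setgid from regular files only; other mode bits are untouched.
    find "$dir" -type f -perm -2000 -exec chmod g-s {} +
    # Same guard as the exec's onlyif: chmod only when the bit is missing.
    if [ ! -g "$dir" ]; then
        chmod g+s "$dir"
    fi
}

# Constructed sample tree imitating what a recursive g=rs mode leaves behind.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/files"
    : > "$t/files/script.sh"
    : > "$t/site.pp"
    chmod 2755 "$t" "$t/files"       # directories: rwxr-sr-x
    chmod 2755 "$t/files/script.sh"  # setgid on an executable file
    chmod 2644 "$t/site.pp"          # setgid on a plain data file
    echo "$t"
}

# Audit-only when called with a path: print offending files, change nothing.
if [ "$#" -gt 0 ]; then
    setgid_files "$1"
fi
```

Subdirectories are left as they are; only regular files lose the bit and only the top directory gains it.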