Seems correct, but this whole problem space is messy enough that real-world testing matters most, I think.
On Oct 8, 2009, at 10:03 PM, James Turnbull wrote: > > Patch thanks to Till Maas > > Signed-off-by: James Turnbull <[email protected]> > --- > lib/puppet/util.rb | 5 +++-- > lib/puppet/util/suidmanager.rb | 12 +++++++++++- > 2 files changed, 14 insertions(+), 3 deletions(-) > > diff --git a/lib/puppet/util.rb b/lib/puppet/util.rb > index e1e6992..28a2599 100644 > --- a/lib/puppet/util.rb > +++ b/lib/puppet/util.rb > @@ -55,10 +55,11 @@ module Util > end > unless Puppet::Util::SUIDManager.uid == user > begin > + Puppet::Util::SUIDManager.initgroups(user) > Puppet::Util::SUIDManager.uid = user > Puppet::Util::SUIDManager.euid = user > - rescue > - $stderr.puts "could not change to user %s" % user > + rescue => detail > + $stderr.puts "Could not change to user %s: %s" > % [user, detail] > exit(74) > end > end > diff --git a/lib/puppet/util/suidmanager.rb b/lib/puppet/util/ > suidmanager.rb > index c5df0d1..a0a9178 100644 > --- a/lib/puppet/util/suidmanager.rb > +++ b/lib/puppet/util/suidmanager.rb > @@ -7,7 +7,7 @@ module Puppet::Util::SUIDManager > extend Forwardable > > to_delegate_to_process = [ :euid=, :euid, :egid=, :egid, > - :uid=, :uid, :gid=, :gid ] > + > :uid > =, :uid, :gid=, :gid, :groups=, :groups ] > > to_delegate_to_process.each do |method| > def_delegator Process, method > @@ -26,13 +26,16 @@ module Puppet::Util::SUIDManager > # We set both because some programs like to drop privs, i.e. > bash. > old_uid, old_gid = self.uid, self.gid > old_euid, old_egid = self.euid, self.egid > + old_groups = self.groups > begin > self.egid = convert_xid :gid, new_gid if new_gid > + self.initgroups(convert_xid(:uid, new_uid)) if new_uid > self.euid = convert_xid :uid, new_uid if new_uid > > yield > ensure > self.euid, self.egid = old_euid, old_egid > + self.groups = old_groups > end > end > module_function :asuser 
> @@ -49,6 +52,13 @@ module Puppet::Util::SUIDManager > end > module_function :convert_xid > > + # Initialize supplementary groups > + def initgroups(user) > + require 'etc' > + Process.initgroups(Etc.getpwuid(user).name, Process.gid) > + end > + > + module_function :initgroups > > def run_and_capture(command, new_uid=nil, new_gid=nil) > output = Puppet::Util.execute(command, :failonfail => > false, :uid => new_uid, :gid => new_gid) > -- > 1.6.0.6 > > > --~--~---------~--~----~------------~-------~--~----~ > You received this message because you are subscribed to the Google > Groups "Puppet Developers" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/puppet-dev?hl=en > -~----------~----~----~----~------~----~------~--~---

-- 
To have a right to do a thing is not at all the same as to be right in doing it. -- G. K. Chesterton
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
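Review bot: in the lib/puppet/util.rb hunk, calling `Puppet::Util::SUIDManager.initgroups(user)` before `uid = user` / `euid = user` is the right order (setgroups needs an effective uid of root), but nothing in this block changes the gid, and the new `initgroups` helper passes `Process.gid` as the extra group, so unless the group switch has already happened above this hunk a daemon started as root keeps gid 0 in its supplementary list after dropping to `user`. Suggest switching gid/egid to the target user's primary group before this call, or passing that gid explicitly. Note also that `initgroups` ends up in `Etc.getpwuid(user)`, so `user` must already be a numeric uid here (the `SUIDManager.uid == user` comparison suggests it is); a comment saying so would help the next reader.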
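Review bot: in the `asuser` hunk of lib/puppet/util/suidmanager.rb, `self.initgroups(convert_xid(:uid, new_uid))` is placed after `self.egid = convert_xid :gid, new_gid`, yet `initgroups` hands `Process.gid` (the unchanged real gid) to `Process.initgroups`, so the block runs with the caller's real gid, not `new_gid`, in its supplementary groups; pass the gid being switched to instead. The `ensure` ordering (restore `euid`/`egid` first, then `self.groups = old_groups`) is correct, because `Process.groups=` only works once the effective uid is root again, and deserves a one-line comment since reversing those two lines would silently break the restore. When only `new_gid` is given, supplementary groups are left untouched; if that is intended, say so.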
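Review bot: the new `initgroups(user)` in lib/puppet/util/suidmanager.rb does not document what `user` must be, and `Etc.getpwuid(user)` only accepts a numeric uid (a username string raises TypeError, an unknown uid raises ArgumentError), so callers that pass an unconverted `Puppet[:user]` will fail at runtime; state that in the comment, or run the argument through `convert_xid :uid` inside the helper. The second argument should be the target user's primary group rather than the process's current real gid, for example `pw = Etc.getpwuid(user)` followed by `Process.initgroups(pw.name, pw.gid)`, otherwise a root-run process carries gid 0 into the supplementary list. Style: `require 'etc'` belongs at the top of the file, not inside the method body.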
