For what it's worth, this kind of explains why this is broken on 10.6 http://www.opensource.apple.com/source/samba/samba-235/patches/support-darwin-initgroups-syscall
+ /* The Darwin groups implementation is a little unusual. The list of + * groups in the kernel credential is not exhaustive, but rather is a + * cache. The full group list is held in userspace and checked on + * dynamically. + * This is an optional mechanism, and setgroups(2) opts out + * of it. That is, if you call setgroups, then the list of groups you + * set are the only groups that are ever checked. This is not what we + * want. We want to opt in to the dynamic resolution mechanism, so we + * need to specify the uid of the user whose group list (cache) we are + * setting. + * + * The Darwin rules are: + * 1. Thou shalt setegid, initgroups and seteuid IN THAT ORDER + * 2. Thou shalt not pass more that NGROUPS_MAX to initgroups + * 3. Thou shalt leave the first entry in the groups list well alone + */ I'll keep bugging Apple to fix it so we can hopefully remove all these nasty hacks. On Fri, Mar 26, 2010 at 4:04 PM, Nigel Kersten <[email protected]> wrote: > > Signed-off-by: Nigel Kersten <[email protected]> > --- > lib/puppet/util/suidmanager.rb | 15 ++++++++++++++- > 1 files changed, 14 insertions(+), 1 deletions(-) > > diff --git a/lib/puppet/util/suidmanager.rb b/lib/puppet/util/suidmanager.rb > index a0a9178..99ed3a4 100644 > --- a/lib/puppet/util/suidmanager.rb > +++ b/lib/puppet/util/suidmanager.rb 
> @@ -9,12 +9,25 @@ module Puppet::Util::SUIDManager > to_delegate_to_process = [ :euid=, :euid, :egid=, :egid, > :uid=, :uid, :gid=, :gid, :groups=, :groups ] > > + if Facter.value('kernel') == 'Darwin' > + Facter.loadfacts > + osx_maj_ver = Facter.value('macosx_productversion_major') > + raise Puppet::Error, "OS X requires Facter >= 1.5.5" if > osx_maj_ver.nil? > + # Process.groups= broken on 10.6 http://openradar.appspot.com/7791698 > + if osx_maj_ver == '10.6' > + to_delegate_to_process.delete(:groups=) > + def self.groups=(grouplist) > + return true > + end > + end > + end > + > to_delegate_to_process.each do |method| > def_delegator Process, method > module_function method > end > > - if Facter['kernel'].value == 'Darwin' > + if Facter.value('kernel') == 'Darwin' and osx_maj_ver == '10.4' > # Cannot change real UID on Darwin so we set euid > alias :uid :euid > alias :gid :egid > -- > 1.7.0.3 > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Developers" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/puppet-dev?hl=en. > > -- nigel
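Review bot: the 10.6 branch swaps `groups=` for a stub (`def self.groups=(grouplist)` / `return true`) that discards `grouplist` without any signal, so a caller that sets supplementary groups while switching to another user keeps whatever groups the process already had (for example root's, if the process started as root). Since that weakens the privilege drop, the stub should at least log a warning naming the skipped group list, and the code comment should state the consequence rather than only "broken on 10.6". Separately, the final changed line narrows the `alias :uid :euid` / `alias :gid :egid` block from every Darwin host to `osx_maj_ver == '10.4'`, while the comment under it still says the real UID cannot be changed "on Darwin"; that alters behaviour on releases other than 10.4 as well and belongs in its own commit, or at least needs the comment updated to match. The version tests are exact string matches on `'10.6'` and `'10.4'`, so a later release with the same `Process.groups=` problem would go back to delegating to `Process`.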
