Try the dev group ;) You have far better chances getting an answer from 
there.


Silviu

On 25.11.2009 11:35, symfrog wrote:
> Puppet custom functions and user permissions
>
> I am busy writing a custom function to automatically add OSSEC agents
> to an OSSEC server after installation. Unfortunately, it seems that
> puppetmasterd is not respecting the entries in /etc/group in Linux. No
> matter how many other groups the puppet user has been added to in
> /etc/group, when puppetmasterd runs the custom function the effective/real
> user always only has the puppet group.
>
> An example:
>
> module Puppet::Parser::Functions
>    newfunction(:ossec_client_key, :type =>  :rvalue) do |args|
>        # Check if key for the fqdn already exists
>       fqdn = lookupvar('fqdn')
>       ip = lookupvar('ipaddress')
>
>       fout = File.open("/home/puppet/ossec_client_key.log", 'w')
>       fout.puts "ossec_client_key executed with: " + fqdn + ":" + ip
>
>       userid = `id`
>       fout.puts "Shell commands run as: " + userid
>       fout.puts "Ruby effective uid: " + Process.euid.to_s
>
>       key = `cat /var/ossec/etc/client.keys | egrep #{fqdn}`
>       fout.puts File.executable?("/var/ossec/contrib/ossec-batch-manager.pl")
>       fout.close
>
>       # If it does not exist add the fqdn to ossec with ip
>       if($? != 0)
>        output = `/var/ossec/contrib/ossec-batch-manager.pl -a -n #{fqdn} -ip #{ip}`
>       end
>
>       # Now extract the key for the fqdn from ossec
>       agent_id = `cat /var/ossec/etc/client.keys | egrep #{fqdn} | awk '{print $1}'`
>       key = `/var/ossec/contrib/ossec-batch-manager.pl -e #{agent_id}`
>
>       if($? != 0)
>       raise Puppet::ParseError, "Could not retrieve key for:" + fqdn
>       end
>
>
>       return key
>    end
> end
>
> Output in ossec_client_key.log:
>
> Shell commands run as: uid=1004(puppet) gid=1002(puppet) groups=0(root)
> Ruby effective uid: 1004
> false
>
>
> When I run the same command directly via ruby using:
>
> sudo -u puppet ruby ...
>
> I get:
>
> Shell commands run as: uid=1004(puppet) gid=1002(puppet) groups=1001(ossec),1002(puppet)
> Ruby effective uid: 1004
> true
>
>
> Is this a bug or intended behaviour? If it is intended behaviour can
> anyone explain why?
>
> Thanks
>
> --
>
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
>
>
>    
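
Added example (not part of the original messages, and not Puppet or OSSEC code): a Ruby check that compares the supplementary groups a process actually holds with the ones /etc/group declares for its user, run here over the two `id` lines quoted above. The /etc/group sample is constructed to match the ids in the post and all function names are hypothetical; a process that changes uid/gid without rebuilding its group list keeps the list it inherited, which is one way to get output like the first line, though the thread does not confirm the cause.

```ruby
require 'etc'

# Constructed sample in /etc/group format, matching the ids in the post.
SAMPLE_GROUP_FILE = <<~GROUPS
  root:x:0:
  ossec:x:1001:puppet
  puppet:x:1002:
GROUPS

# Gids a user should hold: primary gid plus every group line naming the user.
def declared_gids(user, primary_gid, group_text)
  gids = [primary_gid]
  group_text.each_line do |line|
    _name, _pw, gid, members = line.chomp.split(':', 4)
    next if gid.nil?
    gids << gid.to_i if members.to_s.split(',').include?(user)
  end
  gids.uniq.sort
end

# Pull the supplementary gid list out of one line of `id` output.
def gids_from_id_output(line)
  list = line[/groups=(\S+)/, 1] or return []
  list.split(',').map { |g| g.to_i }.sort
end

# Compare what the process holds with what the group database declares.
def audit(user, primary_gid, group_text, id_line)
  declared = declared_gids(user, primary_gid, group_text)
  actual = gids_from_id_output(id_line)
  { missing: declared - actual, unexpected: actual - declared }
end

# Same comparison for the running process (not called here; call it from
# inside the daemon or function whose privileges are in question).
def audit_current_process
  pw = Etc.getpwuid(Process.euid) or return nil
  declared = [pw.gid]
  Etc.group { |g| declared << g.gid if g.mem.include?(pw.name) }
  actual = Process.groups
  { missing: declared.uniq - actual, unexpected: actual - declared }
end

# The two `id` lines from the post, with the e-mail line wrap removed.
UNDER_PUPPETMASTERD = 'uid=1004(puppet) gid=1002(puppet) groups=0(root)'
UNDER_SUDO = 'uid=1004(puppet) gid=1002(puppet) groups=1001(ossec),1002(puppet)'
```

An `unexpected` entry of 0 is worth as much attention as the missing groups: it means the process still holds root's group after switching user. In Ruby, a daemon that drops privileges itself rebuilds the list with Process.initgroups(user, gid) while still root, before changing uid.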
