I'm fairly new to Solaris, SMF, and RBAC, so please forgive me if I'm missing the obvious.
I'm currently running puppetd, a Ruby-based systems configuration management tool which, amongst other things, manages files, configurations, and system packages using the Solaris native pkgadd and pkgrm tools. I've got it configured as a service controlled via SMF running as role 'puppetd', as I don't want to run it as root. I can control the program startup/shutdown just fine using svcadm and have no problems with SMF.

The problem I'm experiencing is that when the service 'puppetd' tries to run pkgadd to install new packages, I get the following error in /var/adm/messages:

    pkgadd: ERROR: You must be "root" for pkgadd to execute properly.

From what I can gather, ruby spawns system commands in the following manner:

    # ps -ef | grep puppetd
    puppetd 22324 22294 0 14:33:43 ?     0:00 sh -c /usr/bin/pkginfo -l CSCOruby 2>&1
    puppetd 22325 22324 2 14:33:43 ?     0:00 /usr/bin/pkginfo -l CSCOruby
    puppetd 22294  1628 0 14:33:42 ?     0:00 /opt/csw/bin/ruby /opt/local/bin/puppetd --confdir=/opt/local/etc/puppet
    puppetd 19726 18833 0 13:09:18 pts/7 0:00 -bash

I was assuming that any processes started by the role 'puppetd' would be executed under its security context. However, it appears that the security context is only evaluated when run through an RBAC-aware shell... If I log into the system and assume the role puppetd, I can get pkgadd to execute if I do the following:

    Set my shell to pfsh and execute: /usr/sbin/pkgadd
    - or -
    execute: pfexec /usr/sbin/pkgadd

If my default shell is pfsh, and I start bash, then try to run pkgadd, I get the same 'You must be root' error message.

Not sure if I just have the RBAC configuration wrapped around the axle, if there's something else the Ruby script needs to do in order to get processes it spawns to be evaluated under the owner's security context (e.g. run pfexec or pfsh), or if this is just not possible... Any hints would be most appreciated...

Here are some pertinent details:

/etc/passwd:

    puppetd:x:103:103::/opt/local/var/puppet:/bin/pfsh

/etc/user_attr:

    puppetd::::type=role;profiles=System Administrator,Software Installation

SMF for puppetd:

    <exec_method type='method' name='start'
        exec='/usr/bin/pfexec /opt/local/lib/svc/method/svc-puppetd start'
        timeout_seconds='60'>
      <method_context>
        <method_credential user='puppetd' group='puppetd' />
        <method_environment>
          <envvar name='HOME' value='/opt/local/var/puppet'/>
          <envvar name='SHELL' value='/bin/pfsh'/>
        </method_environment>
      </method_context>
    </exec_method>

This message posted from opensolaris.org
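The ps output above shows the pattern behind the error: Ruby's string form of system() runs the command through "sh -c", and /bin/sh is not a profile shell, so the role's RBAC profiles are never consulted for pkgadd. The following is an added example, not code from the original post or from puppetd, showing the wrapper a tool like this would need: privileged commands are prefixed with pfexec (the path is the one used in the poster's SMF manifest), and commands are passed to system() as an argv array so no intermediate "sh -c" is involved. The PRIVILEGED list and the uid 103 used in the usage line are assumptions for illustration.

```ruby
# Added example (not from the original post): run package commands so that the
# RBAC profiles of the invoking role are honoured, without running as root.

PFEXEC = '/usr/bin/pfexec'   # path taken from the poster's SMF manifest

# Commands that need the Software Installation profile.  Assumed list for this
# example; extend it for the tool's real needs.
PRIVILEGED = %w[/usr/sbin/pkgadd /usr/sbin/pkgrm].freeze

# Build the argv that will be exec'ed.  When the caller is not root, privileged
# commands are prefixed with pfexec so the role's profiles are evaluated.
# Unprivileged commands (e.g. pkginfo) are left untouched.
def profile_argv(cmd, args, uid: Process.uid)
  argv = [cmd, *args.map(&:to_s)]
  return argv if uid == 0 || !PRIVILEGED.include?(cmd)
  [PFEXEC, *argv]
end

# Execute the command.  The argv-array form of Kernel#system execs the program
# directly instead of through "sh -c", so a non-profile shell never sits between
# the role and pkgadd, and the arguments are not re-parsed by a shell.
def run_with_profile(cmd, *args)
  argv = profile_argv(cmd, args)
  ok = system(*argv)
  raise "#{argv.join(' ')} failed: #{$?.inspect}" unless ok
  true
end

if __FILE__ == $0
  # Shows the argv that would be exec'ed for the role's uid (103, from /etc/passwd
  # in the post); the package path is a constructed placeholder.
  puts profile_argv('/usr/sbin/pkgadd',
                    ['-d', '/var/tmp/CSWexample.pkg', 'CSWexample'],
                    uid: 103).join(' ')
end
```

In the SMF case the same rule applies: the start method is already launched via pfexec, but that only covers the method script itself. Each privileged child the Ruby process later spawns has to go through pfexec (or a profile shell) in its own right, which is what the wrapper above does.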