Jira (PDB-2590) /sbin/puppetdb ssl-setup breaks file permissions on /etc/puppetdb/conf.d/jetty.ini


Robert Heinzmann (JIRA)

Apr 7, 2016, 3:16:02 AM
to puppe...@googlegroups.com
Robert Heinzmann created an issue
 
PuppetDB / Bug PDB-2590
/sbin/puppetdb ssl-setup breaks file permissions on /etc/puppetdb/conf.d/jetty.ini
Issue Type: Bug
Affects Versions: PDB 2.3.8
Assignee: Unassigned
Attachments: fix_permissions_puppetdb_setupssl.txt
Created: 2016/04/07 12:15 AM
Environment:

[rbhe@puppet ~]$ rpm -qa | grep puppetdb
puppetdb-terminus-2.3.8-1.el7.noarch
puppetdb-2.3.8-1.el7.noarch

Priority: Normal
Reporter: Robert Heinzmann

The package "puppetdb" creates template /etc/puppetdb/conf.d/jetty.ini with proper permissions of puppetdb:puppetdb.

When running /sbin/puppetdb ssl-setup the file permissions change to "root" "root". If your umask is restrictive (e.g. 027) puppetdb start fails.

The attached fix keeps the original file permissions initially set via rpm:

{{--- /usr/libexec/puppetdb/puppetdb-ssl-setup.ORG 2015-10-14 00:23:52.000000000 +0200
+++ /usr/libexec/puppetdb/puppetdb-ssl-setup 2016-04-07 09:04:05.218000000 +0200
@@ -98,6 +98,8 @@
backupfile $3
tmp=$3.tmp.`date +%s`
sed "s/$1/$(echo $2 | sed -e 's/[\/&]/
&/g')/g" $3 > $tmp
+ chown --reference $3 $tmp
+ chmod --reference $3 $tmp
mv $tmp $3
}
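Review bot: The added `chown`/`chmod` only run after `sed ... > $tmp` has already created and filled the temp file, so between the redirect and the `chmod` the new copy exists with whatever owner and mode the caller's umask gives it, which can be wider than the original's. Create the temp file restrictively first (for example under `umask 077` in a subshell around the redirect) and only then apply the `--reference` calls and the `mv`.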

@@ -114,6 +116,8 @@
backupfile $2
tmp=$2.tmp.`date +%s`
sed "/$1/ s/^/# /" $2 > $tmp
+ chown --reference $2 $tmp
+ chmod --reference $2 $tmp
mv $tmp $2
}
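Review bot: Nothing in this function checks an exit status, so if `sed` or the new `chown --reference $2 $tmp` fails, `mv $tmp $2` still replaces the live file with an incomplete or wrongly owned copy. Chain the steps (`sed ... > $tmp && chown ... && chmod ... && mv $tmp $2`) and remove `$tmp` when any of them fails.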

@@ -131,6 +135,8 @@
tmp=$2.tmp.`date +%s`
cat $2 > $

{tmp}
echo $1 >> ${tmp}

+ chown --reference $2 $tmp
+ chmod --reference $2 $tmp
mv $

{tmp}

$2
}}}
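Review bot: The two added lines expand `$2` and `$tmp` unquoted, and they spell the variable `$tmp` where the `echo $1 >> ${tmp}` line of the same function uses `${tmp}`. Quote both arguments (`chown --reference "$2" "${tmp}"`, likewise for `chmod`) so a path containing whitespace is not split, and match the function's existing `${tmp}` style.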

 
This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)

Robert Heinzmann (JIRA)

Apr 7, 2016, 3:16:04 AM
to puppe...@googlegroups.com

Robert Heinzmann (JIRA)

Apr 7, 2016, 3:17:04 AM
to puppe...@googlegroups.com
Robert Heinzmann updated an issue
The package "puppetdb" creates template /etc/puppetdb/conf.d/jetty.ini with proper permissions of puppetdb:puppetdb. 

When running /sbin/puppetdb ssl-setup the file permissions change to "root" "root". If your umask is restrictive (e.g. 027) puppetdb start fails.

The attached fix keeps the original file permissions initially set via rpm:

{{--- /usr/libexec/puppetdb/puppetdb-ssl-setup.ORG        2015-10-14 00 Another note : 23:52.000000000 +0200

+++ /usr/libexec/puppetdb/puppetdb-ssl-setup    2016-04-07 09:04:05.218000000 +0200
@@ -98,6 +98,8 @@
   backupfile $3
   tmp=$3.tmp.`date +%s`
   sed "s/$1/$(echo $2 | sed -e 's/[\/  commands should be chained with & ]/\\ & /g')/g  to avoid creating "  $3 > $tmp

+  chown --reference $3 $tmp
+  chmod --reference $3 $tmp
   mv $tmp $3
 }
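Review bot: The file that the added `chown`/`chmod` operate on is named `$3.tmp.` plus the output of `date +%s`, which is predictable, and it is written through a plain shell redirect with no check that the path does not already exist. Since this hunk touches the temp-file handling anyway, create it with `mktemp "$3.XXXXXX"`, which opens the file exclusively with mode 0600, and apply the `--reference` calls to that.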

@@ -114,6 +116,8 @@
   backupfile $2
   tmp=$2.tmp.`date +%s`
   sed broken  " /$1/ s/^/# /" $2 > $tmp

+  chown --reference $2 $tmp
+  chmod --reference $2 $tmp
   mv $tmp $2
 }

@@ -131,6 +135,8 @@
   tmp=$2  config files . tmp.`date +%s`

   cat $2 > ${tmp}
   echo $1 >> ${tmp}
+  chown --reference $2 $tmp
+  chmod --reference $2 $tmp
   mv ${tmp} $2

}}

Rob Browning (Jira)

Apr 15, 2021, 12:29:03 PM
to puppe...@googlegroups.com
Rob Browning updated an issue
Change By: Rob Browning
Story Points: 2
Team: HA
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Rob Browning (Jira)

Apr 15, 2021, 12:30:04 PM
to puppe...@googlegroups.com

Frédéric Lespez

Apr 30, 2021, 9:52:02 AM
to puppe...@googlegroups.com
Frédéric Lespez commented on Bug PDB-2590
 
Re: /sbin/puppetdb ssl-setup breaks file permissions on /etc/puppetdb/conf.d/jetty.ini

Seeing this bug since PDB 6.15 on Debian Buster. I have never seen it before.

Running puppetdb ssl-setup -f also changes the permissions of the jetty.ini file from 644 to 640, which prevents PuppetDB from starting.

Before running puppetdb ssl-setup -f:

# ls -l /etc/puppetlabs/puppetdb/conf.d/jetty.ini
-rw-r--r-- 1 root root 2554 mars  27 17:18 /etc/puppetlabs/puppetdb/conf.d/jetty.ini

After running puppetdb ssl-setup -f:

# ls -l /etc/puppetlabs/puppetdb/conf.d/jetty.ini
-rw-r----- 1 root root 2592 mars  27 17:19 /etc/puppetlabs/puppetdb/conf.d/jetty.ini

 

 

Austin Blatt (Jira)

May 5, 2021, 2:47:04 PM
to puppe...@googlegroups.com

Rob Browning (Jira)

May 14, 2021, 12:16:04 PM
to puppe...@googlegroups.com

Rob Browning (Jira)

May 21, 2021, 2:54:01 PM
to puppe...@googlegroups.com
Rob Browning updated an issue
Change By: Rob Browning
Fix Version/s: PDB 6.16.2
Fix Version/s: PDB 7.3.2

Rob Browning (Jira)

May 21, 2021, 2:58:02 PM
to puppe...@googlegroups.com
Rob Browning updated an issue
Change By: Rob Browning
Release Notes: Security Fix
Release Notes Summary: The ssl-setup command (which is also invoked by the PuppetDB package installation scripts) should handle ssl-related filesystem permissions more carefully.  Previously it might reset them when it shouldn't have, and/or leave them briefly with incorrect, potentially overly permissive values.

Zachary Kent (Jira)

May 21, 2021, 3:50:02 PM
to puppe...@googlegroups.com
Zachary Kent updated an issue
Change By: Zachary Kent
Fix Version/s: PDB 7.3.2
Fix Version/s: PDB 7.4.0
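
One way to do the config rewrite that the reports and the release note in this thread call for, as an added example (not PuppetDB's code and not the fix that shipped): the temp file is created with `mktemp`, takes the original's owner and mode before the rename, and every step is checked. The helper names `rewrite_preserving_perms` and `file_mode` and the sample file are constructed for illustration; GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not PuppetDB's code: edit a config file through a temp
# file without changing its owner or mode, whatever the caller's umask is.
# rewrite_preserving_perms FILE SED_EXPR   (hypothetical helper name)
rewrite_preserving_perms() {
    file=$1
    expr=$2
    # mktemp creates the file exclusively with mode 0600, so the new copy
    # is never readable more widely than the original while it is written.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Every step is chained: the rename only happens if the edit and both
    # metadata copies succeeded.
    if sed "$expr" "$file" > "$tmp" &&
       chown --reference="$file" "$tmp" &&
       chmod --reference="$file" "$tmp" &&
       mv -f "$tmp" "$file"
    then
        return 0
    fi
    rm -f "$tmp"    # do not leave a half-written or misowned copy behind
    return 1
}

# Mode of a file as octal digits (GNU stat).
file_mode() { stat -c '%a' "$1"; }

# Constructed demo: a 0644 file stays 0644 under a restrictive umask (027),
# the situation described in the reports above.
demo_dir=$(mktemp -d)
printf '[jetty]\nssl-port = 8081\n' > "$demo_dir/jetty.ini"
chmod 644 "$demo_dir/jetty.ini"
( umask 027
  rewrite_preserving_perms "$demo_dir/jetty.ini" 's/^ssl-port/# ssl-port/' )
echo "mode after rewrite: $(file_mode "$demo_dir/jetty.ini")"
rm -rf "$demo_dir"
```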