Jira (PUP-6936) unable to read last_run_summary.yaml from user

[Daniele Palumbo (JIRA)]

Daniele Palumbo created an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user Issue Type: Bug Affects Versions: PUP 4.7.0 Assignee: Unassigned Created: 2016/11/18 7:09 PM Environment: Debian Jessie puppetlabs repository root@x:~# dpkg -l puppet Desired=Unknown/Install/Remove/Purge/Hold Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend / Err?=(none)/Reinst-required (Status,Err: uppercase=bad) / Name Version Architecture Description +++ ============== ============ ============ ================================= ii puppet 3.7.2-4 all configuration management system, root@x:~# Labels: puppet-agent Priority: Normal Reporter: Daniele Palumbo The last_run_summary.yaml is not readable by users. Based on old tickets: https://projects.puppetlabs.com/issues/15471, https://github.com/puppetlabs/puppet/commit/0f13cf5 Here is stated that the file read last_run_summary.yaml should be world readable. And currently the file is world readable. Evidence: root@x:~# ls -la /var/lib/puppet/state/last_run_summary.yaml rw-r r - 1 root root 736 Nov 19 03:44 /var/lib/puppet/state/last_run_summary.yaml root@x:~# https://tickets.puppetlabs.com/browse/PUP-3163, https://tickets.puppetlabs.com/browse/PUP-3156 Here is stated that the directory /var/lib/puppet/state/ and /var/lib/puppet/reports, need to be at least world readable. And currently that directory are world readable. Evidence: root@x:~# ls -la /var/lib/puppet/ total 60 drwxr-x--- 15 puppet puppet 4096 May 3 2016 . drwxr-xr-x 47 root root 4096 May 3 2016 .. drwxr-x--- 3 root root 4096 Nov 30 2014 client_data drwxr-x--- 3 root root 4096 Nov 25 2014 client_yaml drwxr-x--- 6 root root 4096 Jul 12 00:54 clientbucket drwxr-xr-x 4 root root 4096 Jan 27 2016 concat drwxr-xr-x 2 root root 4096 Nov 21 2014 facts drwxr-xr-x 2 root root 4096 Jun 6 13:18 facts.d drwxr-xr-x 8 root root 4096 Nov 19 02:17 lib drwxr-xr-x 2 root root 4096 Nov 25 2014 log drwxr-x--- 2 puppet puppet 4096 May 3 2016 preview drwxr-xr-x 2 puppet puppet 4096 Nov 28 2014 reports drwxrwxrwt 2 root root 4096 Nov 25 2014 run drwxrwx--x 7 puppet puppet 4096 Nov 28 2014 ssl drwxr-xr-t 3 puppet puppet 4096 Nov 19 03:43 state root@x:~# But as you can see above, the whole /var/lib/puppet is not world accessible nor readable. Based on that condition, /var/lib/puppet/state/last_run_report.yaml is not world readable. Add Comment

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

[Daniele Palumbo (JIRA)]

Daniele Palumbo updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Daniele Palumbo

The last_run_summary.yaml is not readable by users. Based on old tickets: https://projects.puppetlabs.com/issues/15471, https://github.com/puppetlabs/puppet/commit/0f13cf5 Here is stated that the file read last_run_summary.yaml should be world readable. And currently the file is world readable. Evidence: root@x:~# ls -la /var/lib/puppet/state/last_run_summary.yaml

-rw-r--r-- 1 root root 736 Nov 19 03:44 /var/lib/puppet/state/last_run_summary.yaml

root@x:~#  https://tickets.puppetlabs.com/browse/PUP-3163, https://tickets.puppetlabs.com/browse/PUP-3156 Here is stated that the directory /var/lib/puppet/state/ and /var/lib/puppet/reports, need to be at least world readable. And currently that directory are world readable. Evidence: root@x:~# ls -la /var/lib/puppet/ total 60

*drwxr-x--- 15 puppet puppet 4096 May  3  2016 .*

drwxr-xr-x 47 root   root   4096 May  3  2016 .. drwxr-x---  3 root   root   4096 Nov 30  2014 client_data drwxr-x---  3 root   root   4096 Nov 25  2014 client_yaml drwxr-x---  6 root   root   4096 Jul 12 00:54 clientbucket drwxr-xr-x  4 root   root   4096 Jan 27  2016 concat drwxr-xr-x  2 root   root   4096 Nov 21  2014 facts drwxr-xr-x  2 root   root   4096 Jun  6 13:18 facts.d drwxr-xr-x  8 root   root   4096 Nov 19 02:17 lib drwxr-xr-x  2 root   root   4096 Nov 25  2014 log drwxr-x---  2 puppet puppet 4096 May  3  2016 preview drwxr-xr-x  2 puppet puppet 4096 Nov 28  2014 reports drwxrwxrwt  2 root   root   4096 Nov 25  2014 run drwxrwx--x  7 puppet puppet 4096 Nov 28  2014 ssl drwxr-xr-t  3 puppet puppet 4096 Nov 19 03:43 state root@x:~# But as you can see above, the whole

*/var/lib/puppet*

is not world accessible nor readable. Based on that condition,  /var/lib/puppet/state/last_run_report.yaml is not world readable.

Setting  chmod +x /var/lib/puppet is sufficient to solve the problem. Running puppet agent -t do not revert the permission.

Add Comment

[Daniele Palumbo (JIRA)]

Daniele Palumbo updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user Change By: Daniele Palumbo

The last_run_summary.yaml is not readable by users.

Editing since the first publishing, because i have noticed that i have mixed puppetlabs packages and debian packages.

Based on old tickets: https://projects.puppetlabs.com/issues/15471, https://github.com/puppetlabs/puppet/commit/0f13cf5 Here is stated that the file read last_run_summary.yaml should be world readable. And currently the file is world readable

Evidence on puppetlabs package: root@x:~#  puppet config print lastrunreport /opt/puppetlabs/puppet/cache/state/last_run_report . yaml root@x:~# ls -la /opt/puppetlabs/puppet/cache/state/last_run_report.yaml -rw-r----- 1 root root 117739 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~#  Evidence  on debian package : root@x:~#  puppet config print lastrunreport /var/lib/puppet/state/last_run_report.yaml root@x:~#  ls -la /var/lib/puppet/state/ last_run_summary last_run_report .yaml -rw-r-- r -- -  1 root root  736  118278  Nov 19  03  11 : 44 03  /var/lib/puppet/state/ last_run_summary last_run_report .yaml

root@x:~#  https://tickets.puppetlabs.com/browse/PUP-3163, https://tickets.puppetlabs.com/browse/PUP-3156 Here is stated that the directory /var/lib/puppet/state/ and /var/lib/puppet/reports, need to be at least world readable. And currently that directory are world readable.

Evidence  on puppetlabs package : root@x: ~ /etc/puppetlabs/code/environments/development # ls - la lad  / var opt / lib puppetlabs /puppet/ total 60 * cache/state/  drwxr- x--- 15 puppet puppet 4096 May  3  2016 .* drwxr- xr- x 47 root   root   4096 May t   3   2016 .. drwxr-x---  3  root   root   4096 Nov  30  2014 client_data

drwxr-x---  3 root   root   4096 Nov 25  2014 client_yaml

drwxr-x---  6 root   root   4096 Jul 12 00  19 10 :54  clientbucket  /opt/puppetlabs/puppet/cache/state/ drwxr-xr-x  4  root    root   4096 Jan 27  2016 concat drwxr-xr- @ x   2 root   root   4096 Nov 21  2014 facts

drwxr-xr-x  2 root   root   4096 Jun  6 13

: 18 facts.d drwxr /etc/puppetlabs/code/environments/development# ls - xr-x  8 root   root   4096 Nov 19 02:17 lib lad /opt/puppetlabs/puppet/cache/        drwxr- xr- x   2 root   root   4096 Nov 25  2014 log drwxr - x -- -  2  10  puppet puppet 4096 May  3  2016  preview drwxr-xr-x  2  /opt/puppetlabs/  puppet  puppet 4096 Nov 28  2014 reports /cache/ drwxrwxrwt  2  root    root   4096 Nov 25  2014 run @x:/etc/puppetlabs/code/environments/development#  drwxrwx-- Evidence on debian package: rroot@ x   7 :~# ls -ld /var/lib/  puppet  puppet 4096 Nov 28  2014 ssl /state/ drwxr-xr-t  3 puppet puppet 4096 Nov 19  03  11 : 43 03 /var/lib/puppet/  state / root@x:~#

But as you can see above, the whole

*  ls -ld /var/lib/puppet * /       drwxr-x--- 9 puppet puppet 4096 May 16  2016 /var/lib/puppet/ is not world accessible nor readable. root@x:~#

Based on that condition,  /var/lib/puppet/state/last_run_report.yaml is not world readable. Setting  chmod +x /var/lib/puppet is sufficient to solve the problem. Running puppet agent -t do not revert the permission.

Add Comment

[Daniele Palumbo (JIRA)]

Daniele Palumbo updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user Change By: Daniele Palumbo

The last_run_summary.yaml is not readable by users. Editing since the first publishing, because i have noticed that i have mixed puppetlabs packages and debian packages. Based on old tickets: https://projects.puppetlabs.com/issues/15471, https://github.com/puppetlabs/puppet/commit/0f13cf5 Here is stated that the file read last_run_summary.yaml should be world readable.

Evidence on puppetlabs package: {code:java}

root@x:~#  puppet config print lastrunreport /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~# ls -la /opt/puppetlabs/puppet/cache/state/last_run_report.yaml -rw-r----- 1 root root 117739 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~#

{code}

Evidence on debian package: root@x:~# puppet config print lastrunreport /var/lib/puppet/state/last_run_report.yaml

root@x:~# ls -la /var/lib/puppet/state/last_run_report.yaml -rw-r----- 1 root root 118278 Nov 19 11:03 /var/lib/puppet/state/last_run_report.yaml

root@x:~#  https://tickets.puppetlabs.com/browse/PUP-3163, https://tickets.puppetlabs.com/browse/PUP-3156 Here is stated that the directory /var/lib/puppet/state/ and /var/lib/puppet/reports, need to be at least world readable. And currently that directory are world readable. Evidence on puppetlabs package:

root@x:/etc/puppetlabs/code/environments/development# ls -lad /opt/puppetlabs/puppet/cache/state/  drwxr-xr-t 3 root root 4096 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/ root@x:/etc/puppetlabs/code/environments/development# ls -lad /opt/puppetlabs/puppet/cache/        drwxr-x--- 10 puppet puppet 4096 May  3  2016 /opt/puppetlabs/puppet/cache/ root@x:/etc/puppetlabs/code/environments/development#  Evidence on debian package: rroot@x:~# ls -ld /var/lib/puppet/state/ drwxr-xr-t 3 puppet puppet 4096 Nov 19 11:03 /var/lib/puppet/state/ root@x:~# ls -ld /var/lib/puppet/

drwxr-x--- 9 puppet puppet 4096 May 16  2016 /var/lib/puppet/

root@x:~#  Based on that condition,  /var/lib/puppet/state/last_run_report.yaml is not world readable.

Add Comment

[Daniele Palumbo (JIRA)]

Daniele Palumbo updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user Change By: Daniele Palumbo

The last_run_summary.yaml is not readable by users. Editing since the first publishing, because i have noticed that i have mixed puppetlabs packages and debian packages. Based on old tickets: https://projects.puppetlabs.com/issues/15471, https://github.com/puppetlabs/puppet/commit/0f13cf5 Here is stated that the file read last_run_summary.yaml should be world readable. Evidence on puppetlabs package: {code:java} root@x:~#  puppet config print lastrunreport /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~# ls -la /opt/puppetlabs/puppet/cache/state/last_run_report.yaml -rw-r----- 1 root root 117739 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~#  {code} Evidence on debian package:

{code:java} root@ x y :~# puppet config print lastrunreport /var/lib/puppet/state/last_run_report.yaml root@ x y :~# ls -la /var/lib/puppet/state/last_run_report.yaml

-rw-r----- 1 root root 118278 Nov 19 11:03 /var/lib/puppet/state/last_run_report.yaml

root@ x y :~#  {code}

https://tickets.puppetlabs.com/browse/PUP-3163, https://tickets.puppetlabs.com/browse/PUP-3156 Here is stated that the directory /var/lib/puppet/state/ and /var/lib/puppet/reports, need to be at least world readable. And currently that directory are world readable. Evidence on puppetlabs package:

{code:java}

root@x:/etc/puppetlabs/code/environments/development# ls -lad /opt/puppetlabs/puppet/cache/state/  drwxr-xr-t 3 root root 4096 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/ root@x:/etc/puppetlabs/code/environments/development# ls -lad /opt/puppetlabs/puppet/cache/        drwxr-x--- 10 puppet puppet 4096 May  3  2016 /opt/puppetlabs/puppet/cache/ root@x:/etc/puppetlabs/code/environments/development#

{code} Evidence on debian package:

rroot {code:java} root @ x y :~# ls -ld /var/lib/puppet/state/

drwxr-xr-t 3 puppet puppet 4096 Nov 19 11:03 /var/lib/puppet/state/

root@ x y :~# ls -ld /var/lib/puppet/

drwxr-x--- 9 puppet puppet 4096 May 16  2016 /var/lib/puppet/

root@ x y :~#  {code}

Based on that condition,  /var/lib/puppet/state/last_run_report.yaml is not world readable.

Add Comment

[Daniele Palumbo (JIRA)]

Daniele Palumbo updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Daniele Palumbo Environment: Debian Jessie puppetlabs repository  and debian repository

root@x:~# dpkg -l puppet Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name           Version      Architecture Description

+++-==============-============-============-=================================

ii  puppet         3.7.2-4      all          configuration management system,  root@x:~#

Add Comment

[Daniele Palumbo (JIRA)]

Daniele Palumbo updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user Change By: Daniele Palumbo

The last_run_summary.yaml is not readable by users. Editing since the first publishing, because i have noticed that i have mixed puppetlabs packages and debian packages.

Detailed of packages installed:

Evidence on puppetlabs package: {code:java}

root@x:~# dpkg -l puppet-agent

Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name           Version      Architecture Description +++-==============-============-============-=================================

ii  puppet-agent   1.8.0-1jessi amd64        The Puppet Agent package contains

root@x:~#  {code} Evidence on debian package: {code:java}

root@y:~# dpkg -l puppet

Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name           Version      Architecture Description +++-==============-============-============-================================= ii  puppet         3.7.2-4      all          configuration management system,

root@y:~#  {code}

Based on old tickets: https://projects.puppetlabs.com/issues/15471, https://github.com/puppetlabs/puppet/commit/0f13cf5 Here is stated that the file read last_run_summary.yaml should be world readable. Evidence on puppetlabs package: {code:java} root@x:~#  puppet config print lastrunreport /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~# ls -la /opt/puppetlabs/puppet/cache/state/last_run_report.yaml -rw-r----- 1 root root 117739 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/last_run_report.yaml root@x:~#  {code} Evidence on debian package: {code:java}

root@y:~# puppet config print lastrunreport /var/lib/puppet/state/last_run_report.yaml root@y:~# ls -la /var/lib/puppet/state/last_run_report.yaml

-rw-r----- 1 root root 118278 Nov 19 11:03 /var/lib/puppet/state/last_run_report.yaml

root@y:~#

{code} https://tickets.puppetlabs.com/browse/PUP-3163, https://tickets.puppetlabs.com/browse/PUP-3156 Here is stated that the directory /var/lib/puppet/state/ and /var/lib/puppet/reports, need to be at least world readable. And currently that directory are world readable. Evidence on puppetlabs package: {code:java} root@x:/etc/puppetlabs/code/environments/development# ls -lad /opt/puppetlabs/puppet/cache/state/  drwxr-xr-t 3 root root 4096 Nov 19 10:54 /opt/puppetlabs/puppet/cache/state/ root@x:/etc/puppetlabs/code/environments/development# ls -lad /opt/puppetlabs/puppet/cache/        drwxr-x--- 10 puppet puppet 4096 May  3  2016 /opt/puppetlabs/puppet/cache/ root@x:/etc/puppetlabs/code/environments/development#  {code} Evidence on debian package:

{code:java} root@y:~# ls -ld /var/lib/puppet/state/

drwxr-xr-t 3 puppet puppet 4096 Nov 19 11:03 /var/lib/puppet/state/

root@y:~# ls -ld /var/lib/puppet/

drwxr-x--- 9 puppet puppet 4096 May 16  2016 /var/lib/puppet/

root@y:~#

{code} Based on that condition,  /var/lib/puppet/state/last_run_report.yaml is not world readable.

Add Comment

[R.I.Pienaar (JIRA)]

R.I.Pienaar commented on PUP-6936

Re: unable to read last_run_summary.yaml from user last_run_report should not be readable, last_run_summary should but as you say, on puppet-agent packages: drwxr-x--- 14 root root 4096 Oct 31 22:59 /opt/puppetlabs/puppet/cache is the real problem preventing it

Add Comment

[Moses Mendoza (JIRA)]

Moses Mendoza commented on PUP-6936

Re: unable to read last_run_summary.yaml from user

It appears this has been the case since the introduction of the puppet-agent package when these things moved under cache. It looks like it might go back further though, as in the last version shipped as the 'puppet' package (by Puppet that is), 3.8.7, the last_run_summary.yaml and its parent directory are world readable, but /var/lib/puppet isn't: [root@rhel7 puppet]# ls -l /var/lib ... drwxr-x---. 12 puppet puppet 4096 Oct 7 14:11 puppet ... [root@rhel7 puppet]# puppet --version 3.8.7 [root@rhel7 puppet]# ls -l /var/lib/puppet/ total 0 drwxr-x---. 2 root root 6 Oct 7 14:11 clientbucket drwxr-x---. 2 root root 6 Oct 7 14:11 client_data drwxr-x---. 2 root root 6 Oct 7 14:11 client_yaml drwxr-xr-x. 2 root root 6 Oct 7 14:11 facts.d drwxr-xr-x. 2 root root 6 Oct 7 14:11 lib drwxr-x---. 2 puppet puppet 6 Oct 7 14:11 preview drwxr-x---. 3 puppet puppet 30 Oct 7 14:11 reports drwxr-x---. 2 puppet puppet 6 Oct 7 14:11 rrd drwxrwx--x. 7 puppet puppet 96 Oct 7 14:11 ssl drwxr-xr-t. 3 puppet puppet 91 Oct 7 14:11 state [root@rhel7 puppet]# ls -l /var/lib/puppet/state/ total 16 drwxr-xr-x. 2 root root 6 Oct 7 14:11 graphs -rw-rw----. 1 root root 6900 Oct 7 14:11 last_run_report.yaml -rw-r--r--. 1 root root 455 Oct 7 14:11 last_run_summary.yaml -rw-rw----. 1 root root 3367 Oct 7 14:11 state.yaml puppet package in EPEL, meanwhile does not have this problem: [root@rhel7 ~]# ls -l /var/lib ... drwxr-xr-x. 11 puppet puppet 4096 Nov 21 16:18 puppet ... [root@rhel7 ~]# ls -l /var/lib/puppet total 0 drwxr-x---. 2 root root 6 Nov 21 16:18 clientbucket drwxr-x---. 2 root root 6 Nov 21 16:18 client_data drwxr-x---. 2 root root 6 Nov 21 16:18 client_yaml drwxr-xr-x. 2 root root 6 Nov 21 16:18 facts.d drwxr-xr-x. 2 root root 6 Nov 21 16:18 lib drwxr-xr-x. 3 root root 30 Nov 21 16:18 reports drwxr-x---. 2 puppet puppet 6 Nov 21 16:18 rrd drwxrwx--x. 7 puppet puppet 96 Nov 21 16:18 ssl drwxr-xr-t. 3 root root 91 Nov 21 16:18 state [root@rhel7 ~]# ls -l /var/lib/puppet/state total 16 drwxr-xr-x. 2 root root 6 Nov 21 16:18 graphs -rw-rw----. 1 root root 6909 Nov 21 16:18 last_run_report.yaml -rw-r--r--. 1 root root 465 Nov 21 16:18 last_run_summary.yaml -rw-rw----. 1 root root 3220 Nov 21 16:18 state.yaml This should get fixed IMO. With Puppet Agent we'll just want to make sure everything that lives in /opt/puppetlabs/puppet/cache is appropriately permissioned and not relying on that directory not being world readable.

Add Comment

[Moses Mendoza (JIRA)]

Moses Mendoza updated an issue

Puppet / PUP-6936

unable to read last_run_summary.yaml from user

Change By: Moses Mendoza Sprint: AP Grooming

Add Comment

[Moses Mendoza (JIRA)]

Moses Mendoza updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Moses Mendoza Team: Agent & Platform

Add Comment

[Geoff Nichols (JIRA)]

Geoff Nichols updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Geoff Nichols Sprint: AP  Grooming  Holding

Add Comment

[Geoff Nichols (JIRA)]

Geoff Nichols updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Geoff Nichols Sprint: AP  Holding  Grooming

Add Comment

[Geoff Nichols (JIRA)]

Geoff Nichols updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Geoff Nichols Sprint: AP  Grooming  Holding

Add Comment

[Geoff Nichols (JIRA)]

Geoff Nichols updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Geoff Nichols Sprint: AP  Holding  Grooming

Add Comment

[Geoff Nichols (JIRA)]

Geoff Nichols updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Geoff Nichols Sprint: Agent Accepted

Add Comment

[Maggie Dreyer (JIRA)]

Maggie Dreyer updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Maggie Dreyer Labels: puppet-agent  triaged

Add Comment

[Nicky Kernohan (JIRA)]

Nicky Kernohan updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Nicky Kernohan Method Found: Customer Feedback

Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Nicky Kernohan (JIRA)]

Nicky Kernohan updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Nicky Kernohan Zendesk Ticket IDs: https://puppetlabs.zendesk.com/agent/tickets/29674

Add Comment

[Nicky Kernohan (JIRA)]

[Nicky Kernohan (JIRA)]

Nicky Kernohan updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Nicky Kernohan CS Priority: Normal CS Impact: Customer wants to use this file to monitor their agent runs CS Severity: 3 - Serious CS Business Value: 2 - $$$ CS Frequency: 1 - 1-5% of Customers

Add Comment

[Adam Bottchen (JIRA)]

Adam Bottchen updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Adam Bottchen CS Priority: Normal Needs Priority

Add Comment

[Owen Rodabaugh (JIRA)]

Owen Rodabaugh updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Owen Rodabaugh CS Priority: Needs Priority Reviewed CS Impact: Customer wants to use this file to monitor their agent runs and not run monitoring as the root user which causes file to be inaccessible without other action to move it or change permissions.

Add Comment

[Craig Gomes (JIRA)]

Craig Gomes updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Craig Gomes Team: Platform Core OS

Add Comment

[Branan Riley (JIRA)]

Branan Riley updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Branan Riley Labels: puppet-agent daemon logging permissions

Add Comment

[Nicky Kernohan (JIRA)]

Nicky Kernohan updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Nicky Kernohan Affects Version/s: PUP 5.5.z Zendesk Ticket IDs: https://puppetlabs.zendesk.com/agent/tickets/30947 https://puppetlabs.zendesk.com/agent/tickets/29674

Add Comment

[Nicky Kernohan (JIRA)]

Nicky Kernohan updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Nicky Kernohan

Zendesk Ticket IDs: https://puppetlabs.zendesk.com/agent/tickets/30947 https://puppetlabs.zendesk.com/agent/tickets/29674

Add Comment

[Nicky Kernohan (JIRA)]

Nicky Kernohan commented on PUP-6936

Re: unable to read last_run_summary.yaml from user Would it be possible to open up the whole cache dir to 755 permissions?

Add Comment

[Branan Riley (JIRA)]

Branan Riley commented on PUP-6936

Re: unable to read last_run_summary.yaml from user

Puppet frequently manages sensitive information, and its various caches, states, and logs can contain that. Most of the cache directory really /shouldn't/ be all world-readable. That's asking for someone else to come along and file a ticket that we're leaking information. That being said, last_run_summary should be safe. I don't see why that couldn't be set to 644

Add Comment

[Nicky Kernohan (JIRA)]

Nicky Kernohan commented on PUP-6936

Re: unable to read last_run_summary.yaml from user

Hi, any updates? If the change in the perms  for the summary is fairly straightforward, can we try and aim to get this into the next Z release? Thanks Nicky

Add Comment

[Marcel (JIRA)]

Marcel commented on PUP-6936

Re: unable to read last_run_summary.yaml from user

Hey, any news on this? The problem are the permissions on /opt/puppetlabs/puppet/cache, they are 750. Thanks Marcel

Add Comment

[Jorie Tappa (JIRA)]

Jorie Tappa updated an issue

Puppet / PUP-6936

unable to read last_run_summary.yaml from user

Change By: Jorie Tappa Team: Platform OS Coremunity

Add Comment

[Jorie Tappa (JIRA)]

Jorie Tappa updated an issue

Puppet / PUP-6936 unable to read last_run_summary.yaml from user

Change By: Jorie Tappa Sprint: Platform Core Grooming

Add Comment

[Nicky Kernohan (JIRA)]

Nicky Kernohan commented on PUP-6936

Re: unable to read last_run_summary.yaml from user Thanks Branan Riley, could we try and get changing the permissions on the last_run_summary into future sprint? Thank you

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-6936

unable to read last_run_summary.yaml from user

Change By: Josh Cooper Sprint: Platform Core Grooming

Add Comment

[Josh Cooper (Jira)]

Josh Cooper commented on PUP-6936

Re: unable to read last_run_summary.yaml from user This issue is a result of the puppet-agent package, see https://github.com/puppetlabs/puppet-agent/commit/afe62853124860990fd83b8b7e4c50622c01c95f. This change was made because the cache directory can contain sensitive information such as the cached catalog and reports. Since this is an issue with puppet-agent packaging, I'm going to move it to the PA project. Also one workaround is to configure puppet to save the last_run_summary.yaml file to a different directory which is world readable, such as Puppet[:lastrunfile] = /opt/puppetlabs/puppet/last_run_summary.yaml.

Add Comment

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)