Jira (PUP-1226) puppet breaking setuid bit on group change


Stephen Gelman (JIRA)
Dec 12, 2016, 2:55:03 PM
to puppe...@googlegroups.com
Stephen Gelman commented on Bug PUP-1226
 
Re: puppet breaking setuid bit on group change

We are running into the same issue under Debian. It seems to me like this is a legitimate bug that should be fixed. Leaving the permissions incorrect until the next puppet run does not seem to be an adequate solution.

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

zendesk.jira (JIRA)
Feb 6, 2017, 4:55:03 PM
to puppe...@googlegroups.com
zendesk.jira commented on Bug PUP-1226

Hello,

As detailed in this ticket: https://tickets.puppetlabs.com/browse/PUP-1226
Puppet requires multiple runs to be able to set both root ownership and any setuid bits, because setuid is clobbered when root is set as owner for security reasons. This ticket appears to have been open for a few years, and the bug is still affecting me.

A likely solution would be to simply chown first, then chmod second. (though really, I have no idea what the code to do that looks like on your end so it may not be that simple.)

Thanks,

Trevor

zendesk.jira (JIRA)
Feb 6, 2017, 4:55:04 PM
to puppe...@googlegroups.com
zendesk.jira commented on Bug PUP-1226

No problem!
Just don't want to see you version-stranded.

This comment was made by Tom Kishel on Wed Jan 25 15:15:12 PST 2017 from Zendesk

zendesk.jira (JIRA)
Feb 6, 2017, 4:55:04 PM
to puppe...@googlegroups.com
zendesk.jira commented on Bug PUP-1226

Trevor,

I've linked this ticket to the PUP ticket to make the case for addressing this. There's a process for prioritizing bugs, and I'll see what else I can do within that process.

Independently: I noticed you referenced 3.8.7, and that's EOL: https://puppet.com/misc/puppet-enterprise-lifecycle

Do you have plans to upgrade?

Tom

This comment was made by Tom Kishel on Tue Jan 24 17:29:28 PST 2017 from Zendesk

zendesk.jira (JIRA)
Feb 6, 2017, 4:55:04 PM
to puppe...@googlegroups.com
zendesk.jira commented on Bug PUP-1226

Hello,

Thanks for your assistance!

We do have plans to upgrade, I just put in the first agent version I had at hand which was on an older system.

Thanks,

Trevor

Maggie Dreyer (JIRA)
May 15, 2017, 2:45:06 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Labels: file redmine triaged

Moses Mendoza (JIRA)
May 18, 2017, 1:55:26 PM
to puppe...@googlegroups.com
Moses Mendoza updated an issue
Change By: Moses Mendoza
Labels: file redmine triaged

Josh Cooper (Jira)
Jan 26, 2021, 5:26:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
We have a puppet module that's trying to manage owner, group and setuid bit on /bin/nice:

{code:puppet}
file { "/bin/nice":
  owner   => root,
  group   => root,
  mode    => "6555",
}
{code}

If the mode is correct, but group is wrong, puppet will fix the group and lose the setuid bit:

{noformat}
        # chgrp bin /bin/nice
        # chmod 6555 /bin/nice
        # ls -l /bin/nice
        -r-sr-sr-x 1 root bin 23424 Jan 26 17:12 /bin/nice
        # pkill -USR1 puppet

        Jun 29 22:26:29 xsp4 puppetd[21024]: Caught USR1; calling reload
        Jun 29 22:26:32 xsp4 puppetd[21024]: (/Stage[main]/SomeSystem::Nice/File[/bin/nice]/group) group changed 'bin' to 'root'
        Jun 29 22:26:33 xsp4 puppetd[21024]: Finished catalog run in 1.86 seconds

        # ls -l /bin/nice
        -r-xr-xr-x 1 root root 23424 Jan 26 17:12 /bin/nice
{noformat}

And puppet then needs a second run to fix the setuid bit:

{noformat}
        # pkill -USR1 puppet

        Jun 29 22:26:44 xsp4 puppetd[21024]: (/Stage[main]/SomeSystem::Nice/File[/bin/nice]/mode) mode changed '555' to '6555'

        # ls -l /bin/nice
        -r-sr-sr-x 1 root root 23424 Jan 26 17:12 /bin/nice
{noformat}

This has only been tested on v0.25.4 on RHEL5.

Josh Cooper (Jira)
Jan 26, 2021, 5:31:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-1226
 
Re: puppet breaking setuid bit on group change

I can reproduce this issue on redhat as well. It takes two runs to converge:

[root ~]# puppet --version
6.19.1
[root ~]# facter os
{
  architecture => "x86_64",
  family => "RedHat",
  hardware => "x86_64",
  name => "RedHat",
  release => {
    full => "7.2",
    major => "7",
    minor => "2"
  },
  selinux => {
    enabled => false
  }
}
[root ~]# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
file { "/tmp/nice":
  owner   => root,
  group   => root,
  mode    => '6555',
}
[root ~]# cp /bin/nice /tmp/nice
[root ~]# chgrp bin /tmp/nice
[root ~]# chmod 6555 /tmp/nice
[root ~]# ls -la /tmp/nice
-r-sr-sr-x 1 root bin 33064 Jan 26 22:29 /tmp/nice
[root ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for xxx.delivery.puppetlabs.net
Info: Applying configuration version '1611699814'
Notice: /Stage[main]/Main/File[/tmp/nice]/group: group changed 'bin' to 'root' (corrective)
Notice: Applied catalog in 0.01 seconds
[root ~]# ls -la /tmp/nice
-r-xr-xr-x 1 root root 33064 Jan 26 22:20 /tmp/nice
[root ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for xxx.delivery.puppetlabs.net
Info: Applying configuration version '1611699830'
Notice: /Stage[main]/Main/File[/tmp/nice]/mode: mode changed '0555' to '6555' (corrective)
Notice: Applied catalog in 0.01 seconds

Josh Cooper (Jira)
Jan 26, 2021, 6:32:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-1226

The problem is that puppet retrieves the mode 06555 prior to changing the group and puppet assumes the group and mode can be set independently (and in any order). But as Daniel Dreier mentioned above, the chgrp results in the mode changing without puppet realizing it.

The issue of interdependent file properties has come up before. Luke introduced the property_fix method in https://github.com/puppetlabs/puppet/commit/d145aae53ddf43de1a5140ce9226e1b2f383376f to ensure owner, group, mode, etc are correct. However it is only called if the file is created or written to. So one possible fix is to call property_fix after changing the group in the posix provider: https://github.com/puppetlabs/puppet/blob/5d6412cf5de9ed93d80439c539c1416ecf3216b2/lib/puppet/provider/file/posix.rb#L120
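The two-run behaviour described in this thread, as an added example that is not part of the ticket or of Puppet's own code: a small Python simulation of a provider that snapshots the mode before correcting the group, beside one that re-reads the mode after the ownership change (the idea behind calling property_fix after the group change, and equivalent in effect to Trevor's chown-then-chmod suggestion). It assumes Linux, where chown() on a regular file drops the setuid/setgid bits even when the uid/gid do not actually change, so the simulated "group fix" chowns the file to the caller's own uid/gid and needs no root.

```python
import os
import stat
import tempfile

def current_mode(path):
    """Permission bits including setuid/setgid/sticky, as ls -l shows them."""
    return stat.S_IMODE(os.stat(path).st_mode)

def agent_run(path, want_mode, recheck_after_chown):
    """One simulated agent run on the file; returns the properties it changed.

    The chown stands in for the provider correcting the group. It targets
    our own uid/gid so the run needs no root; on Linux the kernel still
    drops setuid/setgid on any chown of a regular file, which is the
    clobbering the ticket describes (assumption: running on Linux).
    """
    changed = []
    snapshot = current_mode(path)             # mode read before any change
    os.chown(path, os.getuid(), os.getgid())  # "group changed 'bin' to 'root'"
    changed.append("group")
    # Naive provider trusts its snapshot; fixed provider re-reads the mode
    # after the ownership change (the property_fix idea).
    observed = current_mode(path) if recheck_after_chown else snapshot
    if observed != want_mode:
        os.chmod(path, want_mode)
        changed.append("mode")
    return changed

def runs_to_converge(want_mode, recheck_after_chown, max_runs=5):
    """Create a throwaway file with the wanted mode and count agent runs
    (each of which 'corrects' the group) until the mode is correct again."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, want_mode)
        for runs in range(1, max_runs + 1):
            agent_run(path, want_mode, recheck_after_chown)
            if current_mode(path) == want_mode:
                return runs
        return max_runs
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("snapshot mode, then chown:", runs_to_converge(0o6555, False), "run(s)")
    print("re-check mode after chown:", runs_to_converge(0o6555, True), "run(s)")
```

The naive strategy takes two runs, exactly as in the agent logs above; re-checking the mode after the chown converges in one.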

Josh Cooper (Jira)
Jan 26, 2021, 6:33:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Coremunity Night's Watch