Jira (PUP-9398) Race condition exists when cron resource specified but cron is not installed and gets installed by puppet

[Joseph Marcelletti (JIRA)]

Joseph Marcelletti created an issue

Puppet / PUP-9398 Race condition exists when cron resource specified but cron is not installed and gets installed by puppet Issue Type: Bug Affects Versions: PUP 6.1.0, PUP 5.3.6 Assignee: Unassigned Created: 2019/01/04 1:52 PM Priority: Normal Reporter: Joseph Marcelletti Puppet Version: All tested (latest) Puppet Server Version: 4, 5, 6.1.0 OS Name/Version: Centos 6/7 When a system does not have a cron handler installed, but the manifest installs cron and then installs a cron entry for a user, the cron entry will NOT get added to the user but instead to root. If you run again it will install for the user. This is obviously not intended and can potentially create a security risk (as cronjobs will run as root unintended). More importantly, it breaks stuff. Here is a sample that you can replace your site.pp with and run against an agent to reproduce: Make sure cronie is NOT installed (or any cron provider) for the sample race condition. package { 'cronie': ensure => installed, } cron { 'race_condition_test': ensure => present, user => 'nobody', # This can be any user as long as they exist. minute => '*/30', command => '/bin/false', require => Package['cronie'], }   Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Joseph Marcelletti (JIRA)]

Joseph Marcelletti updated an issue

Puppet / PUP-9398 Race condition exists when cron resource specified but cron is not installed and gets installed by puppet

Change By: Joseph Marcelletti *Puppet Version: All tested (latest)* *Puppet Server Version: 4, 5, 6.1.0* *OS Name/Version: Centos 6/7*

When a system does not have a cron handler installed, but the manifest installs cron and then installs a cron entry for a user, the cron entry will NOT get added to the user but instead to root. If you run again it will install for the user. This is obviously not intended and can potentially create a security risk (as cronjobs will run as root unintended). More importantly, it breaks stuff. Here is a sample that you can replace your site.pp with and run against an agent to reproduce:

{code} # Make sure cronie is NOT installed (or any cron provider) for the sample race condition.

package { 'cronie': ensure => installed, } cron { 'race_condition_test': ensure => present, user => 'nobody', # This can be any user as long as they exist. minute => '*/30', command => '/bin/false', require => Package['cronie'], }

{code}

Add Comment

[Joseph Marcelletti (JIRA)]

[Joseph Marcelletti (JIRA)]

The first time you run this it will install cronie, and install this crontab under root. Every time you run after it will install / verify the cron entry exists for the user 'nobody'.

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-9398 Race condition exists when cron resource specified but cron is not installed and gets installed by puppet

Change By: Josh Cooper Team: Platform OS

Add Comment

[Scott McClellan (JIRA)]

Scott McClellan updated an issue

Puppet / PUP-9398 Race condition exists when cron resource specified but cron is not installed and gets installed by puppet

Change By: Scott McClellan Labels: cron linux type_and_provider

Add Comment

[Josh Cooper (Jira)]

Josh Cooper commented on PUP-9398

Re: Race condition exists when cron resource specified but cron is not installed and gets installed by puppet The cron type and provider was moved to a module in puppet 6, and puppet 5 is EOL, so I'm moving this to the MODULES project.

Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)