cf-agent floods logs with execv errors


Xander Cage

Apr 16, 2024, 5:26:08 AM
to help-cfengine
Hi,

cf-agent complains about /usr/bin/getent not found. As this is an AIX environment, this makes no sense. getent is a Linux thing.

```
Apr 16 09:36:35 kug01132 user:err|error cf-agent[10617102]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:41:25 kug01132 user:err|error cf-agent[2556430]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:46:15 kug01132 user:err|error cf-agent[36569520]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:51:06 kug01132 user:err|error cf-agent[18416128]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 09:55:56 kug01132 user:err|error cf-agent[54067624]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:01:47 kug01132 user:err|error cf-agent[459462]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:06:37 kug01132 user:err|error cf-agent[20120026]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:11:27 kug01132 user:err|error cf-agent[58458376]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:16:17 kug01132 user:err|error cf-agent[58458558]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:21:07 kug01132 user:err|error cf-agent[17564104]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:25:57 kug01132 user:err|error cf-agent[43057456]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:31:48 kug01132 user:err|error cf-agent[23462412]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:36:37 kug01132 user:err|error cf-agent[4325842]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:41:28 kug01132 user:err|error cf-agent[52036014]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:46:18 kug01132 user:err|error cf-agent[18875116]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:51:09 kug01132 user:err|error cf-agent[43057622]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
Apr 16 10:55:58 kug01132 user:err|error cf-agent[46203222]: CFEngine(agent)  Couldn't run '/usr/bin/getent'. (execv: No such file or directory)
```

needs to be fixed...

wbr

chris

Xander Cage

Apr 16, 2024, 6:12:48 AM
to help-cfengine
I was just informed that getent is not a Linux-specific thing but is part of POSIX. Anyway, it's not in AIX, so a fix is still necessary.

Xander Cage

Apr 16, 2024, 7:31:30 AM
to help-cfengine
A quick grep in the masterfiles showed two instances of a getent call...

```
root@nimvie: /var/cfengine/masterfiles # grep -r getent *
lib/paths.cf:      "path[getent]"        string => "/usr/bin/getent";
lib/vcs.cf:        string => execresult("$(paths.getent) passwd $(repo_uid)", noshell),
```

vcs.cf seems to be the culprit...

Craig Comstock

Apr 16, 2024, 1:06:17 PM
to Xander Cage, help-cfengine
Thanks for the report Xander.

It does look like that bit of policy could use some refactoring to work on systems without getent.

Probably we could use the `getuserinfo()` policy function instead which includes the home_dir entry.

Let us know if you want to work on the fix.

I created a ticket:

-Craig

--
Craig Comstock (he/him) CFEngineer/Digger | CFEngine
Kansas, USA
Northern.tech | Securing the world's connected devices

Nick Anderson

Apr 19, 2024, 10:04:03 AM
to Xander Cage, help-cfengine
Do you plan to open a pull request to refactor it to use getuserinfo()?

On Fri, Apr 19, 2024 at 8:48 AM Xander Cage <christia...@itsv.at> wrote:
getuserinfo function works in aix...

root@aixtest01: /root/cfe_testbed # /var/cfengine/bin/cf-agent -KI -f ./getuserinfo.cf
R: I am '', root shell is '/usr/bin/ksh', and the agent was started by {"description":"","gid":0,"home_dir":"/root","shell":"/usr/bin/ksh","uid":0,"username":"root"}

Nick Anderson

Apr 19, 2024, 10:25:56 AM
to Xander Cage, help-cfengine
I think this will do it:

```
modified   lib/vcs.cf
@@ -290,14 +290,10 @@ bundle agent git(repo_path, subcmd, args)
       comment => "So that we don't mess up permissions, we will just execute
                     all commands as the current group of .git";
 
-      # We get the passwd entry from the user that owns the repo so
-      # that we can extract the home directory for later use.
-      "repo_uid_passwd_ent"
-        string => execresult("$(paths.getent) passwd $(repo_uid)", noshell),
-        comment => "We need to extract the home directory of the repo
-                    owner so that it can be used to avoid errors from
-                    unprivledged execution trying to access the root
-                    users git config.";
+      # Data container with user info
+      # {"description":"Luke Skywalker","gid":1000,"home_dir":"/home/luke","shell":"/bin/bash","uid":1000,"username":"luke"}
+      "repo_userinfo"
+        data => getuserinfo( "$(repo_uid)" );
 
   classes:
       "am_root" expression => strcmp($(this.promiser_uid), "0");
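Review bot: the new "repo_userinfo" promise calls getuserinfo( "$(repo_uid)" ) unconditionally, while the class promise further down only uses repo_uid behind if => isvariable( repo_uid ). Adding the same guard here would avoid a user lookup on an unexpanded variable. The replacement comment also drops the reason the home directory is needed (avoiding errors from unprivileged execution trying to read the root user's git config); one line of that rationale should stay next to the sample container.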
@@ -311,24 +307,14 @@ bundle agent git(repo_path, subcmd, args)
         not => strcmp($(this.promiser_uid), $(repo_uid)),
         if => isvariable( repo_uid );
 
-    am_root.need_to_drop::
-      # This regular expression could be tightened up
-      # Extract the home directory from the owner of the repository
-      # into $(repo_uid_passwd[1])
-      "extracted_repo_uid_home"
-        expression => regextract( ".*:.*:\d+:\d+:.*:(.*):.*",
-                                  $(repo_uid_passwd_ent),
-                                  "repo_uid_passwd" ),
-        if => isvariable("repo_uid_passwd_ent");
-
-  commands:
+ commands:
     am_root.need_to_drop::
       # Because cfengine does not inherit the shell environment when
       # executing commands, git will look for the root users git
       # config and error when the executing user does not have
       # access. So we need to set the home directory of the executing
       # user.
-      "$(paths.env) HOME=$(repo_uid_passwd[1]) $(oneliner)"
+      "$(paths.env) HOME=$(repo_userinfo[home_dir]) $(oneliner)"
         args => "$(subcmd) $(args)",
         classes => kept_successful_command,
         contain => setuidgid_dir( $(repo_uid), $(repo_gid), $(repo_path) );
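Review bot: the command under am_root.need_to_drop expands HOME=$(repo_userinfo[home_dir]) with no guard, although the reports promise in the next hunk checks isvariable("repo_userinfo[home_dir]"), and the removed extracted_repo_uid_home class was the only visible check that a home directory had been obtained. Suggest adding if => isvariable("repo_userinfo[home_dir]") to the command so git is not run as the dropped user with an unresolved HOME. Separately, "commands:" lost a space of indentation ("  commands:" became " commands:") and no longer lines up with "classes:" and "reports:".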
@@ -341,8 +327,8 @@ bundle agent git(repo_path, subcmd, args)
 
   reports:
     "DEBUG|DEBUG_$(this.bundle).am_root.need_to_drop"::
-      "DEBUG $(this.bundle): with dropped privileges to uid '$(repo_uid)' and gid '$(repo_gid)', in directory '$(repo_path)', running Git command '$(paths.env) HOME=\"$(repo_uid_passwd[1])\" $(oneliner) $(subcmd) $(args)'"
-        if => isvariable("repo_uid_passwd[1]");
+      "DEBUG $(this.bundle): with dropped privileges to uid '$(repo_uid)' and gid '$(repo_gid)', in directory '$(repo_path)', running Git command '$(paths.env) HOME=\"$(repo_userinfo[home_dir])\" $(oneliner) $(subcmd) $(args)'"
+        if => isvariable("repo_userinfo[home_dir]");
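Review bot: the DEBUG report prints HOME=\"$(repo_userinfo[home_dir])\" with escaped quotes, but the commands promise in the previous hunk runs HOME=$(repo_userinfo[home_dir]) unquoted, so the logged line is not the command that was executed. Make the two match so the debug output can be relied on when checking what ran with dropped privileges.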
```

Care to test that out and open a pull request?

Nick Anderson

Apr 22, 2024, 10:31:16 AM
to help-cfengine

Xander,

I don't know why your messages are constantly held for moderation. I permanently approved them, but for whatever reason they show up as "deleted". Can you try to respond again?

Xander Cage

Apr 25, 2024, 10:11:34 AM
to help-cfengine
knock, knock...

Nick Anderson

Apr 25, 2024, 11:24:30 AM
to Xander Cage, help-cfengine
Hey it finally landed.
