Different users within same exec

12 views
Skip to first unread message

ssk1287

unread,
Jun 24, 2011, 6:06:27 PM6/24/11
to Puppet Users
I have the following exec in my manifest :

exec { some_exec:
path => [ "/bin","/usr/bin","/usr/local/bin" ],
command => "EXECUTE COMMAND 1",
onlyif => "EXECUTE COMMAND 2",
logoutput => "on_failure"
}

I want that the "COMMAND 1" should be executed by "USER 1" and
"COMMAND 2" should be executed by "USER 2". Is there a way to do it ?
I tried giving the "users" parameter, but that seems to apply to both
the commands.

Thanks in advance,

Nathan Clemons

unread,
Jun 24, 2011, 6:41:52 PM6/24/11
to puppet...@googlegroups.com
Use su -c <cmd> user?
--
Nathan Clemons
The worlds largest online language learning community




--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


ssk1287

unread,
Jun 25, 2011, 9:54:39 AM6/25/11
to Puppet Users
That is exactly what I ended up using. Isn't there a more "puppetty"
way of doing this ?

On Jun 24, 5:41 pm, Nathan Clemons <nat...@livemocha.com> wrote:
> Use su -c <cmd> user?
> --
> Nathan Clemonshttp://www.livemocha.com

Daniel Pittman

unread,
Jun 25, 2011, 2:56:23 PM6/25/11
to puppet...@googlegroups.com
Nope. If you feel strongly that there should be, you can drop in a
feature request or submit a patch, and we would be happy to consider
it. Generally, though, it seems like a very strange requirement. I
can't imagine why you would need to do those operations as different
users, although I absolutely believe you when you say that you do.

It would be very helpful, so, if you could explain what the root cause
of that need is. :)

Daniel

--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons

ssk1287

unread,
Jun 26, 2011, 2:01:20 PM6/26/11
to Puppet Users
Consider the following scenario.

I have a PROCESS 1 triggered by COMMAND 1 which is run by USER 1 that
creates a folder FOLDER 1 which is owned by the root as it should be
accessible to all users of the system. Now, before I run COMMAND 1, I
need to run a command COMMAND 2 that clean ups this FOLDER 1 that was
created during the previous run so as to have a fresh start. Since
FOLDER 1 is owned by root, I need to run COMMAND 2 as a root user but
my COMMAND 1 is run by USER 1.

On Jun 25, 1:56 pm, Daniel Pittman <dan...@puppetlabs.com> wrote:
> Nope.  If you feel strongly that there should be, you can drop in a
> feature request or submit a patch, and we would be happy to consider
> it.  Generally, though, it seems like a very strange requirement.  I
> can't imagine why you would need to do those operations as different
> users, although I absolutely believe you when you say that you do.
>
> It would be very helpful, so, if you could explain what the root cause
> of that need is.  :)
>
> Daniel
>
> > For more options, visit this group athttp://groups.google.com/group/puppet-users?hl=en.

Daniel Pittman

unread,
Jun 26, 2011, 2:24:48 PM6/26/11
to puppet...@googlegroups.com
Given root can override the DACL, in the absence of SELinux, both
commands could be run as root, no?

Anyway, I am happy to assume that there is some part of the cleanup
process that requires running as the unprivileged user, and which is
not about DACL overrides or whatever; filing a new feature request
would be the next logic step here, so that we capture your needs.

Until then, you are kind of stuck with something like using 'su' to
change UID in one of the commands.

Daniel

Nathan Clemons

unread,
Jun 26, 2011, 7:56:37 PM6/26/11
to puppet...@googlegroups.com
I agree with Daniel... if USER 1 is creating FOLDER 1 which is owned by root... why is COMMAND 1 not being run by the user root?

--
Nathan Clemons
The worlds largest online language learning community



vagn scott

unread,
Jul 2, 2011, 2:59:50 PM7/2/11
to puppet...@googlegroups.com
On 06/26/2011 02:01 PM, ssk1287 wrote:
> Consider the following scenario.
>
> a folder FOLDER 1 which is owned by the root as it should be
> accessible to all users of the system.
>
That's your mistake, right there. If you want a folder
accessible to all users then make it group writable for
some group (FOLDER1_GROUP) and put all the users in that group.

To ensure that this propagates to sub-directories set the SGID bit
on the top directory (and any preexisting sub-directories).
New sub-directories will then inherit the group and the SGID bit.

The commands to do that all run as root.

--
vagn

Reply all
Reply to author
Forward
0 new messages