Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-11081

Puppet agent lacks access to user keychains on macOS



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • PUP 6.3.0
    • PUP 6.23.0, PUP 7.8.0
    • None
    • Hide

      No manual alterations of plist is required for running security-related programs as other users.

      No manual alterations of plist is required for running security-related programs as other users.
    • Night's Watch
    • 2
    • NW - 2021-06-16
    • Needs Assessment
    • Bug Fix
    • Fix an issue where user keychains could not be accessed when running the Puppet Agent through the macOS daemon.
    • Needs Assessment


      We have puppet-agent running on macOS 11.1.0. Puppet is added to Full Disk Access list.

      One of things we have managed by Puppet is running a python script as some user via exec resource. The script has the following part:

      contents = subprocess.check_output(['security', 'cms', '-D', '-i', path])

      It works fine when run by hand (sudo -u user /my/script.py) and it also works fine when run with sudo puppet agent -t, but fails when puppet-agent is run as daemon with the following error:

      security: cert import failed: Write permissions error.
      security: problem decoding

      While researching the problem, I found SO post with similar problem: https://stackoverflow.com/questions/26474949/mac-security-command-needs-write-permissions-when-run-by-daemon. And there was referenced answer from another SO post: https://stackoverflow.com/questions/6827874/missing-certificates-and-keys-in-the-keychain-while-using-jenkins-hudson-as-cont/9482707#9482707.

      I took advice from the answer and added the following two lines to /Library/LaunchDaemons/com.puppetlabs.puppet.plist:

              <true />

      And then I run launchd bootout system/puppet and launchctl bootstrap system /Library/LaunchDaemons/com.puppetlabs.puppet.plist (I'm not really a Mac user, mainly Linux admin, so maybe the last part was not needed), and after that the script runs fine from puppet-agent running as a daemon.

      Please consider adding this modification to plist for puppet agent packages for Mac (I've checked agent version 7.6.1-1.osx10.15 - plist looks like plist for version 6.3.0), or suggest another way of solving that problem.




            gabriel.nagy Gabriel Nagy
            tiandrey Andrey Tikhonov
            0 Vote for this issue
            4 Start watching this issue



              Zendesk Support