Details
Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: PUP 6.3.0
Fix Version/s: None
Environment:

    # facter os
    {
      architecture => "x86_64",
      family => "Darwin",
      hardware => "x86_64",
      macosx => {
        build => "20C69",
        product => "macOS",
        version => {
          full => "11.1.0",
          major => "11.1",
          minor => "0"
        }
      },
      name => "Darwin",
      release => {
        full => "20.2.0",
        major => "20",
        minor => "2"
      }
    }
    # puppet agent --version
    6.3.0
Team: Night's Watch
2
Sprint: NW - 2021-06-16
Needs Assessment
Release Notes: Bug Fix
Release Notes Summary: Fix an issue where user keychains could not be accessed when running the Puppet Agent through the macOS daemon.
Needs Assessment
Description
We have puppet-agent running on macOS 11.1.0. Puppet is added to the Full Disk Access list.
One of the things we have managed by Puppet is running a Python script as some user via an exec resource. The script has the following part:

    contents = subprocess.check_output(['security', 'cms', '-D', '-i', path])

It works fine when run by hand (sudo -u user /my/script.py) and it also works fine when run with sudo puppet agent -t, but fails when puppet-agent is run as a daemon with the following error:

    security: cert import failed: Write permissions error.
    security: problem decoding

While researching the problem, I found an SO post with a similar problem: https://stackoverflow.com/questions/26474949/mac-security-command-needs-write-permissions-when-run-by-daemon. And there was a referenced answer from another SO post: https://stackoverflow.com/questions/6827874/missing-certificates-and-keys-in-the-keychain-while-using-jenkins-hudson-as-cont/9482707#9482707.
I took the advice from the answer and added the following two lines to /Library/LaunchDaemons/com.puppetlabs.puppet.plist:

    <key>SessionCreate</key>
    <true />

And then I ran launchd bootout system/puppet and launchctl bootstrap system /Library/LaunchDaemons/com.puppetlabs.puppet.plist (I'm not really a Mac user, mainly a Linux admin, so maybe the last part was not needed), and after that the script runs fine from puppet-agent running as a daemon.
Please consider adding this modification to the plist for puppet agent packages for Mac (I've checked agent version 7.6.1-1.osx10.15 - the plist looks like the plist for version 6.3.0), or suggest another way of solving that problem.
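The check a fleet admin would want before and after applying the fix above, as an added example that is not part of the ticket or of the puppet-agent package: audit a LaunchDaemon plist for the SessionCreate key and emit a corrected copy. It uses only the standard-library plistlib; the embedded plist is a constructed stand-in for com.puppetlabs.puppet.plist, and the program path in it is a placeholder.

```python
import plistlib

# Constructed sample resembling a puppet-agent LaunchDaemon without the
# SessionCreate key (the state the reporter found). Path is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.puppetlabs.puppet</string>
    <key>ProgramArguments</key>
    <array>
        <string>/path/to/puppet</string>
        <string>agent</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""


def has_session_create(plist_bytes: bytes) -> bool:
    """True only when SessionCreate is present and set to true, i.e. launchd
    will give the daemon its own security session so `security` can reach
    the keychain instead of failing with the write-permissions error."""
    data = plistlib.loads(plist_bytes)
    return data.get("SessionCreate") is True


def add_session_create(plist_bytes: bytes) -> bytes:
    """Return the plist with SessionCreate set to true, keeping every other key.
    Already-correct input is returned unchanged so the audit is idempotent."""
    data = plistlib.loads(plist_bytes)
    if data.get("SessionCreate") is True:
        return plist_bytes
    data["SessionCreate"] = True
    return plistlib.dumps(data)


if __name__ == "__main__":
    print("SessionCreate before:", has_session_create(SAMPLE_PLIST))
    fixed = add_session_create(SAMPLE_PLIST)
    print("SessionCreate after:", has_session_create(fixed))
    # Writing the result back to /Library/LaunchDaemons is not enough on its
    # own: the daemon has to be reloaded (the reporter used bootout/bootstrap).
```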