Puppet / PUP-11081

Puppet agent lacks access to user keychains on macOS


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 6.3.0
    • Fix Version/s: PUP 6.23.0, PUP 7.8.0
    • Component/s: None
    • Environment:
    • Template:
      PUP Bug Template
    • Acceptance Criteria:
      No manual alteration of the plist is required for running security-related programs as other users.
    • Team:
      Night's Watch
    • Story Points:
      2
    • Sprint:
      NW - 2021-06-16
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Fix an issue where user keychains could not be accessed when running the Puppet Agent through the macOS daemon.
    • QA Risk Assessment:
      Needs Assessment

      Description

      We have puppet-agent running on macOS 11.1.0. Puppet is added to the Full Disk Access list.

      One of the things we have managed by Puppet is running a Python script as some user via an exec resource. The script has the following part:

      import subprocess

      # Decode a CMS message with the macOS `security` tool
      contents = subprocess.check_output(['security', 'cms', '-D', '-i', path])
      

      It works fine when run by hand (sudo -u user /my/script.py) and it also works fine when run with sudo puppet agent -t, but fails when puppet-agent is run as a daemon with the following error:

      security: cert import failed: Write permissions error.
      security: problem decoding
      

      While researching the problem, I found an SO post with a similar problem: https://stackoverflow.com/questions/26474949/mac-security-command-needs-write-permissions-when-run-by-daemon. It referenced an answer from another SO post: https://stackoverflow.com/questions/6827874/missing-certificates-and-keys-in-the-keychain-while-using-jenkins-hudson-as-cont/9482707#9482707.

      I took advice from the answer and added the following two lines to /Library/LaunchDaemons/com.puppetlabs.puppet.plist:

              <key>SessionCreate</key>
              <true />
      

      Then I ran launchd bootout system/puppet and launchctl bootstrap system /Library/LaunchDaemons/com.puppetlabs.puppet.plist (I'm not really a Mac user, mainly a Linux admin, so maybe the last part was not needed), and after that the script runs fine from puppet-agent running as a daemon.

      Please consider adding this modification to the plist for the Puppet agent packages for Mac (I've checked agent version 7.6.1-1.osx10.15; its plist looks like the plist for version 6.3.0), or suggest another way of solving that problem.
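The plist change the reporter describes, as an added example that is not code from the Puppet project or from this ticket: it reads a LaunchDaemon plist with plistlib, reports whether SessionCreate is already true, and adds the key idempotently so the fix can be checked and applied without hand-editing. The embedded plist is a constructed sample; its label and program path are assumptions, not the packaged file.

```python
import plistlib

# Constructed minimal LaunchDaemon plist (label and program path are assumptions).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.puppetlabs.puppet</string>
    <key>ProgramArguments</key>
    <array>
        <string>/opt/puppetlabs/bin/puppet</string>
        <string>agent</string>
        <string>--no-daemonize</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def has_session_create(plist_bytes: bytes) -> bool:
    """True when the daemon gets its own security session (SessionCreate = true)."""
    return plistlib.loads(plist_bytes).get("SessionCreate") is True


def ensure_session_create(plist_bytes: bytes) -> bytes:
    """Return the plist with SessionCreate set to true.

    Bytes are returned unchanged when the key is already true, so the
    function can be run repeatedly (e.g. from a config-management check).
    """
    data = plistlib.loads(plist_bytes)
    if data.get("SessionCreate") is True:
        return plist_bytes
    data["SessionCreate"] = True
    return plistlib.dumps(data)  # XML plist, keys sorted


if __name__ == "__main__":
    # For the real file: read /Library/LaunchDaemons/com.puppetlabs.puppet.plist,
    # write the result back, then bootout and bootstrap the daemon with launchctl
    # so launchd picks up the new key.
    fixed = ensure_session_create(SAMPLE_PLIST)
    print("SessionCreate set:", has_session_create(fixed))
```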

            People

            Assignee:
            gabriel.nagy Gabriel Nagy
            Reporter:
            tiandrey Andrey Tikhonov