  1. Puppet
  2. PUP-1258

Puppet should be filesystem ACL aware / do not manage mode unless explicitly present

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.3.2
    • Fix Version/s: None
    • Component/s: Types and Providers
    • Labels:
      None

      Description

      Puppet should be aware of when filesystem ACLs are present on a file, and behave just slightly differently on said files.

      I've seen other feature requests asking to support filesystem ACLs and this isn't that. It'll be best to explain with an example scenario.

      Let's say you have the file '/foo/bar' with an ACL 'mask::rwx' and 'group::r-x'.
      Now let's also say you have the resource

      file {'/foo/bar': mode => '0755'}
      

      When you do a `stat` call to get the permissions of the file, they're going to show up as '0775', even though the group does not have write permission. Because of this, puppet is going to go and do a `chmod 0755` on the file, which will change the ACL mask to 'mask::r-x'. Not the intended result.

      Now you might argue that you shouldn't manage the file permissions with a file resource if the file has an ACL on it. And I'm on the fence whether this is the proper answer. However, there's another scenario where you might do

      file {'/foo': ensure => directory, recurse => true, mode => '0755'}
      

      and it goes and screws up the ACL of any files in that directory.

      While I think full ACL support is another matter entirely, I think that when puppet makes the `stat` call to get the permissions on the file, if it detects the file has an ACL on it, it should inspect the permissions with `getfacl`, and adjust them with `setfacl` if necessary (again, only for the primary user/group/other attributes, not full ACL support).

      The only other solution I can think of is for puppet to get full ACL support, and when puppet detects a file with an ACL on it, it creates a `facl` resource to manage the permissions instead of the file type managing the permission itself.
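
      The stat/mask interaction described in the report above, as an added example that is not part of the original issue and is not Puppet's code. It models the ACL from constructed `getfacl` output; the named user `alice` and all function names are assumptions made for illustration.

```ruby
# Added example, not Puppet code. Models how a POSIX ACL maps onto mode bits.
# Constructed getfacl output for /foo/bar; the named user "alice" is an assumption.
SAMPLE_GETFACL = <<~ACL
  # file: foo/bar
  user::rwx
  user:alice:rwx
  group::r-x
  mask::rwx
  other::r-x
ACL

# "r-x" -> 5
def perm_bits(str)
  str.chars.each_with_index.sum { |c, i| c == '-' ? 0 : (4 >> i) }
end

# Parse getfacl text into { [tag, qualifier] => bits }, skipping comments.
def parse_acl(text)
  text.each_line.with_object({}) do |line, acl|
    entry = line.sub(/#.*/, '').strip
    next if entry.empty?
    tag, qualifier, perms = entry.split(':', 3)
    acl[[tag, qualifier]] = perm_bits(perms[0, 3])
  end
end

# Mode as stat reports it: with an ACL mask present, the group bits show the mask.
def stat_mode(acl)
  group_class = acl[['mask', '']] || acl[['group', '']]
  (acl[['user', '']] << 6) | (group_class << 3) | acl[['other', '']]
end

# Mode the owning group really gets: group:: limited by the mask.
def effective_mode(acl)
  group = acl[['group', '']] & (acl[['mask', '']] || 7)
  (acl[['user', '']] << 6) | (group << 3) | acl[['other', '']]
end

# chmod on a file with a mask rewrites the mask, not group::.
def chmod(acl, mode)
  group_key = acl.key?(['mask', '']) ? ['mask', ''] : ['group', '']
  acl.merge(['user', ''] => (mode >> 6) & 7, group_key => (mode >> 3) & 7,
            ['other', ''] => mode & 7)
end

# Rights of a named entry after the mask is applied.
def effective_named(acl, tag, name)
  acl[[tag, name]] & (acl[['mask', '']] || 7)
end
```

      Comparing the desired mode against `effective_mode` instead of `stat_mode` reports 0755 for this file, so no `chmod` would be issued and the mask, and with it the named entry's write access, would be left alone.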

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  phemmer Patrick Hemmer
                  QA Contact:
                  Narmadha Perumal
                • Votes:
                  11
                  Watchers:
                  15