Affects Version/s: None
Fix Version/s: PUP 6.5.0
Component/s: Types and Providers
Template:PUP Bug Template
Sprint:Platform Core KANBAN
Method Found:Needs Assessment
Release Notes:Bug Fix
Release Notes Summary:If there is a `validate_cmd` for a File resource, the command will be run with the temporary file after that file has had the final permissions set (on POSIX platforms).
QA Risk Assessment:Needs Assessment
Puppet Version: 5.5.0
Puppet Server Version: NA
OS Name/Version: Linux & Mac OSX confirmed
When the validate_cmd runs, it creates a temporary file; however, the permissions it assigns to this temporary file are not related to the permissions defined on the file type object.
The temporary file used when running the validate command should have the exact same permissions as the file resource it is trying to create, e.g.
with a file type of
the tmp file created should have `foo:bar 0555` permissions
I have observed the following behaviour.
- tmp files are always created with permissions `0600`
- if the file being managed does not exist, the tmp file is owned by root
- if the file being managed exists, the tmp file has the same owner as the file being managed on disk
The following runs a loop to detect how the tmp file is created. The tests use the following manifest file
output when `/tmp/test/test` doesn't exist
output when file exists with correct permissions
output when file exists with incorrect permissions
This causes problems when the validate command drops privileges or needs to run as a specific user. An example of this is using `/usr/lib/quagga/bgpd` to validate quagga files. The command by default drops privileges to the quagga user before reading the config file. If the file is owned by anything other than quagga then the validate command fails.
- Note: the bgpd command does take a user parameter so you can run the tests as the root user. However, bgpd still drops privileges to the root user, and when it does so it does so without `CAP_DAC_OVERRIDE`, meaning that even the root user can only validate files owned by root
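
The ordering described in the release note, as an added Ruby example (not Puppet's own code): the staged file gets its final mode and owner before the validate command runs, and a flag reproduces the reported ordering for comparison. `write_validated`, `perms_before_validate` and `mode_check_cmd` are hypothetical names, and the validator is a constructed stand-in that passes only when the staged file already has the expected mode.

```ruby
require 'rbconfig'
require 'shellwords'
require 'tempfile'
require 'tmpdir'

# Hypothetical helper, not Puppet's implementation. Stages content in a temp
# file beside the target, validates it, then renames it into place.
# '%' in validate_cmd stands for the staged file's path.
def write_validated(path, content, mode:, validate_cmd:, owner: nil, group: nil,
                    perms_before_validate: true)
  tmp = Tempfile.create(File.basename(path), File.dirname(path)) # mode 0600
  tmp.write(content)
  tmp.close
  apply_perms = lambda do
    # owner/group are numeric ids; changing them normally requires root.
    File.chown(owner, group, tmp.path) if owner || group
    File.chmod(mode, tmp.path) # after chown, which can clear setuid/setgid
  end

  apply_perms.call if perms_before_validate
  cmd = validate_cmd.gsub('%') { Shellwords.escape(tmp.path) }
  unless system(cmd)
    File.unlink(tmp.path) # never leave a rejected file behind
    return false
  end
  apply_perms.call unless perms_before_validate
  File.rename(tmp.path, path)
  true
end

# Constructed stand-in for a validator that reads the file as another user:
# it exits 0 only when the staged file already carries the expected mode.
def mode_check_cmd(mode)
  ruby = Shellwords.escape(RbConfig.ruby)
  "#{ruby} -e 'exit(File.stat(ARGV[0]).mode & 0o777 == #{mode} ? 0 : 1)' %"
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    check = mode_check_cmd(0o644)
    [true, false].each do |first| # file names and content below are constructed
      ok = write_validated(File.join(dir, "bgpd-#{first}.conf"), "router bgp 65000\n",
                           mode: 0o644, validate_cmd: check, perms_before_validate: first)
      puts "permissions before validate=#{first}: accepted=#{ok}"
    end
  end
end
```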