Puppet / PUP-9337

Puppet sets permissions for Puppet files every run

    Details

    • Template:
      PUP Bug Template
    • Acceptance Criteria:
      Patched back to 5.5.
      Manual testing (recommend Functional Review).
      Work involved: Code (change), maaaaaybe docs
    • Team:
      Skeletor
    • Story Points:
      1
    • Sprint:
      Platform OS Kanban, Skeletor Kanban, Skeletor Kanban
    • Method Found:
      Customer Feedback
    • CS Priority:
      Major
    • Zendesk Ticket IDs:
      32929,32969,33091,33124,33126,33181,33410,33732,33886,33925,34080,34309,34367,34392,34426,34455,34555,34784,35321,35693
    • Zendesk Ticket Count:
      20
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet will now treat owner and group on the file resource as in-sync in the following scenario:

      * owner and group are not set in the resource
      * owner and/or group are set to the SYSTEM user on the running node.
      * the SYSTEM user ACE is set to Full Control

      Puppet will allow users to explicitly configure the SYSTEM user with less than FullControl by setting the owner and/or group parameters to 'SYSTEM' in the file resource (i.e., if owner and/or group are set to 'SYSTEM', Puppet will _not_ munge permissions to FullControl). In this case Puppet will emit a warning, since setting SYSTEM to less than FullControl may have unintended consequences.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 2018.1.5, 2019.0.1
      OS Name/Version: Windows 2012 R2, 2016, 2019

      File permissions for Puppet files are being set to the same value every run:

      Resource: File[C:\ProgramData/PuppetLabs/puppet/cache/state/package_inventory_enabled]
        File: /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/agent.pp Line: 89
        Event: Corrective change
        Changed from: 0674
        Changed to: 664

      Resource: File[C:\ProgramData/PuppetLabs/pxp-agent/etc/pxp-agent.conf]
        File: /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/pxp_agent.pp Line: 105
        Event: Corrective change
        Changed from: 0670
        Changed to: 660

      This seems to target package_inventory_enabled most frequently. Every run the permission is set from 0674 to 0664, which would seem to correspond with documentation requirements (https://puppet.com/docs/puppet/6.0/resources_file_windows.html#how-nix-modes-map-to-windows-permissions):

      The group can’t have higher permissions than the owner. Other users can’t have higher permissions than the owner or group. (That is, 0640 and 0755 are supported, but 0460 is not.)

      However the next agent run shows the value has reverted and needs to be set again. It appears that removing the file often - but not always - resolves the issue.
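
The behaviour in the Release Notes Summary, modelled against the two rows reported above, as an added Ruby example that is not Puppet's implementation. It assumes SYSTEM's FullControl ACE is read back as 7 in the mode digit SYSTEM occupies; the `Administrators` owner, the SYSTEM group and every function and constant name are constructed for illustration.

```ruby
# Illustrative model only; not Puppet's code.
# Assumption: SYSTEM's FullControl ACE reads back as rwx (7) in whichever
# POSIX-style digit (owner or group) SYSTEM occupies on the file.
SYSTEM = 'SYSTEM'
SLOTS  = { owner: 0o700, group: 0o070 }.freeze

# current/desired: integer modes. holders: account currently in each slot.
# managed: owner/group as set in the file resource (nil when not set).
# Returns [in_sync, warnings].
def mode_in_sync?(current, desired, holders:, managed: {})
  warnings  = []
  effective = current
  SLOTS.each do |slot, mask|
    next unless holders[slot] == SYSTEM
    if managed[slot] == SYSTEM
      # Explicitly managed as SYSTEM: compare the real bits, warn if below 7.
      warnings << "#{slot} SYSTEM below FullControl" if (desired & mask) != mask
      next
    end
    next unless managed[slot].nil?        # managed as another account
    next unless (current & mask) == mask  # SYSTEM ACE is not FullControl
    # Unmanaged SYSTEM with FullControl: ignore this digit in the comparison.
    effective = (effective & ~mask) | (desired & mask)
  end
  [effective == desired, warnings]
end

# Constructed inputs using the modes from the two reported rows.
REPORTED = [
  { current: 0o674, desired: 0o664 },  # package_inventory_enabled
  { current: 0o670, desired: 0o660 }   # pxp-agent.conf
].freeze

# Evaluates both reported rows with SYSTEM assumed to be the file's group.
def reported_results(managed: {})
  REPORTED.map do |row|
    mode_in_sync?(row[:current], row[:desired],
                  holders: { owner: 'Administrators', group: SYSTEM },
                  managed: managed)
  end
end
```

With `managed: { group: SYSTEM }` the same rows are reported out of sync and carry the warning, which is the explicit opt-out the release note describes.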

              People

              Assignee:
              Unassigned
              Reporter:
              paul.schaffer Paul Schaffer