[PUP-5334] Puppet can't remove users from groups in OSX. Created: 2015/10/06  Updated: 2018/05/21

Status: Accepted
Project: Puppet
Component/s: None
Affects Version/s: PUP 4.2.2
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: William Hopper Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: group, macos, macos-parity, type_and_provider, user
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OSX 10.10, at least.


Issue Links:
Relates
relates to PUP-6285 Puppet fails to restore a group key v... Accepted
Team: Platform OS
Story Points: 1

Description

When specifying members of a group in OSX, users can be added successfully, but not removed.

lyokd3cqy68n68o:~ root# puppet apply -e "group { 'group_a': members => ['test1','test2','test3'] }"
Notice: Compiled catalog for lyokd3cqy68n68o.delivery.puppetlabs.net in environment production in 0.36 seconds
Notice: /Stage[main]/Main/Group[group_a]/ensure: created
Notice: Applied catalog in 0.32 seconds
 
lyokd3cqy68n68o:~ root# puppet resource group group_a
group { 'group_a':
  ensure  => 'present',
  gid     => '23',
  members => ['test1', 'test2', 'test3'],
}
 
lyokd3cqy68n68o:~ root# puppet apply -e "group { 'group_a': members => ['test1','test2'] }"
Notice: Compiled catalog for lyokd3cqy68n68o.delivery.puppetlabs.net in environment production in 0.35 seconds
Notice: /Stage[main]/Main/Group[group_a]/members: members changed 'test1,test2,test3' to 'test1,test2'
Notice: Applied catalog in 0.07 seconds
 
lyokd3cqy68n68o:~ root# puppet resource group group_a
group { 'group_a':
  ensure  => 'present',
  gid     => '23',
  members => ['test1', 'test2', 'test3'],
}

From GitHub, ccaviness reports that this is not a problem in OSX 10.11 on Puppet 3.8.2, so this is potentially a regression:

@whopper I can remove users from groups just fine:
 
fox:~ root# puppet resource group remove
group { 'remove':
  ensure  => 'present',
  gid     => '23',
  members => ['root', 'daemon', 'crc'],
}
fox:~ root# puppet apply
group { 'remove':
  ensure  => 'present',
  members => ['root', 'daemon'],
}
Notice: Compiled catalog for 045627f2-3d66-46b1-95bc-1bc74154e1d3 in environment gmac_unstable in 0.58 seconds
Notice: /Stage[main]/Main/Group[remove]/members: members changed 'root,daemon,crc' to 'root,daemon'
Notice: Finished catalog run in 0.30 seconds
fox:~ root# puppet resource group remove
group { 'remove':
  ensure  => 'present',
  gid     => '23',
  members => ['root', 'daemon'],
}
This is on OS X 10.11 and (patched with this PR) puppet 3.8.2.



Comments
Comment by William Hopper [ 2015/10/12 ]

Trying to do this with a user resource doesn't seem to work either:

p4k5w6a8xbrr9e3:~ root# puppet apply -e "user { 'test1': groups => ['wheel'], membership => inclusive, }"
Notice: Compiled catalog for p4k5w6a8xbrr9e3.delivery.puppetlabs.net in environment production in 0.35 seconds
Notice: /Stage[main]/Main/User[test1]/groups: groups changed 'group_a,wheel' to ['wheel']
Notice: Applied catalog in 6.40 seconds
 
p4k5w6a8xbrr9e3:~ root# puppet resource user test1
user { 'test1':
  ensure     => 'present',
  comment    => 'test1',
  gid        => '20',
  groups     => ['group_a', 'wheel'],
  home       => '/Users/test1',
  iterations => '39215',
  shell      => '/bin/bash',
  uid        => '28',
}

This seems to be due to the group provider not being authoritative when trying to add / remove users to groups. However, the directoryservice user provider doesn't handle removal of groups either.

Comment by Josh Cooper [ 2015/10/15 ]

We'd need the directoryservice group provider to check the auth_membership parameter like we do on Windows:
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/group/windows_adsi.rb#L30-L34 to determine whether the members should contain at least the desired values specified, or the complete set. However, the real issue is in the provider in that it doesn't know to remove the members that are in current but not should.

Comment by Clay Caviness [ 2016/06/23 ]

This is actually pretty important; if an unwanted user is added to a group that controls local administrator/root access (admin), puppet will not fix things properly.

Comment by Clay Caviness [ 2016/06/23 ]

If I change https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/nameservice/directoryservice.rb#L343 from:

remove_unwanted_members(current_members, value) if @resource[:auth_membership] and not current_members.nil?

to

remove_unwanted_members(current_members, value) if not current_members.nil?

then the resource applies successfully, and the extra group members are removed.

But I have no idea what the :auth_membership parameter's supposed to be doing.

Comment by Clay Caviness [ 2016/06/23 ]

Ok, I had no idea group even had an auth_membership attribute. I've never set it before.

If I add auth_membership => true to a group resource, it clears unwanted members correctly.

So the bug, I guess, is that without auth_membership there's a spurious notice of an attempted change.

Comment by Josh Cooper [ 2016/06/23 ]

The naming and description of that parameter is horrible, eg. DOCUMENT-356. But yes you're absolutely right, auth_membership => true will remove any current member that isn't specified in the manifest. If false it will only add members to the group.

I agree the bug is as you say.
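
As an added illustration of the semantics described in the 2015/10/15 and 2016/06/23 comments above (this is not Puppet's own code, nor code posted by anyone in this thread): a small Ruby model of how a group provider reconciles the `members` property under the two meanings of `auth_membership`, plus a third path that reproduces the original report, where the property is judged out of sync (so "members changed" is logged) but only additions are applied. The class and method names are hypothetical, and the member lists are taken from the examples in the ticket.

```ruby
# Added example (not Puppet's code): a model of the `members` reconciliation
# discussed in PUP-5334, under both meanings of `auth_membership`.
#
#   auth_membership => false  members is a minimum set: add missing members,
#                             never remove, and a superset counts as in sync
#   auth_membership => true   members is the complete set: add missing and
#                             remove unwanted members
#
# `buggy_sync` reproduces the behaviour in the original report: the
# out-of-sync check behaves as if membership were authoritative, but the
# sync path never removes anyone, so the unwanted member survives.

require 'set'

class GroupMembers   # hypothetical name, stands in for a provider's state
  attr_reader :current

  def initialize(current)
    @current = current.to_set
  end

  # Mirrors a property's insync? check. With auth_membership the current set
  # must equal `should` exactly; without it, `should` only has to be a
  # subset of the current members.
  def insync?(should, auth_membership:)
    should = should.to_set
    auth_membership ? current == should : should.subset?(current)
  end

  # Computes the change that would be applied: members to add and members to
  # remove. Removals happen only when auth_membership is set.
  def plan(should, auth_membership:)
    should = should.to_set
    {
      add:    (should - current).to_a.sort,
      remove: auth_membership ? (current - should).to_a.sort : [],
    }
  end

  # Applies the plan and returns the resulting (sorted) member list.
  def sync(should, auth_membership:)
    p = plan(should, auth_membership: auth_membership)
    @current = (current | p[:add]) - p[:remove]
    current.to_a.sort
  end

  # The reported bug: an authoritative insync? check paired with a
  # non-authoritative sync. Returns [logged notice or nil, members after].
  def buggy_sync(should)
    before = current.to_a.sort
    notice = nil
    unless insync?(should, auth_membership: true)
      notice = "members changed '#{before.join(',')}' to '#{should.sort.join(',')}'"
    end
    after = sync(should, auth_membership: false)
    [notice, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the reporter's group_a with test3 to be removed.
  notice, after = GroupMembers.new(%w[test1 test2 test3]).buggy_sync(%w[test1 test2])
  puts "buggy:   #{notice.inspect} -> #{after.inspect}"
  fixed = GroupMembers.new(%w[test1 test2 test3]).sync(%w[test1 test2], auth_membership: true)
  puts "auth:    #{fixed.inspect}"
end
```

With `auth_membership: false` the model treats `['test1','test2','test3']` as already in sync with `['test1','test2']`, so no notice is logged and nothing is removed; with `auth_membership: true` it removes `test3`. The `buggy_sync` path logs the same "members changed" notice shown in the description while leaving the group unchanged, which is the mismatch the last two comments identify as the actual bug.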

Generated at Wed Jul 17 05:45:20 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.