Bug #3922
Backing up files by md5 and saving them "as user"
| Status: | Duplicate | Start date: | 06/01/2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | ssh | |||
| Target version: | - | |||
| Affected Puppet version: | 0.25.5 | Branch: | ||
| Keywords: | backup clientbucket catalog Ssh_authorized_key | |||
| Votes: | 11 |
Description
I manage user, directories, ssh_authorized_key, … on redhat 4 and 5 boxes with a master and a client with 0.25.5 version. My puppet client runs as root and my maser with the user puppet.
Everything works fine for some of my users, but I got an error with clientbucket directory :
info: Caching catalog for puppet-client info: Applying configuration version '1275367180' notice: //users/My::User[my.user]/Ssh_authorized_key[my.user]/ensure: created err: Could not apply complete catalog: Could not back up /home/my.user/.ssh/authorized_keys: Permission denied - /var/lib/puppet/clientbucket/f notice: Finished catalog run in 3.52 seconds
If I create manualy this directory I got the same error for /var/lib/puppet/clientbucket/f/6 next for /var/lib/puppet/clientbucket/f/6/9… And at the end I have :
[root@monserveur: i386 ]$ puppetd --server my-puppet -t -o info: Caching catalog for puppet-client info: Applying configuration version '1275367180' notice: //users/My::User[my.user]/Ssh_authorized_key[my.user]/ensure: created err: Could not apply complete catalog: Could not back up /home/my.user/.ssh/authorized_keys: Permission denied - /var/lib/puppet/clientbucket/f/6/9/4/9/5/1/7/f6949517cbf4fddfa665d41361f8bce4 notice: Finished catalog run in 3.69 seconds
manifest citation :
ssh_authorized_key { $name:
ensure => $ensure,
type => "dsa",
key => $key,
user => $name,
require => File["/home/$name/.ssh"],
}
With 0.25.3 I didn’t have this issue.
Related issues
History
Updated by James Turnbull almost 2 years ago
- Category set to ssh
- Status changed from Unreviewed to Investigating
- Assignee set to Matt Robinson
Updated by Jason Koppe almost 2 years ago
I’m having a similar issue after an upgrade from puppet 0.25.0 (src/compiled) to puppet-0.25.5-1.el5 (rpm). It’s only happening to a user that has two keys. I changed the target of the second key to target a different file (authorized_keys2) and everything runs fine.
Updated by Al Hoang almost 2 years ago
I am also getting bitten by this behavior on a 0.25.5 installation. Running puppet daemon with lots of debugging (puppetd —debug —verbose —trace —no-daemon) I get the following stack trace:
debug: Flushing ssh_authorized_key provider target /home/foo/.ssh/authorized_keys /usr/lib/ruby/1.8/fileutils.rb:243:in `mkdir' /usr/lib/ruby/1.8/fileutils.rb:243:in `fu_mkdir' /usr/lib/ruby/1.8/fileutils.rb:217:in `mkdir_p' /usr/lib/ruby/1.8/fileutils.rb:215:in `reverse_each' /usr/lib/ruby/1.8/fileutils.rb:215:in `mkdir_p' /usr/lib/ruby/1.8/fileutils.rb:201:in `each' /usr/lib/ruby/1.8/fileutils.rb:201:in `mkdir_p' /usr/lib/ruby/site_ruby/1.8/puppet/network/handler/filebucket.rb:100:in `addfile' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:145:in `withumask' /usr/lib/ruby/site_ruby/1.8/puppet/network/handler/filebucket.rb:93:in `addfile' /usr/lib/ruby/site_ruby/1.8/puppet/network/client/dipper.rb:29:in `backup' /usr/lib/ruby/site_ruby/1.8/puppet/util/filetype.rb:92:in `backup' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:91:in `backup_target' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:97:in `flush_target' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:74:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:72:in `each' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:72:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/provider/parsedfile.rb:356:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:72:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/util/suidmanager.rb:59:in `asuser' /usr/lib/ruby/site_ruby/1.8/puppet/provider/ssh_authorized_key/parsed.rb:72:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/type.rb:752:in `flush' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:94:in `apply' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:247:in `eval_children_and_apply_resource' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark' /usr/lib/ruby/1.8/benchmark.rb:293:in `measure' /usr/lib/ruby/1.8/benchmark.rb:307:in `realtime' /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:246:in `eval_children_and_apply_resource' /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:199:in `eval_resource'
After a bit of tracing this down it seems that it is related to lib/puppet/provider/ssh_authorized_key/parsed.rb in the flush() method interacting with the filebucket during backup. I committed what I consider at temporary fix on a private branch here of 0.25.x here:
http://github.com/hoanga/puppet/tree/bug/0.25.x/3922-ssh_authorized_key
Updated by James Turnbull almost 2 years ago
- Status changed from Investigating to Accepted
- Target version set to 49
Updated by Mark Drayton almost 2 years ago
Is there a workaround for this? I tried applying hoanga’s patch but get:
notice: //users/Account[support]/Ssh_authorized_key[support]/ensure: created
err: Could not apply complete catalog: Could not back up /home/support/.ssh/authorized_keys: Operation not permitted
Can I disable backups entirely? I tried:
File { backup => false }
but this doesn’t seem to affect Ssh_authorized_key :(
Updated by Sylvain Avril almost 2 years ago
I have the same problem with puppet 2.6.1. Playing with permissions, it seem that it try to backup the authorized_keys file in /var/lib/puppet/clientbucket/… as the user specified in ssh_authorized_keys but the permissions on this directory (at least on my system) is 750 with owner root (rwxr-x—–).
If I do a chmod -R a+rwx /var/lib/puppet/clientbucket /var/lib/puppet/clientbucket/5, it run nicely. But at the end of this run, the permissions on theses directories goes back to their old values.
If i try to add a ssh key for user ‘socadm’:
ls -al /var/lib/puppet/clientbucket/5/c
total 16
drwxrwx--- 4 socadm root 4096 aoû 10 15:41 .
drwxrwx--- 6 root root 4096 aoû 9 10:10 ..
drwxrwx--- 3 root root 4096 aoû 10 15:41 1
drwxrwx--- 3 socadm root 4096 jui 30 15:30 e
ls -al /var/lib/puppet/clientbucket/5/c/e
total 12
drwxrwx--- 3 socadm root 4096 jui 30 15:30 .
drwxrwx--- 4 socadm root 4096 aoû 10 15:41 ..
drwxrwx--- 3 socadm root 4096 jui 30 15:30 b
It seem that the only files/directories not owned by root in clientbucket are these used by ssh_authorized_keys (checked it on a system).
Updated by James Turnbull almost 2 years ago
- Affected Puppet version changed from 0.25.5 to 2.6.1rc2
Updated by Sylvain Avril almost 2 years ago
This is perhaps related to commit ae520057280c2454bc44c64ac1e6686bf2eb086d.
“Write ssh_authorized_keys as user
This is a targeted fix to the issue of permissions when writing ssh authorized
key files by 1) requiring that an existing users be specified on the resource
and 2) doing the write as that user. It's based on Michael DeHaan's initial
implementation of Luke's idea, but with a number of simplifications (mostly by
testing necessary conditions as early as possible so the code isn't cluttered
up with a lot of checks).
The tests in this version are modified slightly to remove some additional
implementation couplings that were added in master."
Updated by Markus Roberts almost 2 years ago
- Target version changed from 49 to 52
- Affected Puppet version changed from 2.6.1rc2 to 0.25.5
Changing the affected version to 0.25.5 because that’s where the bug appeared, and setting the target to queued since by policy the fix should arguably go on 2.7.0.
Updated by Matt Robinson over 1 year ago
- Assignee deleted (
Matt Robinson)
Removing my name from this since I never actually worked on it. Looks like something that was assigned to me without knowing it one of my first weeks at Puppet.
Updated by Rick Garcia over 1 year ago
I am having the same issue using puppet-2.6.1-0.6.el5:
err: /Stage[main]/Auth::Users/Ssh_authorized_key[rick]: Could not evaluate: Could not back up /home/rick/.ssh/authorized_keys: Permission denied – /var/lib/puppet/clientbucket/2
Cheers,
-Rick
Updated by Rick Garcia over 1 year ago
FWIW, I don’t think that backing up a copy of the old authrized_keys file is important… as long as maybe a diff can be shown in the output when the file is replaced… which is the same behavior that is shown when a custom fact is overwritten by pluginsync.
i think the fix is to remove the clientbucket backup of authorized_keys. i think that keeping an old public key hanging around is a security risk anyway, regardless if the file owned by the original owner of the original authorized_key file.
thoughts?
-Rick
Updated by Simon Effenberg over 1 year ago
I have the same problem with 2.6.1 and the problem here is:
there is a /etc/skel/.ssh/authorized_keys so when i create a new user: user { paul: } and he has a ssh_authroized_key { “paul@local”: } then a filebucket saves the authorized_keys, which was copied during useradd from skel, as user paul..
now creating a second user: user { pete: } with an ssh_authorized_key {} then a filebucket, using the same md5 hash (its the same empty file) tries to save the old authorized_keys as user pete but can’t save it because there is an existing one owned by paul.. if i change the content of /home/pete/.ssh/authorized_keys with something stupid like “# xxxxxxxxxxxxxxxxx” then the next puppet run works and backup the file as user pete..
so the main question for me is, is the design to backup files only on there md5 hash really a good idea? I don’t know much about the usage of filebucket but when more then one file can be saved within a md5 hash based directory (like for the one with empty files) then only one user should be used to create/update these files.. and if not more than one file can be saved within one md5 hash then especially emtpy files will be a pain when creating all the files as the origin owned user..
Updated by Markus Roberts over 1 year ago
- Subject changed from Ssh_authorized_key "Could not apply complete catalog: Could not back up" to Backing up files by md5 and saving them "as user"
- Status changed from Accepted to Duplicate
This was fixed in 2.6.2 as #4267.
Updated by James Turnbull over 1 year ago
- Target version deleted (
52)