Bug #4192
Puppet changes permissions on /var/run, causing security spam every night from OpenBSD
| Status: | Investigating | Start date: | 07/09/2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | - | |||
| Target version: | 2.7.x | |||
| Affected Puppet version: | 0.25.4 | Branch: | ||
| Keywords: | ||||
| Votes: | 0 |
Description
Puppet wants /var/run to be mod 1777 on OpenBSD, but it’s mod 755:
debug: /File[/var/run]: Changing mode debug: /File[/var/run]: 1 change(s) debug: /File[/var/run]/mode: mode changed '755' to '1777'
I’m not really certain why puppet cares about that folder’s permissions. Someone on IRC claimed this didn’t happen on Linux, however on my Linux boxes my /var/run is mod 1777.
The end result of this is that the security reports from OpenBSD come in every night, when they should only be coming in when there is a security problem.
History
Updated by James Turnbull over 1 year ago
- Status changed from Unreviewed to Investigating
- Assignee set to Matt Robinson
- Target version set to 2.7.x
Updated by Joe McDonagh over 1 year ago
This is getting more and more annoying, I looked at the code and removed managing rundir from it, because I can’t think of a good reason to manage this directory anyways. Here is the patch.
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 318ff41..7431b0d 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -24,11 +24,6 @@ module Puppet
this directory can be removed without causing harm (although it
might result in spurious service restarts)."
},
- :rundir => {
- :default => Puppet.run_mode.run_dir,
- :mode => 01777,
- :desc => "Where Puppet PID files are kept."
- },
:genconfig => [false,
"Whether to just print a configuration to stdout and exit. Only makes
sense when used interactively. Takes into account arguments specified
Updated by Todd Zullinger over 1 year ago
For reference, we talked about this a little on puppet-dev a while back, as we didn’t want the 1777 perms in the Fedora/EPEL packages. http://groups.google.com/group/puppet-dev/browse_thread/thread/d75819c3f4f7f37c/
Thinking about this a little more, would it be reasonable to make an install option to enable/disable this? That way it would be easier for packagers and other folks building from source to get the desired behaviour without each of us patching defaults.rb.
Updated by James Turnbull over 1 year ago
Perhaps something like the manageinternalpermissions option?
Updated by Todd Zullinger over 1 year ago
Perhaps. I was thinking of an install-time option instead of runtime because it seems like a once and done sort of thing. That, and if it’s needed in a config file, it makes updating rpm packages a little funny, since anyone that has modified the stock config won’t get the the updated config option automatically. We could add it manually to the puppet command line in the init script in that case, but that feels wrong.
(I’ve got no problem continuing to patch the defaults in the Fedora/EPEL packages. Just figure that if we can come up with a solution that works for more distros/systems/users, all the better.)
Updated by Matt Robinson over 1 year ago
- Assignee deleted (
Matt Robinson)