Bug #3107
Execute() in util.rb does not execute setuid properly on AIX
| Status: | Closed | Start: | 01/25/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | executables | | |
| Target version: | 0.25.6 | | |
| Affected version: | 0.25.3 | Branch: | git@github.com:MarkusQ/puppet.git ticket/0.25.x/3107 |
| Keywords: | cron aix execute | | |
| Votes: | 3 | | |
Description
In lib/puppet/util.rb:
```
297 if arguments[:gid]
298   Process.egid = arguments[:gid]
299   Process.gid = arguments[:gid] unless @@os == "Darwin"
300 end
301 if arguments[:uid]
302   Process.euid = arguments[:uid]
303   Process.uid = arguments[:uid] unless @@os == "Darwin"
```
This does not work on AIX and silently fails due to line 303 returning EPERM (Not Owner). If I swap lines 302 and 303 it works correctly. This currently breaks the cron type on AIX for non-root users, but has an effect when anything on AIX requires execution of something as a different user.
Also,
```
Process::GID.change_privilege(arguments[:gid]) if arguments[:gid]
Process::UID.change_privilege(arguments[:uid]) if arguments[:uid]
```
does the setuid correctly. Perhaps execute should do change_privilege instead of [e]gid=/[e]uid=?
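The silent failure reported above can be turned into a hard error by checking the IDs after the switch. The following is an added example, not code from this ticket or from Puppet; `drop_privileges!`, `root_regainable?` and `run_as` are hypothetical helper names, and supplementary groups are assumed to be handled elsewhere.

```ruby
# Added example, not Puppet's code. All helper names here are hypothetical.

# Permanently switch this process to uid/gid and verify the result, so a
# failed switch raises instead of being silently ignored.
def drop_privileges!(uid, gid)
  # Group first: once the uid is unprivileged, the gid can no longer change.
  Process::GID.change_privilege(gid) if gid
  # change_privilege sets the real and effective IDs together.
  Process::UID.change_privilege(uid) if uid

  if gid && [Process.gid, Process.egid] != [gid, gid]
    raise "gid switch incomplete: real=#{Process.gid} effective=#{Process.egid}"
  end
  if uid && [Process.uid, Process.euid] != [uid, uid]
    raise "uid switch incomplete: real=#{Process.uid} effective=#{Process.euid}"
  end
  # A non-root target must not be able to return to uid 0.
  raise "root can still be regained from uid #{uid}" if uid && uid != 0 && root_regainable?
  true
end

# True if the effective uid can be set back to 0 (a saved root uid was left).
def root_regainable?
  Process::Sys.seteuid(0)
  true
rescue Errno::EPERM
  false
end

# Fork, switch IDs in the child and run the block there. Returns true only
# if the switch was verified and the block finished without raising.
def run_as(uid, gid)
  pid = fork do
    begin
      drop_privileges!(uid, gid)
      yield
      exit!(0)
    rescue StandardError => e
      warn "run_as failed: #{e.class}: #{e.message}"
      exit!(1)
    end
  end
  _, status = Process.wait2(pid)
  status.success?
end
```
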
History
Updated by Markus Roberts 7 months ago
- Status changed from Unreviewed to Investigating
- Target version set to 0.25.5
It appears this would have produced the same results under 0.24.8; any idea why it hasn’t been noticed before?
Updated by Andrew Forgue 7 months ago
It appears this is only an issue on AIX where execute() was called with :uid of something other than root. I think the case where this is used is fairly small and most common to the crontab type, which was fixed only in 0.25.2 on AIX.
Updated by Markus Roberts 7 months ago
- Status changed from Investigating to Accepted
- Assignee set to Jesse Wolfe
That seems reasonable.
Updated by James Turnbull 5 months ago
- Target version changed from 0.25.5 to 0.25.6
Updated by Markus Roberts 4 months ago
- Status changed from Accepted to Ready for Testing
- Assignee deleted (Jesse Wolfe)
- Branch set to git@github.com:MarkusQ/puppet.git ticket/0.25.x/3107
Looking at the docs and the source code in ruby’s process.c library I think that this should work under AIX and also under other supported OSes, but I’ve only tried it under OS X and Linux. Can anyone else give it a whirl?
Updated by Markus Roberts 4 months ago
- Status changed from Ready for Testing to Available In Testing Branch
Updated by James Turnbull 4 months ago
- Status changed from Available In Testing Branch to Closed
Pushed in commit:“3d7168bef36b36b4d399eeefd7dccaec75fd8bc9” in branch 0.25.x
Updated by Markus Roberts 4 months ago
Applied to master in commit:“e82f5de7e66a54712421d96288cc6a2614f53dd7”