Puppet custom functions and user permissions
I am busy writing a custom function to automatically add OSSEC agents to an OSSEC server after installation. Unfortunately, it seems that puppetmasterd is not respecting the entries in /etc/group in Linux. No matter how many other groups the puppet user has been added to in /etc/group, when puppetmasterd runs the custom function the effective/real user always only has the puppet group.
An example:
    module Puppet::Parser::Functions
      newfunction(:ossec_client_key, :type => :rvalue) do |args|
        # Check if a key for the fqdn already exists
        fqdn = lookupvar('fqdn')
        ip = lookupvar('ipaddress')

        fout = File.open("/home/puppet/ossec_client_key.log", 'w')
        fout.puts "ossec_client_key executed with: " + fqdn + ":" + ip

        # Record who the shell commands and the Ruby process run as
        userid = `id`.chomp
        fout.puts "Shell commands run as: " + userid
        fout.puts "Ruby effective uid: " + Process.euid.to_s

        # Note: fqdn and ip are facts interpolated unquoted into shell commands;
        # validate them before this runs on a production master.
        key = `cat /var/ossec/etc/client.keys | egrep #{fqdn}`
        fout.puts File.executable?("/var/ossec/contrib/ossec-batch-manager.pl")
        fout.close

        # If it does not exist, add the fqdn to ossec with ip
        unless $?.success?
          output = `/var/ossec/contrib/ossec-batch-manager.pl -a -n #{fqdn} -ip #{ip}`
        end

        # Now extract the key for the fqdn from ossec
        # (strip the trailing newline so it does not end up inside the next command)
        agent_id = `cat /var/ossec/etc/client.keys | egrep #{fqdn} | awk '{print $1}'`.strip
        key = `/var/ossec/contrib/ossec-batch-manager.pl -e #{agent_id}`.chomp

        unless $?.success?
          raise Puppet::ParseError, "Could not retrieve key for: " + fqdn
        end

        return key
      end
    end
Output in ossec_client_key.log:
    Shell commands run as: uid=1004(puppet) gid=1002(puppet) groups=0(root)
    Ruby effective uid: 1004
    false
When I run the same command directly via ruby using:
sudo -u puppet ruby ...
I get:
    Shell commands run as: uid=1004(puppet) gid=1002(puppet) groups=1001(ossec),1002(puppet)
    Ruby effective uid: 1004
    true
Is this a bug or intended behaviour? If it is intended behaviour can
anyone explain why?
Thanks
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
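The groups=0(root) in the first log is what a process that started as root shows when it switches uid/gid without re-initialising its supplementary groups via initgroups(3): /etc/group is never consulted, so the ossec membership is absent. As an added example (not from the original post), the Ruby below parses `id` output like the two lines above to report which required groups the process is missing, and shows the privilege-drop order that would carry the /etc/group memberships over; drop_privileges is an illustrative helper, not Puppet's own code.

```ruby
require 'etc'

# The two `id` lines from the log above, joined back onto one line each.
ID_FROM_MASTER = "uid=1004(puppet) gid=1002(puppet) groups=0(root)"
ID_FROM_SUDO   = "uid=1004(puppet) gid=1002(puppet) groups=1001(ossec),1002(puppet)"

# Parse one line of `id` output into { uid:, gid:, groups: } using the
# names in parentheses, e.g. groups=1001(ossec),1002(puppet) -> ["ossec", "puppet"].
def parse_id(line)
  uid = line[/uid=\d+\(([^)]+)\)/, 1]
  gid = line[/gid=\d+\(([^)]+)\)/, 1]
  groups = line[/groups=(\S+)/, 1].to_s.scan(/\d+\(([^)]+)\)/).flatten
  { uid: uid, gid: gid, groups: groups }
end

# Which of the required groups does this process hold neither as primary
# nor as supplementary group? Empty array means every required group is present.
def missing_groups(id_line, required)
  info = parse_id(id_line)
  held = info[:groups] + [info[:gid]]
  required - held
end

# Illustrative privilege drop for a daemon started as root (assumed helper).
# initgroups must run while still root and before setgid/setuid; skipping it
# leaves the process with root's supplementary groups, as in the first log.
def drop_privileges(user)
  pw = Etc.getpwnam(user)
  Process.initgroups(user, pw.gid)   # load supplementary groups from /etc/group
  Process::Sys.setgid(pw.gid)
  Process::Sys.setuid(pw.uid)
end

if __FILE__ == $0
  [ID_FROM_MASTER, ID_FROM_SUDO].each do |line|
    missing = missing_groups(line, ['ossec'])
    puts "#{line}\n  missing: #{missing.empty? ? 'none' : missing.join(',')}"
  end
end
```

Running the check from inside the function (on the live `id` output) gives a clear log message instead of a silent permission failure when the master has not initialised groups.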
Silviu Paragina
2009-Nov-27 17:47 UTC
Re: [Puppet Users] Puppet custom functions and user permissions
Try the dev group ;) You have far better chances getting an answer from there.

Silviu

On 25.11.2009 11:35, symfrog wrote: