CFEngine Community / CFE-2315

Should be able to set sgid at the same time as specifying ownership for a non root user and group

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.3
    • Component/s: Promise type: files
    • Labels:
      None
    • Platform:
      Linux
    • Steps to reproduce:
      Acceptance/unit test attached

      Description

      I am unable to setgid when I am also setting ownership to a non root user and group.

      This worked on 3.6.2:

      <pre>
      bundle agent main
      {
        vars:
          "users_and_groups" slist => { "oracle", "dba", "dbaoper" };

        users:
          "$(users_and_groups)"
            policy => "present",
            comment => "Easy way to get users with groups named after them";

        vars:
          "ora_dirs" slist => { "dbs1", "dbs2", "dbs3", "dbs4", "dbs5", "dbs6", "rman", "shared" };

        files:
          "/oracle/."
            perms => mog("2755", "oracle", "dba"),
            create => "true";

          "/oracle/exports/."
            perms => mog("2771", "oracle", "dbaoper"),
            create => "true";

          "/oracle/$(ora_dirs)/."
            create => "true",
            perms => mog("2750", "oracle", "dba");

          "/oracle/archlogs/."
            create => "true",
            perms => mog("2770", "oracle", "dba");

          "/oracle/dbatemp/."
            create => "true",
            perms => mog("2775", "oracle", "dba");

          "/oracle/dba/."
            create => "true",
            perms => mog("2751", "oracle", "dba");
      }
      </pre>

      <pre>
      [root@hub masterfiles]# cf-agent -V
      CFEngine Core 3.6.2
      CFEngine Enterprise 3.6.2

      [root@hub masterfiles]# cf-agent -KIf ./promises.cf -b main
      2016-03-16T13:37:28+0000 info: Using command line specified bundlesequence
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Created directory '/oracle/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Owner of '/oracle' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Group of '/oracle' was 0, setting to 502
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Object '/oracle' had permission 0755, changed it to 2755
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Created directory '/oracle/exports/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Owner of '/oracle/exports' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Group of '/oracle/exports' was 502, setting to 503
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Object '/oracle/exports' had permission 2755, changed it to 2771
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs1/.'[0]: Created directory '/oracle/dbs1/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs1/.'[0]: Owner of '/oracle/dbs1' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs1/.'[0]: Object '/oracle/dbs1' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs2/.'[1]: Created directory '/oracle/dbs2/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs2/.'[1]: Owner of '/oracle/dbs2' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs2/.'[1]: Object '/oracle/dbs2' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs3/.'[2]: Created directory '/oracle/dbs3/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs3/.'[2]: Owner of '/oracle/dbs3' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs3/.'[2]: Object '/oracle/dbs3' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs4/.'[3]: Created directory '/oracle/dbs4/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs4/.'[3]: Owner of '/oracle/dbs4' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs4/.'[3]: Object '/oracle/dbs4' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs5/.'[4]: Created directory '/oracle/dbs5/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs5/.'[4]: Owner of '/oracle/dbs5' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs5/.'[4]: Object '/oracle/dbs5' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs6/.'[5]: Created directory '/oracle/dbs6/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs6/.'[5]: Owner of '/oracle/dbs6' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs6/.'[5]: Object '/oracle/dbs6' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/rman/.'[6]: Created directory '/oracle/rman/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/rman/.'[6]: Owner of '/oracle/rman' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/rman/.'[6]: Object '/oracle/rman' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/shared/.'[7]: Created directory '/oracle/shared/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/shared/.'[7]: Owner of '/oracle/shared' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/shared/.'[7]: Object '/oracle/shared' had permission 2755, changed it to 2750
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/archlogs/.'[0]: Created directory '/oracle/archlogs/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/archlogs/.'[0]: Owner of '/oracle/archlogs' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/archlogs/.'[0]: Object '/oracle/archlogs' had permission 2755, changed it to 2770
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbatemp/.'[0]: Created directory '/oracle/dbatemp/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbatemp/.'[0]: Owner of '/oracle/dbatemp' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbatemp/.'[0]: Object '/oracle/dbatemp' had permission 2755, changed it to 2775
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dba/.'[0]: Created directory '/oracle/dba/.'
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dba/.'[0]: Owner of '/oracle/dba' was 0, setting to 501
      2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dba/.'[0]: Object '/oracle/dba' had permission 2755, changed it to 2751
      [root@hub masterfiles]# stat -c "%a %n" /oracle
      2755 /oracle

      [root@hub masterfiles]# stat -c "%a %n" /oracle/*
      2770 /oracle/archlogs
      2751 /oracle/dba
      2775 /oracle/dbatemp
      2750 /oracle/dbs1
      2750 /oracle/dbs2
      2750 /oracle/dbs3
      2750 /oracle/dbs4
      2750 /oracle/dbs5
      2750 /oracle/dbs6
      2771 /oracle/exports
      2750 /oracle/rman
      2750 /oracle/shared
      </pre>

      But on 3.7.2 it fails to setgid:

      <pre>
      [root@hub masterfiles]# cf-agent -V
      CFEngine Core 3.7.2
      CFEngine Enterprise 3.7.2

      [root@hub masterfiles]# cf-agent -KIf ./promises.cf -b main
      info: Using command line specified bundlesequence
      info: User promise repaired
      info: User promise repaired
      info: User promise repaired
      info: Created directory '/oracle/.'
      info: Owner of '/oracle' was 0, setting to 501
      info: Group of '/oracle' was 0, setting to 502
      info: Object '/oracle' had permission 0755, changed it to 2755
      info: Created directory '/oracle/exports/.'
      info: Owner of '/oracle/exports' was 0, setting to 501
      info: Group of '/oracle/exports' was 0, setting to 503
      info: Object '/oracle/exports' had permission 0755, changed it to 2771
      info: Created directory '/oracle/dbs1/.'
      info: Owner of '/oracle/dbs1' was 0, setting to 501
      info: Group of '/oracle/dbs1' was 0, setting to 502
      info: Object '/oracle/dbs1' had permission 0755, changed it to 2750
      info: Created directory '/oracle/dbs2/.'
      info: Owner of '/oracle/dbs2' was 0, setting to 501
      info: Group of '/oracle/dbs2' was 0, setting to 502
      info: Object '/oracle/dbs2' had permission 0755, changed it to 2750
      info: Created directory '/oracle/dbs3/.'
      info: Owner of '/oracle/dbs3' was 0, setting to 501
      info: Group of '/oracle/dbs3' was 0, setting to 502
      info: Object '/oracle/dbs3' had permission 0755, changed it to 2750
      info: Created directory '/oracle/dbs4/.'
      info: Owner of '/oracle/dbs4' was 0, setting to 501
      info: Group of '/oracle/dbs4' was 0, setting to 502
      info: Object '/oracle/dbs4' had permission 0755, changed it to 2750
      info: Created directory '/oracle/dbs5/.'
      info: Owner of '/oracle/dbs5' was 0, setting to 501
      info: Group of '/oracle/dbs5' was 0, setting to 502
      info: Object '/oracle/dbs5' had permission 0755, changed it to 2750
      info: Created directory '/oracle/dbs6/.'
      info: Owner of '/oracle/dbs6' was 0, setting to 501
      info: Group of '/oracle/dbs6' was 0, setting to 502
      info: Object '/oracle/dbs6' had permission 0755, changed it to 2750
      info: Created directory '/oracle/rman/.'
      info: Owner of '/oracle/rman' was 0, setting to 501
      info: Group of '/oracle/rman' was 0, setting to 502
      info: Object '/oracle/rman' had permission 0755, changed it to 2750
      info: Created directory '/oracle/shared/.'
      info: Owner of '/oracle/shared' was 0, setting to 501
      info: Group of '/oracle/shared' was 0, setting to 502
      info: Object '/oracle/shared' had permission 0755, changed it to 2750
      info: Created directory '/oracle/archlogs/.'
      info: Owner of '/oracle/archlogs' was 0, setting to 501
      info: Group of '/oracle/archlogs' was 0, setting to 502
      info: Object '/oracle/archlogs' had permission 0755, changed it to 2770
      info: Created directory '/oracle/dbatemp/.'
      info: Owner of '/oracle/dbatemp' was 0, setting to 501
      info: Group of '/oracle/dbatemp' was 0, setting to 502
      info: Object '/oracle/dbatemp' had permission 0755, changed it to 2775
      info: Created directory '/oracle/dba/.'
      info: Owner of '/oracle/dba' was 0, setting to 501
      info: Group of '/oracle/dba' was 0, setting to 502
      info: Object '/oracle/dba' had permission 0755, changed it to 2751
      [root@hub masterfiles]#

      [root@hub masterfiles]# stat -c "%a %n" /oracle
      755 /oracle
      [root@hub masterfiles]# stat -c "%a %n" /oracle/*
      770 /oracle/archlogs
      751 /oracle/dba
      775 /oracle/dbatemp
      750 /oracle/dbs1
      750 /oracle/dbs2
      750 /oracle/dbs3
      750 /oracle/dbs4
      750 /oracle/dbs5
      750 /oracle/dbs6
      771 /oracle/exports
      750 /oracle/rman
      750 /oracle/shared
      </pre>
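
      In the 3.7.2 run above the agent log reports each mode change as applied, while `stat` shows the setgid bit missing, so a check has to read the mode back from the filesystem rather than trust the log. The following is an added example, not part of the original report or of CFEngine: it cross-checks the two outputs, and the function names and the shortened sample inputs are constructed for illustration.

```python
import re

# Constructed sample: a few lines in the format of the 3.7.2 agent log quoted in the report.
AGENT_LOG = """\
info: Object '/oracle' had permission 0755, changed it to 2755
info: Object '/oracle/exports' had permission 0755, changed it to 2771
info: Object '/oracle/dbs1' had permission 0755, changed it to 2750
"""
# Constructed sample: `stat -c "%a %n"` output; /oracle/exports is deliberately intact.
STAT_OUTPUT = """\
755 /oracle
2771 /oracle/exports
750 /oracle/dbs1
"""

LOG_RE = re.compile(
    r"Object '(?P<path>[^']+)' had permission \d+, changed it to (?P<mode>[0-7]+)")
SPECIAL = {0o4000: "setuid", 0o2000: "setgid", 0o1000: "sticky"}

def claimed_modes(log_text):
    """Map path -> last mode the agent log says it applied."""
    return {m["path"]: int(m["mode"], 8) for m in LOG_RE.finditer(log_text)}

def actual_modes(stat_text):
    """Map path -> mode parsed from `stat -c "%a %n"` lines."""
    modes = {}
    for line in stat_text.splitlines():
        mode, _, path = line.strip().partition(" ")
        if path and re.fullmatch(r"[0-7]+", mode):
            modes[path] = int(mode, 8)
    return modes

def mode_mismatches(log_text, stat_text):
    """Return (path, claimed, actual, lost special bits) where log and stat disagree."""
    actual = actual_modes(stat_text)
    findings = []
    for path, want in sorted(claimed_modes(log_text).items()):
        have = actual.get(path)
        if have is None or have == want:
            continue  # path not stat'ed, or mode matches the log
        lost = [name for bit, name in SPECIAL.items() if want & bit and not have & bit]
        findings.append((path, oct(want), oct(have), lost))
    return findings

if __name__ == "__main__":
    for path, want, have, lost in mode_mismatches(AGENT_LOG, STAT_OUTPUT):
        print(f"{path}: log says {want}, stat shows {have}, lost: {', '.join(lost) or 'none'}")
```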

              People

              • Assignee:
                a10003 Eystein Maloy Stenberg
                Reporter:
                a10042 Nick Anderson