Details
- Type: Bug
- Status: Done
- Priority: High
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 3.7.3
- Component/s: Promise type: files
- Labels: None
Description
I am unable to setgid when I am also setting ownership to a non-root user and group.
This worked on 3.6.2:
<pre>
bundle agent main
{
  vars:
      "users_and_groups" slist =>
      ;

  users:
      "$(users_and_groups)"
        policy => "present",
        comment => "Easy way to get users with groups named after them";

  vars:
      "ora_dirs" slist =>
      ;

  files:
      "/oracle/."
        perms => mog("2755", "oracle", "dba"),
        create => "true";

      "/oracle/exports/."
        perms => mog("2771", "oracle", "dbaoper"),
        create => "true";

      "/oracle/$(ora_dirs)/."
        create => "true",
        perms => mog("2750", "oracle", "dba");

      "/oracle/archlogs/."
        create => "true",
        perms => mog("2770", "oracle", "dba");

      "/oracle/dbatemp/."
        create => "true",
        perms => mog("2775", "oracle", "dba");

      "/oracle/dba/."
        create => "true",
        perms => mog("2751", "oracle", "dba");
}
</pre>
<pre>
[root@hub masterfiles]# cf-agent -V
CFEngine Core 3.6.2
CFEngine Enterprise 3.6.2
[root@hub masterfiles]# cf-agent -KIf ./promises.cf -b main
2016-03-16T13:37:28+0000 info: Using command line specified bundlesequence
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Created directory '/oracle/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Owner of '/oracle' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Group of '/oracle' was 0, setting to 502
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Object '/oracle' had permission 0755, changed it to 2755
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Created directory '/oracle/exports/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Owner of '/oracle/exports' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Group of '/oracle/exports' was 502, setting to 503
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Object '/oracle/exports' had permission 2755, changed it to 2771
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs1/.'[0]: Created directory '/oracle/dbs1/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs1/.'[0]: Owner of '/oracle/dbs1' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs1/.'[0]: Object '/oracle/dbs1' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs2/.'[1]: Created directory '/oracle/dbs2/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs2/.'[1]: Owner of '/oracle/dbs2' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs2/.'[1]: Object '/oracle/dbs2' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs3/.'[2]: Created directory '/oracle/dbs3/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs3/.'[2]: Owner of '/oracle/dbs3' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs3/.'[2]: Object '/oracle/dbs3' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs4/.'[3]: Created directory '/oracle/dbs4/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs4/.'[3]: Owner of '/oracle/dbs4' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs4/.'[3]: Object '/oracle/dbs4' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs5/.'[4]: Created directory '/oracle/dbs5/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs5/.'[4]: Owner of '/oracle/dbs5' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs5/.'[4]: Object '/oracle/dbs5' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs6/.'[5]: Created directory '/oracle/dbs6/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs6/.'[5]: Owner of '/oracle/dbs6' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbs6/.'[5]: Object '/oracle/dbs6' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/rman/.'[6]: Created directory '/oracle/rman/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/rman/.'[6]: Owner of '/oracle/rman' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/rman/.'[6]: Object '/oracle/rman' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/shared/.'[7]: Created directory '/oracle/shared/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/shared/.'[7]: Owner of '/oracle/shared' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/shared/.'[7]: Object '/oracle/shared' had permission 2755, changed it to 2750
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/archlogs/.'[0]: Created directory '/oracle/archlogs/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/archlogs/.'[0]: Owner of '/oracle/archlogs' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/archlogs/.'[0]: Object '/oracle/archlogs' had permission 2755, changed it to 2770
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbatemp/.'[0]: Created directory '/oracle/dbatemp/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbatemp/.'[0]: Owner of '/oracle/dbatemp' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dbatemp/.'[0]: Object '/oracle/dbatemp' had permission 2755, changed it to 2775
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dba/.'[0]: Created directory '/oracle/dba/.'
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dba/.'[0]: Owner of '/oracle/dba' was 0, setting to 501
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/dba/.'[0]: Object '/oracle/dba' had permission 2755, changed it to 2751
[root@hub masterfiles]# stat -c "%a %n" /oracle
2755 /oracle
[root@hub masterfiles]# stat -c "%a %n" /oracle/*
2770 /oracle/archlogs
2751 /oracle/dba
2775 /oracle/dbatemp
2750 /oracle/dbs1
2750 /oracle/dbs2
2750 /oracle/dbs3
2750 /oracle/dbs4
2750 /oracle/dbs5
2750 /oracle/dbs6
2771 /oracle/exports
2750 /oracle/rman
2750 /oracle/shared
</pre>
But on 3.7.2 it fails to setgid:
<pre>
[root@hub masterfiles]# cf-agent -V
CFEngine Core 3.7.2
CFEngine Enterprise 3.7.2
[root@hub masterfiles]# cf-agent -KIf ./promises.cf -b main
info: Using command line specified bundlesequence
info: User promise repaired
info: User promise repaired
info: User promise repaired
info: Created directory '/oracle/.'
info: Owner of '/oracle' was 0, setting to 501
info: Group of '/oracle' was 0, setting to 502
info: Object '/oracle' had permission 0755, changed it to 2755
info: Created directory '/oracle/exports/.'
info: Owner of '/oracle/exports' was 0, setting to 501
info: Group of '/oracle/exports' was 0, setting to 503
info: Object '/oracle/exports' had permission 0755, changed it to 2771
info: Created directory '/oracle/dbs1/.'
info: Owner of '/oracle/dbs1' was 0, setting to 501
info: Group of '/oracle/dbs1' was 0, setting to 502
info: Object '/oracle/dbs1' had permission 0755, changed it to 2750
info: Created directory '/oracle/dbs2/.'
info: Owner of '/oracle/dbs2' was 0, setting to 501
info: Group of '/oracle/dbs2' was 0, setting to 502
info: Object '/oracle/dbs2' had permission 0755, changed it to 2750
info: Created directory '/oracle/dbs3/.'
info: Owner of '/oracle/dbs3' was 0, setting to 501
info: Group of '/oracle/dbs3' was 0, setting to 502
info: Object '/oracle/dbs3' had permission 0755, changed it to 2750
info: Created directory '/oracle/dbs4/.'
info: Owner of '/oracle/dbs4' was 0, setting to 501
info: Group of '/oracle/dbs4' was 0, setting to 502
info: Object '/oracle/dbs4' had permission 0755, changed it to 2750
info: Created directory '/oracle/dbs5/.'
info: Owner of '/oracle/dbs5' was 0, setting to 501
info: Group of '/oracle/dbs5' was 0, setting to 502
info: Object '/oracle/dbs5' had permission 0755, changed it to 2750
info: Created directory '/oracle/dbs6/.'
info: Owner of '/oracle/dbs6' was 0, setting to 501
info: Group of '/oracle/dbs6' was 0, setting to 502
info: Object '/oracle/dbs6' had permission 0755, changed it to 2750
info: Created directory '/oracle/rman/.'
info: Owner of '/oracle/rman' was 0, setting to 501
info: Group of '/oracle/rman' was 0, setting to 502
info: Object '/oracle/rman' had permission 0755, changed it to 2750
info: Created directory '/oracle/shared/.'
info: Owner of '/oracle/shared' was 0, setting to 501
info: Group of '/oracle/shared' was 0, setting to 502
info: Object '/oracle/shared' had permission 0755, changed it to 2750
info: Created directory '/oracle/archlogs/.'
info: Owner of '/oracle/archlogs' was 0, setting to 501
info: Group of '/oracle/archlogs' was 0, setting to 502
info: Object '/oracle/archlogs' had permission 0755, changed it to 2770
info: Created directory '/oracle/dbatemp/.'
info: Owner of '/oracle/dbatemp' was 0, setting to 501
info: Group of '/oracle/dbatemp' was 0, setting to 502
info: Object '/oracle/dbatemp' had permission 0755, changed it to 2775
info: Created directory '/oracle/dba/.'
info: Owner of '/oracle/dba' was 0, setting to 501
info: Group of '/oracle/dba' was 0, setting to 502
info: Object '/oracle/dba' had permission 0755, changed it to 2751
[root@hub masterfiles]#
[root@hub masterfiles]# stat -c "%a %n" /oracle
755 /oracle
[root@hub masterfiles]# stat -c "%a %n" /oracle/*
770 /oracle/archlogs
751 /oracle/dba
775 /oracle/dbatemp
750 /oracle/dbs1
750 /oracle/dbs2
750 /oracle/dbs3
750 /oracle/dbs4
750 /oracle/dbs5
750 /oracle/dbs6
771 /oracle/exports
750 /oracle/rman
750 /oracle/shared
</pre>
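In the 3.7.2 run above the agent logs "changed it to 2755" while `stat` reports 755, so the agent's own message cannot serve as evidence that a setgid directory was actually produced. The check below is an added example, not part of the original report or of CFEngine: it compares the modes the agent claims with `stat -c "%a %n"` output and lists special bits that went missing; the sample strings are excerpts copied from the output above, and the function names are assumptions of this example.

```python
import re

# Message format taken from the agent output on this page; the 3.6.2 lines
# carry a timestamp and promise handle in front, which finditer() skips.
CHANGED = re.compile(r"Object '([^']+)' had permission [0-7]+, changed it to ([0-7]+)")
STAT = re.compile(r"^([0-7]{3,4}) (\S+)$")  # one line of: stat -c "%a %n"
SPECIAL = {0o4000: "setuid", 0o2000: "setgid", 0o1000: "sticky"}

# Excerpts copied from the 3.7.2 and 3.6.2 runs above (two paths each).
AGENT_372 = """\
info: Object '/oracle' had permission 0755, changed it to 2755
info: Object '/oracle/exports' had permission 0755, changed it to 2771
"""
STAT_372 = "755 /oracle\n771 /oracle/exports\n"
AGENT_362 = """\
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/.'[0]: Object '/oracle' had permission 0755, changed it to 2755
2016-03-16T13:37:28+0000 info: /default/main/files/'/oracle/exports/.'[0]: Object '/oracle/exports' had permission 2755, changed it to 2771
"""
STAT_362 = "2755 /oracle\n2771 /oracle/exports\n"


def reported_modes(agent_output):
    """Map path -> last mode the agent says it set."""
    return {m.group(1): int(m.group(2), 8) for m in CHANGED.finditer(agent_output)}


def actual_modes(stat_output):
    """Map path -> mode parsed from stat output; prompt lines are ignored."""
    modes = {}
    for line in stat_output.splitlines():
        m = STAT.match(line.strip())
        if m:
            modes[m.group(2)] = int(m.group(1), 8)
    return modes


def lost_special_bits(agent_output, stat_output):
    """Return {path: [bit names]} for special bits reported but not on disk."""
    actual = actual_modes(stat_output)
    findings = {}
    for path, want in reported_modes(agent_output).items():
        if path not in actual:
            continue  # no stat line for this path, nothing to compare
        missing = want & ~actual[path] & 0o7000
        if missing:
            findings[path] = [n for bit, n in SPECIAL.items() if missing & bit]
    return findings
```
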
Issue Links
- relates to CFE-2222 Applying permissions recursively on a directory can fail with 'Permission denied' in 3.7.2 (Done)