Bug 495096 - puppet SPEC file defines improper modes for some directories
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: puppet
Version: 11
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Todd Zullinger
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-09 14:11 EDT by Jim Pirzyk
Modified: 2009-09-12 13:53 EDT
Fixed In Version: 0.24.8-4.el4
Doc Type: Bug Fix
Last Closed: 2009-09-11 19:24:20 EDT

Description Jim Pirzyk 2009-04-09 14:11:49 EDT
Description of problem:

puppet needs the mode of /var/log/puppet to be 750 and /var/run/puppet to be 1755; the spec file installs these directories as 755.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install puppet RPM, note directory modes
2. Run puppetd
3. run rpm --check puppet 
  
Actual results:


Expected results:


Additional info:
Comment 1 Till Maas 2009-05-27 11:03:23 EDT
Reproducible in puppet-0.24.8-1.fc10
Comment 2 Todd Zullinger 2009-05-29 11:59:58 EDT
I think the proper solution for us is to avoid the 1777 mode on /var/run/puppet.  We know that it's owned by puppet and that user will be present due to our packaging, so the 1777 really doesn't make sense for us, AFAICT.  (Please correct me if I'm wrong!)

I'll talk to upstream and see if we can't patch things in a way that works for all concerned and avoid resetting the mode on /var/run/puppet.  If that's not possible, we can patch the puppet defaults.rb locally as a last resort.

I think it's puppetmasterd that resets the mode on /var/log/puppet, as I couldn't reproduce this using only puppetd.  But either way, tightening the permissions shouldn't cause any harm, so we can correct the spec file and not cause the rpm verification problem in the future.
Comment 3 Bug Zapper 2009-06-09 09:33:50 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Jeroen van Meeuwen 2009-06-24 09:23:33 EDT
We can actually describe the permissions we need on /var/run/puppet/ in the %files section, and in defaults.rb by just changing the default.

I'm going to do that now, bearing in mind that we do need to contact upstream on whether install.rb can be fixed in this regard. I've set it to mode 0755 to enable 'other' users to read the pid file.

Continuing this conversation upstream seems like the best thing to do right now, but let's not hold back our solution to this problem.
Comment 5 Todd Zullinger 2009-06-24 09:38:19 EDT
I have talked with upstream and I believe our best course of action is to patch the puppet defaults.rb to avoid setting such loose perms on /var/run/puppet.  I've just been sidetracked with other things the past week or two and have not had time to follow up on this.  Unless there is a rush, I'll work on finishing the small patch and adding it to rawhide in the next week.  Upstream (well, Luke) is alright with this, as the reasons for setting 1777 perms on /var/run/puppet are a bit sticky (pun intended).
Comment 6 Jeroen van Meeuwen 2009-06-24 10:09:16 EDT
/me is doing this right now, using 0755 for /var/run/puppet/ by means of a tiny patch changing the default, so that we can continue talking to upstream about the exact right solution without as much pressure.
Comment 7 Todd Zullinger 2009-06-24 10:19:39 EDT
Good deal.  Are you planning to also include something like this to fix the log dir?

-install -d -m0755 %{buildroot}%{_localstatedir}/log/puppet
+install -d -m0750 %{buildroot}%{_localstatedir}/log/puppet
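
Review bot: the `install -d -m0750` line sets only the mode in the buildroot and names no owner or group, so once 'other' access is removed the %files entry for this directory has to assign it to the puppet user, or the daemon can no longer write its own logs; please confirm that entry is in the spec. The hunk also covers only log/puppet, so the /var/run/puppet mismatch from the report still depends on the defaults.rb change discussed earlier in this bug.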

That looked cleaner to me than putting it in %files, but either way should work.
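
Added example, not part of any comment in this bug or of the puppet packaging: a small shell check that compares on-disk directory modes with the packaged mode, which is the mismatch rpm verification reports here. The temp-dir tree and the function names `mode_of`, `check_mode` and `other_writable` are constructed for illustration; 1777 is the run-time mode comments 2 and 5 refer to.

```shell
#!/bin/sh
# Compare on-disk directory modes with the modes a package declares.
# The tree is constructed in a temp dir; nothing under /var is touched.

# Print the octal permission bits of a path (GNU stat, as on Fedora/EPEL).
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if the path has the expected mode, 1 (with a message) otherwise.
check_mode() {
    actual=$(mode_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "MODE MISMATCH $1: packaged $2, on disk $actual"
    return 1
}

# Return 0 if 'other' has write permission on the path.
other_writable() {
    m=$(mode_of "$1")
    last=${m#"${m%?}"}          # last octal digit holds the 'other' bits
    [ $(( last & 2 )) -ne 0 ]
}

# Constructed sample tree standing in for /var/log/puppet and /var/run/puppet.
root=$(mktemp -d)
mkdir -p "$root/var/log/puppet" "$root/var/run/puppet"

# Modes the thread says the daemons apply at run time.
chmod 0750 "$root/var/log/puppet"
chmod 1777 "$root/var/run/puppet"

# Packaged mode 755 (the original spec) against the run-time modes.
check_mode "$root/var/log/puppet" 755 || true
check_mode "$root/var/run/puppet" 755 || true
other_writable "$root/var/run/puppet" && echo "var/run/puppet is writable by 'other'"
```

Both directories report a mismatch against the packaged 755, and only the 1777 directory is flagged as writable by 'other'.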
Comment 8 Fedora Update System 2009-08-10 11:04:12 EDT
puppet-0.24.8-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/puppet-0.24.8-4.fc10
Comment 9 Fedora Update System 2009-08-10 11:04:37 EDT
puppet-0.24.8-4.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/puppet-0.24.8-4.el5
Comment 10 Fedora Update System 2009-08-10 11:05:01 EDT
puppet-0.24.8-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/puppet-0.24.8-4.fc11
Comment 11 Fedora Update System 2009-08-10 11:05:26 EDT
puppet-0.24.8-4.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/puppet-0.24.8-4.el4
Comment 12 Fedora Update System 2009-08-11 16:36:55 EDT
puppet-0.24.8-4.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0262
Comment 13 Fedora Update System 2009-08-11 16:37:26 EDT
puppet-0.24.8-4.el4 has been pushed to the Fedora EPEL 4 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2009-0253
Comment 14 Fedora Update System 2009-08-11 18:33:53 EDT
puppet-0.24.8-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8477
Comment 15 Fedora Update System 2009-08-11 18:38:19 EDT
puppet-0.24.8-4.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8494
Comment 16 Fedora Update System 2009-09-11 19:23:51 EDT
puppet-0.24.8-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-09-11 19:36:39 EDT
puppet-0.24.8-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-09-12 13:51:59 EDT
puppet-0.24.8-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-09-12 13:53:33 EDT
puppet-0.24.8-4.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.