Description of problem:
puppet needs the mode of /var/log/puppet to be 750 and /var/run/puppet to be 1755; the spec file installs these directories as 755.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install puppet RPM, note directory modes
2. Run puppetd
3. Run rpm --check puppet

Actual results:

Expected results:

Additional info:
Reproducible in puppet-0.24.8-1.fc10
I think the proper solution for us is to avoid the 1777 mode on /var/run/puppet. We know that it's owned by puppet and that user will be present due to our packaging, so the 1777 really doesn't make sense for us, AFAICT. (Please correct me if I'm wrong!) I'll talk to upstream and see if we can't patch things in a way that works for all concerned and avoid resetting the mode on /var/run/puppet. If that's not possible, we can patch the puppet defaults.rb locally as a last resort. I think it's puppetmasterd that resets the mode on /var/log/puppet, as I couldn't reproduce this using only puppetd. But either way, tightening the permissions shouldn't cause any harm, so we can correct the spec file and not cause the rpm verification problem in the future.
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
We can actually describe the permissions we need on /var/run/puppet/ in the %files section, and in defaults.rb by just changing the default. I'm going to do that now, bearing in mind that we do need to contact upstream on whether install.rb can be fixed in this regard. I've set it to mode 0755 to enable 'other' users to read the pid file. Continuing this conversation upstream seems like the best thing to do right now, but let's not hold back our solution to this problem.
I have talked with upstream and I believe our best course of action is to patch the puppet defaults.rb to avoid setting such loose perms on /var/run/puppet. I've just been sidetracked with other things the past week or two and have not had time to follow up on this. Unless there is a rush, I'll work on finishing the small patch and adding it to rawhide in the next week. Upstream (well, Luke) is alright with this, as the reasons for setting 1777 perms on /var/run/puppet are a bit sticky (pun intended).
/me is doing this right now, using 0755 for /var/run/puppet/ by means of a tiny patch changing the default, so that we can continue talking to upstream about the exact right solution without as much pressure.
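A check for the mode drift this report is about, written as an added example (not code from the puppet package or from anyone in this thread). It compares on-disk directory modes with 0750 for /var/log/puppet and 0755 for /var/run/puppet, the values named in the comments above; the function names and the ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Expected modes as discussed in this report. The ROOT prefix passed to the
# functions lets the check run against a scratch tree as well as a live system.
EXPECTED_MODES='0750 /var/log/puppet
0755 /var/run/puppet'

# Octal permission bits of a path, e.g. 750 or 1777 (assumes GNU coreutils stat).
dir_mode() {
    stat -c '%a' "$1"
}

# check_dir ROOT EXPECTED PATH
# Prints one status line; returns 0 on match, 1 on drift, 2 if missing.
check_dir() {
    root=$1 expected=$2 path=$3
    if [ ! -d "$root$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    actual=$(dir_mode "$root$path")
    # The leading 0 makes the shell read both values as octal constants.
    if [ $((0$actual)) -eq $((0$expected)) ]; then
        echo "OK       $path ($actual)"
        return 0
    fi
    note=""
    # Bit 0002 is write permission for "other": call that out explicitly.
    if [ $((0$actual & 0002)) -ne 0 ]; then
        note=" world-writable"
    fi
    echo "DRIFT    $path (expected $expected, found $actual)$note"
    return 1
}

# audit_modes ROOT: check every entry, return the number of failing entries.
audit_modes() {
    failures=0
    while read -r mode path; do
        check_dir "$1" "$mode" "$path" || failures=$((failures + 1))
    done <<EOF
$EXPECTED_MODES
EOF
    return "$failures"
}
```

Calling `audit_modes ""` checks the live directories; a non-zero exit status is the number of directories that are missing or whose mode differs.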
Good deal. Are you planning to also include something like this to fix the log dir? -install -d -m0755 %{buildroot}%{_localstatedir}/log/puppet +install -d -m0750 %{buildroot}%{_localstatedir}/log/puppet That looked cleaner to me than putting it in %files, but either way should work.
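Review bot: the 0750 on the `+install -d` line only reaches the package if the %files entry for this directory leaves the mode to the buildroot; an explicit %attr or %defattr directory mode there would override it, so check that the two agree. Since the stated goal is to stop the rpm verification mismatch, the value also has to match what puppet itself sets at run time, which the report gives as 750 for /var/log/puppet.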
puppet-0.24.8-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/puppet-0.24.8-4.fc10
puppet-0.24.8-4.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/puppet-0.24.8-4.el5
puppet-0.24.8-4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/puppet-0.24.8-4.fc11
puppet-0.24.8-4.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/puppet-0.24.8-4.el4
puppet-0.24.8-4.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2009-0262
puppet-0.24.8-4.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2009-0253
puppet-0.24.8-4.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8477
puppet-0.24.8-4.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8494
puppet-0.24.8-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.24.8-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.24.8-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.24.8-4.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.