The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #17876

Puppet changes directory permissions on log dir

Added by Ryan Uber over 3 years ago. Updated over 3 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: logging
Target version: -
Affected Puppet version: 3.0.0
Branch:
Keywords:


Description

No matter what the log_dir in puppet.conf is set to, any time puppet writes a log, the permissions on the directory are changed. This happens in Puppet >= 3.0. For example:

# grep logdir /etc/puppet/puppet.conf
    logdir = /var/log
# stat -c %A /var/log
drwxr-xr-x
# puppet apply --noop -e "file{'/tmp/test':content=>'$RANDOM';}"
/Stage[main]//File[/tmp/test]/ensure: current_value absent, should be file (noop)
Class[Main]: Would have triggered 'refresh' from 1 events
Stage[main]: Would have triggered 'refresh' from 1 events
Finished catalog run in 0.13 seconds
# stat -c %A /var/log
drwxr-x---

It does not matter what the permissions are before the puppet run. Puppet will force 750 on the logdir no matter what.

Here’s another example for good measure, where puppet grants more permissions than there were originally:

# stat -c %A /var/log
drwx------
# puppet apply --noop -e "file{'/tmp/test':content=>'$RANDOM';}"
/Stage[main]//File[/tmp/test]/ensure: current_value absent, should be file (noop)
Class[Main]: Would have triggered 'refresh' from 1 events
Stage[main]: Would have triggered 'refresh' from 1 events
Finished catalog run in 0.16 seconds
# stat -c %A /var/log
drwxr-x---

This causes multiple different types of problems. One example is when verifying RPM packages (see http://projects.puppetlabs.com/issues/17866).

It seems to me that as long as Puppet can write to the logdir, it shouldn’t care what the permissions are, and it should be up to the sysadmin to manage the permissions on that logdir.

puppet-dont-modify-logdir-perms.diff (421 Bytes) Ryan Uber, 11/29/2012 07:00 pm
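
The before/after stat comparison from the description, wrapped as a reusable check that also says whether the run tightened or loosened the directory (the second transcript shows 700 becoming 750). This is an added example, not part of the ticket or of Puppet; the function name mode_drift and its verdict words are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# mode_drift DIR CMD [ARGS...]
# Runs CMD and reports on stdout how DIR's permission bits changed:
#   "unchanged 750" | "tightened 755 750" | "loosened 700 750" | "mixed 705 750"
# Exit status: 0 unchanged, 1 changed, 2 DIR could not be stat'ed.
mode_drift() {
    md_dir=$1; shift
    md_before=$(stat -c %a "$md_dir") || return 2   # GNU stat, octal mode
    "$@" >&2                                        # keep stdout for the verdict
    md_after=$(stat -c %a "$md_dir") || return 2
    if [ "$md_before" = "$md_after" ]; then
        echo "unchanged $md_after"
        return 0
    fi
    # The leading 0 makes the shell read the values as octal.
    md_added=$(( 0$md_after & ~0$md_before & 07777 ))     # bits granted by CMD
    md_removed=$(( 0$md_before & ~0$md_after & 07777 ))   # bits revoked by CMD
    if [ "$md_added" -ne 0 ] && [ "$md_removed" -ne 0 ]; then
        md_kind=mixed
    elif [ "$md_added" -ne 0 ]; then
        md_kind=loosened
    else
        md_kind=tightened
    fi
    echo "$md_kind $md_before $md_after"
    return 1
}

# Constructed demo: chmod on a scratch directory stands in for the Puppet run
# shown in the ticket, so the script runs without Puppet installed.
md_demo=$(mktemp -d)
chmod 700 "$md_demo"
mode_drift "$md_demo" chmod 750 "$md_demo" || true
rm -rf "$md_demo"
```

On an affected host the call would be mode_drift /var/log followed by the puppet apply command from the description.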

History

#1 Updated by Ryan Uber over 3 years ago

Attaching patch against git current (3222337b1fb81c94bfac1bd8b8e74c26af9b673f). I of course do not know what else removing the 0750 enforcement might affect, but logic would make me think probably nothing.

#2 Updated by Ryan Uber over 3 years ago

  • Assignee deleted (Ryan Uber)

#3 Updated by Dominic Cleal over 3 years ago

The idea is that Puppet manages its own dirs/files by default. You can turn it off with manage_internal_file_permissions or you can override individual settings with the curly brace puppet.conf syntax. Unfortunately the latter is broken in 3.x, see #17371.

Sounds like the related issue is a discrepancy between the default in the RPM and the app.

#4 Updated by Ryan Uber over 3 years ago

  • Status changed from Needs Decision to Closed

This sounds reasonable. Probably no further action required here. The RPM issue mentioned above has been resolved with a minor patch described in #17866.

Thanks.