diff --git a/CHANGELOG b/CHANGELOG
index faeb77ef..cd679e8e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+* Thu Dec 16 2021 Chris Tessmer - 4.10.3
+- Fixed
+ - Permit root user to run `puppet lookup --compile` without borking passgen
+
 * Thu Dec 16 2021 ke5C2Fin - 4.10.2
 - Fixed
 - Call `klist -s` instead of `klist` to properly handle cache issues
diff --git a/lib/puppet/functions/simplib/passgen/legacy/passgen.rb b/lib/puppet/functions/simplib/passgen/legacy/passgen.rb
index 426e3766..b57e1578 100644
--- a/lib/puppet/functions/simplib/passgen/legacy/passgen.rb
+++ b/lib/puppet/functions/simplib/passgen/legacy/passgen.rb
@@ -27,10 +27,10 @@
 # * `1` => Add reasonably safe symbols
 # * `2` => Printable ASCII
 # * `user` => user for generated files/directories
- # * Defaults to the user compiling the catalog.
+ # * Defaults to the Puppet user.
 # * Only useful when running `puppet apply` as the `root` user.
 # * `group => Group for generated files/directories
- # * Defaults to the group compiling the catalog.
+ # * Defaults to the Puppet user.
 # * Only useful when running `puppet apply` as the `root` user.
 # **private options:**
 # * `password` => contains the string representation of the password to hash (used for testing)
@@ -61,8 +61,8 @@ def passgen(identifier, modifier_hash={})
 scope = closure_scope
 settings = {}
- settings['user'] = modifier_hash.key?('user') ? modifier_hash['user'] : Etc.getpwuid(Process.uid).name
- settings['group'] = modifier_hash.key?('group') ? modifier_hash['group'] : Etc.getgrgid(Process.gid).name
+ settings['user'] = modifier_hash['user'] || Puppet.settings[:user]
+ settings['group'] = modifier_hash['group'] || Puppet.settings[:group]
 settings['keydir'] = File.join(Puppet.settings[:vardir], 'simp', 'environments', scope.lookupvar('::environment'), 'simp_autofiles', 'gen_passwd'
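Review bot: The new default line under `group` in the option docs reads "Defaults to the Puppet user.", but the code change visible further down assigns `Puppet.settings[:group]`, so the documented default for `group` is the Puppet group, not the user; the bullet should read `#   * Defaults to the Puppet group.`. The `user` bullet is correct as written since it pairs with `Puppet.settings[:user]`. The "Only useful when running `puppet apply` as the `root` user" lines are kept, and that still matches the new defaults as far as this hunk shows, since a non-root process cannot hand ownership to a different account; that reading is inferred from the later chown, not from this hunk. The `@@ -61` hunk that performs the assignment is cut off at the end of this chunk, so its remaining context lines are not reviewed here.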
@@ -321,13 +321,14 @@ def lockdown_stored_password_perms(settings)
 Find.find(settings['keydir']) do |file|
 file_stat = File.stat(file)
- # Do we own this file?
+ # Does the Puppet user own this file?
 begin
 file_owner = Etc.getpwuid(file_stat.uid).name
+ file_group = Etc.getgrgid(file_stat.gid).name
- unowned_files << file unless (file_owner == settings['user'])
+ unowned_files << file unless (file_owner == settings['user'] || file_group == settings['group'] )
 rescue ArgumentError => e
- debug("simplib::passgen: Error getting UID for #{file}: #{e}")
+ debug("simplib::passgen: Error getting UID/GID for #{file}: #{e}")
 unowned_files << file
 end
@@ -335,9 +336,7 @@ def lockdown_stored_password_perms(settings)
 # Ignore any file/directory that we don't own
 Find.prune if unowned_files.last == file
- FileUtils.chown(settings['user'],
- settings['group'], file
- )
+ FileUtils.chown(settings['user'], settings['group'], file)
 file_mode = file_stat.mode
 desired_mode = symbolic_mode_to_int('u+rwX,g+rX,o-rwx',file_mode,File.directory?(file))
@@ -356,5 +355,4 @@ def lockdown_stored_password_perms(settings)
 fail(err_msg)
 end
 end
-end
-# vim: set expandtab ts=2 sw=2:
+end
\ No newline at end of file
diff --git a/metadata.json b/metadata.json
index fbad6818..ba97e207 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "simp-simplib",
- "version": "4.10.2",
+ "version": "4.10.3",
 "author": "SIMP Team",
 "summary": "A collection of common SIMP functions, facts, and types",
 "license": "Apache-2.0",
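Review bot: The rewritten guard on the `unowned_files << file unless (file_owner == settings['user'] || file_group == settings['group'] )` line widens what counts as "owned": a file under keydir whose owner is some other account but whose group is the Puppet group is no longer pruned, and the `FileUtils.chown(settings['user'], settings['group'], file)` and mode rewrite in the next hunk then take it over, whereas the old check required the owner to match. If the intent is only to reclaim files that were created as root with the Puppet group already set, that should be stated, and the new comment `# Does the Puppet user own this file?` no longer describes the condition — something like `# Skip anything owned by neither the Puppet user nor the Puppet group; everything else is reclaimed below.` would. The added `Etc.getgrgid` call raising for an unknown GID lands in the same `rescue ArgumentError` and marks the file unowned, which is the conservative direction and is fine. The enclosing `lockdown_stored_password_perms` begins before this hunk and its `Find.find` block closes outside it.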