Forum: CFEngine Help
Subject: spurious SETUID/SETGID warnings
Author: rgarner
Link to topic: https://cfengine.com/forum/read.php?3,23493,23493#msg-23493

I'm getting spurious warnings of the form

cf3>  !! NEW SETGID root PROGRAM 

when copying a new file.  The promise looks like this:

  
"/usr/local/lib/connectivity.jar"
    comment     =>  "Connectivity jar file",
    perms       =>  m("440"),
    copy_from   => from_master("$(src)/usr/local/scu/lib/connectivity.jar"),
    classes     => if_repaired("scu_connect_restart");

body copy_from from_master(from)
{
source      => "$(from)";
servers     => { "$(g.policy_server)" };
compare     => "digest";
copy_backup => "timestamp";
}


On a system where the file doesn't exist, I get log messages looking like


cf3>  -> Handling file existence constraints on /usr/local/lib/connectivity.jar
cf3>  -> Removing setgid (root) flag from /usr/local/lib/connectivity.jar...
cf3>  ?> defining promise result class scu_connect_restart
cf3>  !! NEW SETGID root PROGRAM /usr/local/lib/connectivity.jar
cf3> I: Report relates to a promise with handle ""
cf3> I: Made in version 'not specified' of '/var/cfengine/inputs/srv_local_mgmt.cf' near line 34
cf3> I: Comment: Connectivity jar file

cf3>  -> Object /usr/local/lib/connectivity.jar had permission 3320, changed it to 440
cf3>  ?> defining promise result class scu_connect_restart
cf3>  -> Edited file /var/cfengine/cfagent.lp-ora1-rh.log
cf3>  ?> defining promise result class scu_connect_restart


So for some reason, the file was created with mask 3320 (?!).  On the policy 
server the source file has mask 644.

This is in version cfengine-community-3.2.0-1.el5 (rhel5, x86_64 in case it's 
relevant).

Is this a bug? Can I configure around it?

Robin Garner
Southern Cross University
Lismore, NSW, Australia
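
Added example (not part of the original post, and not CFEngine code): a small triage helper for cf-agent output of the shape quoted above. It decodes the special bits in a logged octal mode such as 3320 and marks a NEW SETUID/SETGID warning as transient when the same run logs a permission change to a mode without that bit. The function names, the SETUID sample line and the path /opt/example/helper are constructed for illustration.

```python
import re
import stat

# Constructed sample: three lines copied from the shape of the log in the post,
# plus one assumed SETUID warning with no follow-up correction.
SAMPLE_LOG = """\
cf3>  -> Removing setgid (root) flag from /usr/local/lib/connectivity.jar...
cf3>  !! NEW SETGID root PROGRAM /usr/local/lib/connectivity.jar
cf3>  -> Object /usr/local/lib/connectivity.jar had permission 3320, changed it to 440
cf3>  !! NEW SETUID root PROGRAM /opt/example/helper
"""

WARN = re.compile(r"!! NEW (SETUID|SETGID) (\S+) PROGRAM (\S+)")
FIXED = re.compile(r"-> Object (\S+) had permission ([0-7]+), changed it to ([0-7]+)")


def special_bits(mode_str):
    """Return the names of the setuid/setgid/sticky bits set in an octal mode string."""
    mode = int(mode_str, 8)
    flags = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"))
    return [name for bit, name in flags if mode & bit]


def triage(log_text):
    """Map each warned path to 'transient' (the run reset the mode to one without
    the flagged bit) or 'persistent' (no such correction appears in the log)."""
    warnings, final_mode = [], {}
    for line in log_text.splitlines():
        if (m := WARN.search(line)):
            warnings.append((m.group(3), m.group(1).lower()))
        elif (m := FIXED.search(line)):
            final_mode[m.group(1)] = m.group(3)
    result = {}
    for path, bit in warnings:
        mode = final_mode.get(path)
        cleared = mode is not None and bit not in special_bits(mode)
        result[path] = "transient" if cleared else "persistent"
    return result


if __name__ == "__main__":
    print(special_bits("3320"))
    for path, status in triage(SAMPLE_LOG).items():
        print(status, path)
```

Warnings classified as persistent are the ones worth checking on disk, since the log shows no later correction of the mode.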
