Puppet custom functions and user permissions

I am busy writing a custom function to automatically add OSSEC agents
to an OSSEC server after installation. Unfortunately, it seems that
puppetmasterd is not respecting the entries in /etc/group in Linux. No
matter how many other groups the puppet user has been added to in
/etc/group, when puppetmasterd runs the custom function the effective/real
user always only has the puppet group.

An example:

module Puppet::Parser::Functions
  newfunction(:ossec_client_key, :type => :rvalue) do |args|
         # Check if key for the fqdn already exists
        fqdn = lookupvar('fqdn')
        ip = lookupvar('ipaddress')

        fout = File.open("/home/puppet/ossec_client_key.log", 'w')
        fout.puts "ossec_client_key executed with: " + fqdn + ":" + ip

        userid = `id`
        fout.puts "Shell commands run as: " + userid
        fout.puts "Ruby effective uid: " + Process.euid.to_s

        key = `cat /var/ossec/etc/client.keys | egrep #{fqdn}`
        fout.puts File.executable?("/var/ossec/contrib/ossec-batch-manager.pl")
        fout.close

        # If it does not exist add the fqdn to ossec with ip
        if($? != 0)
         output = `/var/ossec/contrib/ossec-batch-manager.pl -a -n #{fqdn} -ip #{ip}`
        end

        # Now extract the key for the fqdn from ossec
        agent_id = `cat /var/ossec/etc/client.keys | egrep #{fqdn} | awk '{print $1}'`
        key = `/var/ossec/contrib/ossec-batch-manager.pl -e #{agent_id}`

        if($? != 0)
        raise Puppet::ParseError, "Could not retrieve key for:" + fqdn
        end


        return key
  end
end

Output in ossec_client_key.log:

Shell commands run as: uid=1004(puppet) gid=1002(puppet) groups=0(root)
Ruby effective uid: 1004
false


When I run the same command directly via ruby using:

sudo -u puppet ruby ...

I get:

Shell commands run as: uid=1004(puppet) gid=1002(puppet) groups=1001(ossec),1002(puppet)
Ruby effective uid: 1004
true


Is this a bug or intended behaviour? If it is intended behaviour can
anyone explain why?

Thanks
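
An added example, not part of the original post: a Ruby check that compares the groups a process actually holds with the groups the group database assigns to its user, which is the mismatch the two `id` outputs above show. The function names and the sample data are constructed for illustration; the sample GIDs are the ones quoted in the post.

```ruby
require 'etc'

# GIDs the group database grants a user: the primary GID from passwd plus
# every group that lists the user as a member.
def configured_gids(user, primary_gid, group_db)
  member_of = group_db.select { |g| g[:members].include?(user) }.map { |g| g[:gid] }
  ([primary_gid] + member_of).uniq.sort
end

# Difference between what is configured and what a process actually holds.
def group_drift(configured, held)
  { missing: (configured - held).sort, unexpected: (held - configured).sort }
end

# Read the live group database through Etc.
def live_group_db
  db = []
  Etc.group { |g| db << { name: g.name, gid: g.gid, members: g.mem } }
  db
end

# Drift for the process running this code, e.g. when called from inside a daemon.
def current_process_drift
  pw = Etc.getpwuid(Process.euid)
  held = (Process.groups + [Process.egid]).uniq
  group_drift(configured_gids(pw.name, pw.gid, live_group_db), held)
rescue ArgumentError # no passwd entry for this uid
  nil
end

# Constructed sample mirroring the two `id` outputs quoted in the post.
SAMPLE_DB = [
  { name: 'root',   gid: 0,    members: [] },
  { name: 'ossec',  gid: 1001, members: ['puppet'] },
  { name: 'puppet', gid: 1002, members: [] }
].freeze
WANT = configured_gids('puppet', 1002, SAMPLE_DB)

def sample_daemon_drift
  group_drift(WANT, [0, 1002])       # gid=1002(puppet) groups=0(root)
end

def sample_sudo_drift
  group_drift(WANT, [1001, 1002])    # groups=1001(ossec),1002(puppet)
end

if __FILE__ == $PROGRAM_NAME
  puts "daemon (sample): #{sample_daemon_drift}"
  puts "sudo   (sample): #{sample_sudo_drift}"
  puts "this process:    #{current_process_drift.inspect}"
end
```

On the sample data the daemon case reports the ossec group as missing and the root group as held without being configured, while the sudo case reports no drift.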
