Puppet: System Administration Automated

Support

Ticket #804 (closed defect: wontfix)

Opened 1 year ago

Last modified 8 months ago

checks for maximum uid need to be removed

Reported by: zano0001 Assigned to: luke
Priority: normal Milestone: unplanned
Component: library Version: 0.23.1
Severity: normal Keywords: uid check
Cc: Triage Stage: Needs design decision
Attached Patches: None Complexity: Hard

Description

Using puppet 0.23.1 on RHEL 4.

In lib/puppet/type/pfile/owner.rb there are 2 checks for maximum uid, which prevent puppet from performing actions for users with uid higher than these. There are 2 different checks, each of which has a different value:

uid2name (line 12) has a check for "if id > 70000" - this prevented puppet from creating ssh keys for the users with uids > 70000

retrieve (line113) has the check for "if currentvalue > 120000" - this prevented puppet from changing the owner for users with uids > 120000, and reporting the "state is silly" when running puppetd --verbose -- onetime.

Change History

09/04/07 23:52:21 changed by michael

  • complexity changed from Unknown to Hard.
  • stage changed from Unreviewed to Needs design decision.
  • milestone set to misspiggy.

OSX allows negative uids (i.e. -2), which later become large unsigned ints. This is why there is a check for very large uids. A design decision needs to be made on how to handle this.

09/28/07 10:28:43 changed by DavidS

Ben <abnormaliti@clivepeeters.com.au> reports on the mailing list:

The following manifest is causing an error/warning and permissions are not set. i do not understanding why: 

   file {   "/diskless/swaps":
              ensure  => directory,
              owner   => nfsnobody,
              group   => nfsnobody,
              mode    => 1777;
        }

The error is: 

Fri Sep 21 14:53:05 EST 2007 //default/remote1/boot-server/File[/diskless/swaps]/owner (:warning): current state is silly: 4294967294
Fri Sep 21 14:53:05 EST 2007 //default/remote1/boot-server/File[/diskless/swaps]/owner (:notice): user 4294967294 does not exist

The user and group do exist: 

# grep nfsnobody /etc/passwd
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
# grep nfsnobody /etc/group
nfsnobody:x:4294967294:

The above problem was seen on a CentOS 5 x86_64.

The odd thing is that the very same manifest behaves as expected on a CentOS 5 i386 system. No complaints logged and permissions and mode are set correctly.

Both using puppet-0.23.2-1.el5

(follow-up: ↓ 4 ) 11/13/07 00:22:37 changed by DavidS

Debian etch does this too:

david@zion:~/Work/puppet/misspiggy/puppet-luke$ grep test /etc/passwd test:x:-3:1005:test:/home/test:/bin/bash david@zion:~/Work/puppet/misspiggy/puppet-luke$ getent passwd test test:x:4294967293:1005:test:/home/test:/bin/bash david@zion:~/Work/puppet/misspiggy/puppet-luke$

I Think the way to go forward on this is to munge incoming uids to unsigned int of the local architecture. This creates slightly unportable UIDs but on the other hand, useradd/groupadd do not accept negative values for uid/gid, so this could be disallowed completely too.

(in reply to: ↑ 3 ) 11/13/07 00:23:34 changed by DavidS 

david@zion:~/Work/puppet/misspiggy/puppet-luke$ grep ^test /etc/passwd
test:x:-3:1005:test:/home/test:/bin/bash
david@zion:~/Work/puppet/misspiggy/puppet-luke$ getent passwd test
test:x:4294967293:1005:test:/home/test:/bin/bash

getting late ...

11/24/07 00:04:06 changed by luke

  • milestone changed from misspiggy to unplanned.

I don't see an actual solution to this. I initially added the 'silly' things because the only thing I can really do here is fail -- if I try to write out the value that I get back from the system, I just get a failure. That is, Etc will tell me the value is some huge unsigned int, I try to write that out, and I get a failure.

I've patched this a bit in [56aad69f8cdf8b0b08fdb7985014986223fa4455], increasing the max value and making it tunable, but I can't find a way to fix this problem, so I'm delaying it.

01/19/08 20:52:42 changed by luke

  • status changed from new to closed.
  • resolution set to wontfix.

I think this is essentially unsurmountable at this point, and I'm closing the ticket unless someone can come up with an actual solution.

04/03/08 12:37:07 changed by jamtur01

Marking #1169 as duplicate.

04/08/08 17:39:19 changed by jamtur01

Mostly fixed in #1169.