Bug #5632
Permissions may be applied recursively even if not asked to by "filesPermissions" Technique
Status: closed
Description
We made a sanity technique that should employ basic parameters like correct permissions on most critical files/directories.
This technique is attached.
No directories there are configured to be recursed.
It starts being processed at / and then proceeds to /var. When processing /var it switches recursion on.
The technique was updated to 1.1, no change.
I'll update with more info, but the basic thing is:
the permlist sets recursion = no.
Not sure how it gets overridden.
Files
Updated by Florian Heigl over 9 years ago
In verbose mode I was able to single out this message:
/default/files_permissions/methods/'any'/default/check_permissions/classes/'edit_recurse'[0]: Adding local bundle class 'edit_recurse'
The same did not happen for the directory / before this one, nor, as far as I could see for the next one.
I'll prepare some smart'ly grepped log to give info on this.
As far as I can see the whole of /inputs contains no deeply confidential info, so I can provide that via mail.
Updated by Florian Heigl over 9 years ago
Amazingly this does not happen in tiny home lab, only in big other lab.
Both SLES & technique version 1.1, but also a few differences. Not sure if I can, e.g., transfer the cfengine folder and test on the currently fine system?
Updated by Florian Heigl over 9 years ago
Output showing the actual behaviour:
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'file_exists'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'file_exists'[0]: Adding local bundle class 'file_exists'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'user_absent'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'group_absent'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'edit_owner'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'edit_owner'[0]: Adding local bundle class 'edit_owner'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'edit_group'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'edit_group'[0]: Adding local bundle class 'edit_group'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'edit_mode'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'edit_mode'[0]: Adding local bundle class 'edit_mode'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'edit_recurse'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'edit_recurse'[0]: Adding local bundle class 'edit_recurse'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'enable_suid'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'enable_sgid'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'is_symlink'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'classes_defined'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'classes_defined'[0]: Adding local bundle class 'classes_defined'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes: Evaluating promise 'can_edit_suid_sgid'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/classes/'can_edit_suid_sgid'[0]: Adding local bundle class 'can_edit_suid_sgid'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Evaluating promise 'identifier'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Evaluating promise 'extended_modes'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Skipping next promise 'extended_modes', as context 'classes_defined.enable_suid.!enable_sgid' is not relevant
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Evaluating promise 'extended_modes'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Skipping next promise 'extended_modes', as context 'classes_defined.!enable_suid.enable_sgid' is not relevant
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Evaluating promise 'extended_modes'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Skipping next promise 'extended_modes', as context 'classes_defined.enable_suid.enable_sgid' is not relevant
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/vars: Evaluating promise 'extended_modes'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions: Private classes augmented: file_exists edit_owner edit_group edit_recurse classes_defined edit_mode can_edit_suid_sgid
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Evaluating promise '${fileName}'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Skipping next promise '${fileName}', as context 'file_exists.edit_owner.!user_absent.!edit_recurse.!is_symlink' is not relevant
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Evaluating promise '${fileName}'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Skipping next promise '${fileName}', as context 'file_exists.edit_group.!group_absent.!edit_recurse.!is_symlink' is not relevant
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Evaluating promise '${fileName}'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Skipping next promise '${fileName}', as context 'can_edit_suid_sgid.file_exists.edit_mode.!edit_recurse.!is_symlink' is not relevant
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files: Evaluating promise '${fileName}'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Comment 'Setting the file owner'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Using literal pathtype for '/var'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Handling file existence constraints on '/var'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Additional promise info: source path '/var/rudder/cfengine-community/inputs/filesPermissions/1.1/filesPermissions.cf' at line 136 comment 'Setting the file owner'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: File permissions on '/var' as promised
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Defining promise result class 'b2117b05_0ae1_491a_b27f_96096f776785__d085c4f1_7bc8_4c6d_9fd0_1ac1a442f00f__15_var_owner_ok'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Entering '/var/tmp', level 0
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Handling file existence constraints on '/var/tmp/openscap-_REDACTED_BY_FLO.x86_64.rpm'
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Additional promise info: source path '/var/rudder/cfengine-community/inputs/filesPermissions/1.1/filesPermissions.cf' at line 136 comment 'Setting the file owner'
Updated by Florian Heigl over 9 years ago
I disabled this directive (COREOS_Dirs) and the error messages are not coming anymore, so the problem seems to be somewhere around here.
The parallel COREOS_Files is still active and working fine.
Updated by Nicolas CHARLES over 9 years ago
There is indeed something odd going on there.
Could you confirm the version of the rudder-agent you are using, both at your tiny home lab and big lab?
Could you also try with the latest nightly of rudder-agent 2.11? We fixed something that may be related, in promises evaluation.
Updated by Florian Heigl over 9 years ago
Versions where I have it happening:
rudder-agent-2.11.2.release-1.SLES.11 sles11sp2
sles11sp2
rudder-agent-2.12.0.alpha1.git201409220505-1.SLES.11
Versions where I don't have it happening:
rudder-agent-2.11.3.release-1.SLES.11 @ sles11sp3
Will update agent to requested version next.
Updated by Florian Heigl over 9 years ago
Tested installing the following agent:
On tiny lab sles11sp3:
- zypper install rudder-agent-2.11.3.release-1.SLES.11.x86_64.rpm
Segmentation fault
- zypper install rudder-agent-2.11.3.release-1.SLES.11.x86_64.rpm
Segmentation fault (core dumped)
Updated by Florian Heigl over 9 years ago
Disabling all other directives made the problem go away. I'll re-enable them one by one.
R: @@Inventory@@result_success@@inventory-all@@inventory-all@@6@@inventory@@None@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Next inventory scheduled between 00:00 and 06:00
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner root already matches current owner for: /
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Group root already matches current group for: /
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Mode 0755 already matches current mode for: /
R: @@FilesPermissions@@result_success@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner, group and permissions already correct for /
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/boot/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner root already matches current owner for: /boot/
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/boot/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Group root already matches current group for: /boot/
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/boot/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Mode 0755 already matches current mode for: /boot/
R: @@FilesPermissions@@result_success@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/boot/@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner, group and permissions already correct for /boot/
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner root already matches current owner for: /var
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Group root already matches current group for: /var
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Mode 0755 already matches current mode for: /var
R: @@FilesPermissions@@result_success@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner, group and permissions already correct for /var
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var/lib@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner root already matches current owner for: /var/lib
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var/lib@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Group root already matches current group for: /var/lib
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var/lib@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Mode 0755 already matches current mode for: /var/lib
R: @@FilesPermissions@@result_success@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/var/lib@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner, group and permissions already correct for /var/lib
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/boot/grub@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Owner root already matches current owner for: /boot/grub
R: @@FilesPermissions@@log_info@@b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@22@@File permissions@@/boot/grub@@2014-10-11 13:36:18+00:00##1b724ab4-d066-467b-8aaf-c2fe2c8ca6b4@#Group root already matches current group for: /boot/grub
In my understanding (in RFC speak, correct????) another directive SHOULD NOT be able to overlap this one's behaviour.
Updated by Florian Heigl over 9 years ago
It is triggered as soon as I "Enable" the second instance of this technique.
A directive called T_COREOS_File_permissions.
permlist if disabled:
- policyIsntanceId:file:user:group:mode:edituser:editgroup:editmode:suid:sgid:recursion
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@24:/:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@24:/var:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@24:/var/lib:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@24:/boot/:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@24:/boot/grub:root:root:755:true:true:true:false:false:false
permlist if enabled:
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@25:/:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@25:/var:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@25:/var/lib:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@25:/boot/:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@d085c4f1-7bc8-4c6d-9fd0-1ac1a442f00f@@25:/boot/grub:root:root:755:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/resolv.conf:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/nsswitch.conf:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/passwd:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/shadow:root:shadow:640:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/fstab:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/group:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/grub.conf:root:root:600:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/hosts:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/services:root:root:644:true:true:true:false:false:false
b2117b05-0ae1-491a-b27f-96096f776785@@da15f5d5-a0d5-4a70-b67c-f4e3067fcc02@@25:/etc/ssh/sshd_config:root:root:640:true:true:true:false:false:false
I don't see a missing field in there on first glance.
All edit_recurse settings continue to be "false".
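The permlist above and the verbose cf-agent output earlier in this ticket are enough to check, from the outside, whether an agent descended into a directory whose entry says recursion is off. The following is an added example, not Rudder's own code and not from the technique: it parses permlist lines in the ruleId@@directiveId@@serial:file:user:group:mode:edituser:editgroup:editmode:suid:sgid:recursion layout shown in the post, then scans verbose log lines for the "Entering '<child>', level N" message that the /var promise emitted, and flags any promiser whose permlist entry has recursion=false. The rule/directive ids and the log lines in the sample are constructed, modelled on the ones quoted in this ticket.

```python
import re
from dataclasses import dataclass

# Added example, not Rudder's code. Sample permlist lines constructed in the
# layout quoted in this ticket (ids are placeholders, not the ticket's real ids):
#   ruleId@@directiveId@@serial:file:user:group:mode:edituser:editgroup:editmode:suid:sgid:recursion
SAMPLE_PERMLIST = """\
RULE-ID@@DIRECTIVE-A@@25:/:root:root:755:true:true:true:false:false:false
RULE-ID@@DIRECTIVE-A@@25:/var:root:root:755:true:true:true:false:false:false
RULE-ID@@DIRECTIVE-B@@25:/etc/shadow:root:shadow:640:true:true:true:false:false:false
RULE-ID@@DIRECTIVE-B@@25:/var/log:root:root:755:true:true:true:false:false:true
"""

# Constructed cf-agent verbose lines in the shape quoted in this ticket;
# "Entering '<child>', level N" is the message that marks a descent into a subdirectory.
SAMPLE_LOG = """\
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: File permissions on '/var' as promised
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var'[0]: Entering '/var/tmp', level 0
2014-10-09T22:31:10+0200 verbose: /default/files_permissions/methods/'any'/default/check_permissions/files/'/var/log'[0]: Entering '/var/log/apache2', level 0
"""


@dataclass
class PermEntry:
    rule_id: str
    directive_id: str
    serial: int
    path: str
    user: str
    group: str
    mode: str
    recursion: bool


def _norm(path: str) -> str:
    """Treat '/boot/' and '/boot' as the same promiser; keep '/' itself intact."""
    return path.rstrip("/") or "/"


def parse_permlist(text: str) -> list[PermEntry]:
    """Parse permlist lines; blank lines and the '- ...' header comment are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        ids, sep, rest = line.partition(":")
        parts = ids.split("@@")
        if not sep or len(parts) != 3:
            raise ValueError(f"malformed identifier prefix: {line!r}")
        fields = rest.split(":")
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields after the identifier, got {len(fields)}: {line!r}")
        path, user, group, mode, _eu, _eg, _em, _suid, _sgid, recursion = fields
        entries.append(PermEntry(parts[0], parts[1], int(parts[2]),
                                 path, user, group, mode, recursion == "true"))
    return entries


# Matches ".../files/'/var'[0]: Entering '/var/tmp', level 0"
ENTER_RE = re.compile(
    r"/files/'(?P<promiser>[^']+)'\[\d+\]: Entering '(?P<child>[^']+)', level (?P<level>\d+)")


def find_unexpected_recursion(entries: list[PermEntry], log_text: str) -> list[tuple[str, str]]:
    """Return (promiser, child) pairs where the agent descended below a path
    whose permlist entry has recursion=false."""
    no_recurse = {_norm(e.path) for e in entries if not e.recursion}
    findings = []
    for line in log_text.splitlines():
        m = ENTER_RE.search(line)
        if m is None:
            continue
        promiser = _norm(m.group("promiser"))
        if promiser in no_recurse:
            findings.append((promiser, m.group("child")))
    return findings


if __name__ == "__main__":
    entries = parse_permlist(SAMPLE_PERMLIST)
    for promiser, child in find_unexpected_recursion(entries, SAMPLE_LOG):
        print(f"recursion=false for {promiser}, but the agent entered {child}")
```

Run against a real agent's `cf-agent -v` output and the node's generated permlist, the check reports the /var descent from this ticket while staying silent for entries that genuinely request recursion; the `_norm` helper exists because the permlist carries both `/boot/` and `/boot/grub` forms and the promiser in the log may appear with or without the trailing slash.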
Updated by François ARMAND over 9 years ago
- Category set to Techniques
- Status changed from New to 8
- Assignee set to Nicolas CHARLES
- Priority changed from N/A to 1
- Target version set to 2.11.4
Thank you so much for minimizing that one.
Nico, could you look at that?
Updated by Nicolas CHARLES over 9 years ago
Thank you for the detailed bug report, I'm digging into it.
Updated by Nicolas CHARLES over 9 years ago
Ok, I managed to reproduce it.
The suid and recursion are not correctly passed, only for the /var entry.
I have so far no idea why.
Updated by Nicolas CHARLES over 9 years ago
I've opened a bug on CFengine bugtracker
https://dev.cfengine.com/issues/6674
Updated by Nicolas CHARLES over 9 years ago
- Status changed from 8 to Pending technical review
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/537
PR is available there
https://github.com/Normation/rudder-techniques/pull/537
Benoit, could you have a look at it ?
thanks
Updated by Nicolas CHARLES over 9 years ago
This bug is quite important, could you review it?
Updated by Benoît PECCATTE over 9 years ago
- Status changed from Pending technical review to Discussion
- Assignee changed from Benoît PECCATTE to Nicolas CHARLES
Updated by Nicolas CHARLES over 9 years ago
- Status changed from Discussion to Pending technical review
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Pull Request changed from https://github.com/Normation/rudder-techniques/pull/537 to https://github.com/Normation/rudder-techniques/pull/553
Updated by Nicolas CHARLES over 9 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset policy-templates:commit:8cec663a04bc21eb626d17dad83e27ddec5b0433.
Updated by Benoît PECCATTE over 9 years ago
Applied in changeset policy-templates:commit:8a8b758fc280b57a55d05abe5f5fc944fded27d4.
Updated by Vincent MEMBRÉ over 9 years ago
- Subject changed from filesPermissions recursion applied although not configured to permissions may be applied recursively even if not asked to by "filesPermissions" Technique
Updated by Vincent MEMBRÉ over 9 years ago
- Subject changed from permissions may be applied recursively even if not asked to by "filesPermissions" Technique to Permissions may be applied recursively even if not asked to by "filesPermissions" Technique
- Target version changed from 2.11.4 to 2.6.19
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to Released