chef/provider/apt_repository.rb is creating temporary files as root in the running user home directory #8007

Open
omry opened this Issue Dec 1, 2018 · 0 comments

omry commented Dec 1, 2018

Description

  1. lib/chef/provider/apt_repository.rb uses gpg to verify keys when installing a new repo.
  2. By default, gpg creates a temporary file in the user's home directory (if you use sudo chef-client, chef will create files in your home directory as root).
  3. For users with an NFS-mounted home directory with root squash (a very common setup), gpg will fail to create the temp file and the chef run will fail.

A proposed fix is to change

  verify "gpg %{path}"

to

  verify "gpg --homedir /tmp/ %{path}"

in chef/provider/apt_repository.rb

Output proving it works:

omry@robodev001:~/opsfiles/chef/cookbooks/ros (master)$ sudo gpg  /var/chef/cache/https___raw_githubusercontent_com_ros_rosdistro_master_ros_key
gpg: failed to create temporary file `/nfs/home/omry/.gnupg/.#lk0x783310.robodev001.robots.thefacebook.com.39807': Permission denied
gpg: keyblock resource `/nfs/home/omry/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/nfs/home/omry/.gnupg/.#lk0x783820.robodev001.robots.thefacebook.com.39807': Permission denied
gpg: keyblock resource `/nfs/home/omry/.gnupg/pubring.gpg': general error
pub  1024D/B01FA116 2009-12-24 ROS Builder <rosbuild@ros.org>
sub  2048g/8F3611A0 2009-12-24
2 omry@robodev001:~/opsfiles/chef/cookbooks/ros (master)$ echo $?
2
omry@robodev001:~/opsfiles/chef/cookbooks/ros (master)$ sudo gpg --homedir /tmp/  /var/chef/cache/https___raw_githubusercontent_com_ros_rosdistro_master_ros_key
gpg: WARNING: unsafe permissions on homedir `/tmp/'
pub  1024D/B01FA116 2009-12-24 ROS Builder <rosbuild@ros.org>
sub  2048g/8F3611A0 2009-12-24
omry@robodev001:~/opsfiles/chef/cookbooks/ros (master)$ echo $?
0

Chef Version

$ chef -v
Chef Development Kit Version: 3.5.13
chef-client version: 14.7.17
delivery version: master (6862f27aba89109a9630f0b6c6798efec56b4efe)
berks version: 7.0.6
kitchen version: 1.23.2
inspec version: 3.0.52

Platform Version

Ubuntu 16.04

Replication Case

Create an apt repository with a key from a url:

  apt_repository("ros") do
    action [:add]
    default_guard_interpreter :default
    declared_type :apt_repository
    cookbook_name "ros"
    uri "http://packages.ros.org/ros/ubuntu"
    distribution "xenial"
    components ["main"]
    key ["https://raw.githubusercontent.com/ros/rosdistro/master/ros.key"]
    repo_name "ros"
  end

Client Output

http://paste.ubuntu.com/p/HDcN3gFGcZ/

Stacktrace

http://paste.ubuntu.com/p/DPqwRNQ8gW/
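
The `--homedir /tmp/` run above triggers gpg's "unsafe permissions on homedir" warning because `/tmp` is shared with every local user. The following added example (not part of the original issue or of Chef's code; the function names and the `KEY_FILE` variable are assumptions) runs the same `gpg <key file>` check with `GNUPGHOME` pointing at a fresh private directory that is removed afterwards, which also keeps gpg out of an NFS home directory.

```shell
#!/bin/sh
# Added example, not Chef's code. Function names are hypothetical.

# Succeed only if DIR is a real directory (not a symlink), owned by the
# current user, with no permission bits set for group or other.
is_private_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    case $(ls -ld -- "$dir" | cut -c1-10) in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command with GNUPGHOME set to a fresh private directory, remove
# the directory afterwards, and return the command's exit status.
with_private_gnupghome() {
    # mktemp -d creates the directory with mode 0700 and a random suffix.
    gnupg_home=$(mktemp -d "${TMPDIR:-/tmp}/gnupg-verify.XXXXXX") || return 1
    rc=0
    if is_private_dir "$gnupg_home"; then
        env GNUPGHOME="$gnupg_home" "$@" || rc=$?
    else
        rc=1    # refuse to run gpg against a directory that is not private
    fi
    rm -rf -- "$gnupg_home"
    return "$rc"
}

# Demo: KEY_FILE is an assumed variable naming a downloaded key file.
if [ -n "${KEY_FILE:-}" ] && command -v gpg >/dev/null 2>&1; then
    with_private_gnupghome gpg "$KEY_FILE"
    echo "gpg exit status: $?"
fi
```

Because the directory is owned by the invoking user (root under `sudo`) and has mode 0700, gpg has no reason to print the homedir warning, and the exit status of the wrapped command is still what a `verify` guard would see.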
