(#14283) Fix suntab and aixtab when run as unprivileged user

lib/puppet/util/filetype.rb

@@ -19,12 +19,10 @@ class << self
   def self.newfiletype(name, &block)
     @filetypes ||= {}
 
-
-          klass = genclass(
-        name,
+    klass = genclass(
+      name,
       :block => block,
       :prefix => "FileType",
-
       :hash => @filetypes
     )
 
@@ -81,6 +79,17 @@ def initialize(path)
     @path = path
   end
 
+  # Arguments that will be passed to the execute method. Will set the uid
+  # to the target user if the target user and the current user are not
+  # the same
+  def cronargs
+    if uid = Puppet::Util.uid(@path) and uid == Puppet::Util::SUIDManager.uid
+      {:failonfail => true, :combine => true}
+    else
+      {:failonfail => true, :combine => true, :uid => @path}
+    end
+  end
+
   # Operate on plain files.
   newfiletype(:flat) do
     # Back the file up before replacing it.
@@ -155,7 +164,7 @@ def path=(user)
       begin
         @uid = Puppet::Util.uid(user)
       rescue Puppet::Error => detail
-        raise Puppet::Error, "Could not retrieve user #{user}"
+        raise Puppet::Error, "Could not retrieve user #{user}: #{detail}", detail.backtrace
       end
 
       # XXX We have to have the user name, not the uid, because some
@@ -204,77 +213,83 @@ def cmdbase
   newfiletype(:suntab) do
     # Read a specific @path's cron tab.
     def read
-        output = Puppet::Util.execute(%w{crontab -l}, :uid => @path)
-        return "" if output.include?("can't open your crontab")
-        raise Puppet::Error, "User #{@path} not authorized to use cron" if output.include?("you are not authorized to use cron")
-        return output
+      Puppet::Util.execute(%w{crontab -l}, cronargs)
     rescue => detail
-        raise Puppet::Error, "Could not read crontab for #{@path}: #{detail}"
+      case detail.to_s
+      when /can't open your crontab/
+        return ""
+      when /you are not authorized to use cron/
+        raise Puppet::Error, "User #{@path} not authorized to use cron", detail.backtrace
+      else
+        raise Puppet::Error, "Could not read crontab for #{@path}: #{detail}", detail.backtrace
+      end
     end
 
     # Remove a specific @path's cron tab.
     def remove
-        Puppet::Util.execute(%w{crontab -r}, :uid => @path)
+      Puppet::Util.execute(%w{crontab -r}, cronargs)
     rescue => detail
-        raise Puppet::Error, "Could not remove crontab for #{@path}: #{detail}"
+      raise Puppet::Error, "Could not remove crontab for #{@path}: #{detail}", detail.backtrace
     end
 
     # Overwrite a specific @path's cron tab; must be passed the @path name
     # and the text with which to create the cron tab.
     def write(text)
-      puts text
-      output_file = Tempfile.new("puppet")
-      fh = output_file.open
-      fh.print text
-      fh.close
-
-      # We have to chown the stupid file to the user.
-      File.chown(Puppet::Util.uid(@path), nil, output_file.path)
-
+      output_file = Tempfile.new("puppet_suntab")
       begin
-        Puppet::Util.execute(["crontab", output_file.path], :uid => @path)
+        output_file.print text
+        output_file.close
+        # We have to chown the stupid file to the user.
+        File.chown(Puppet::Util.uid(@path), nil, output_file.path)
+        Puppet::Util.execute(["crontab", output_file.path], cronargs)
       rescue => detail
-        raise Puppet::Error, "Could not write crontab for #{@path}: #{detail}"
+        raise Puppet::Error, "Could not write crontab for #{@path}: #{detail}", detail.backtrace
+      ensure
+        output_file.close
+        output_file.unlink
       end
-      output_file.delete
     end
   end
 
   #  Support for AIX crontab with output different than suntab's crontab command.
   newfiletype(:aixtab) do
     # Read a specific @path's cron tab.
     def read
-        output = Puppet::Util.execute(%w{crontab -l}, :uid => @path)
-        raise Puppet::Error, "User #{@path} not authorized to use cron" if output.include?("You are not authorized to use the cron command")
-        return output
+      Puppet::Util.execute(%w{crontab -l}, cronargs)
     rescue => detail
-        raise Puppet::Error, "Could not read crontab for #{@path}: #{detail}"
+      case detail.to_s
+      when /Cannot open a file in the .* directory/
+        return ""
+      when /You are not authorized to use the cron command/
+        raise Puppet::Error, "User #{@path} not authorized to use cron", detail.backtrace
+      else
+        raise Puppet::Error, "Could not read crontab for #{@path}: #{detail}", detail.backtrace
+      end
     end
 
     # Remove a specific @path's cron tab.
     def remove
-        Puppet::Util.execute(%w{crontab -r}, :uid => @path)
+      Puppet::Util.execute(%w{crontab -r}, cronargs)
     rescue => detail
-        raise Puppet::Error, "Could not remove crontab for #{@path}: #{detail}"
+      raise Puppet::Error, "Could not remove crontab for #{@path}: #{detail}", detail.backtrace
     end
 
     # Overwrite a specific @path's cron tab; must be passed the @path name
     # and the text with which to create the cron tab.
     def write(text)
-      output_file = Tempfile.new("puppet")
-      fh = output_file.open
-      fh.print text
-      fh.close
-
-      # We have to chown the stupid file to the user.
-      File.chown(Puppet::Util.uid(@path), nil, output_file.path)
+      output_file = Tempfile.new("puppet_aixtab")
 
       begin
-        Puppet::Util.execute(["crontab", output_file.path], :uid => @path)
+        output_file.print text
+        output_file.close
+        # We have to chown the stupid file to the user.
+        File.chown(Puppet::Util.uid(@path), nil, output_file.path)
+        Puppet::Util.execute(["crontab", output_file.path], cronargs)
       rescue => detail
-        raise Puppet::Error, "Could not write crontab for #{@path}: #{detail}"
+        raise Puppet::Error, "Could not write crontab for #{@path}: #{detail}", detail.backtrace
       ensure
-        output_file.delete
+        output_file.close
+        output_file.unlink
       end
     end
   end

spec/fixtures/unit/util/filetype/aixtab_output

@@ -0,0 +1,44 @@
+# @(#)08        1.15.1.3  src/bos/usr/sbin/cron/root, cmdcntl, bos530 2/11/94 17:19:47
+# IBM_PROLOG_BEGIN_TAG 
+# This is an automatically generated prolog. 
+#  
+# bos530 src/bos/usr/sbin/cron/root 1.15.1.3 
+#  
+# Licensed Materials - Property of IBM 
+#  
+# (C) COPYRIGHT International Business Machines Corp. 1989,1994 
+# All Rights Reserved 
+#  
+# US Government Users Restricted Rights - Use, duplication or 
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
+#  
+# IBM_PROLOG_END_TAG 
+#
+# COMPONENT_NAME: (CMDCNTL) commands needed for basic system needs
+#
+# FUNCTIONS: 
+#
+# ORIGINS: 27
+#
+# (C) COPYRIGHT International Business Machines Corp. 1989,1994
+# All Rights Reserved
+# Licensed Materials - Property of IBM
+#
+# US Government Users Restricted Rights - Use, duplication or
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#
+#0 3 * * * /usr/sbin/skulker
+#45 2 * * 0 /usr/lib/spell/compress
+#45 23 * * * ulimit 5000; /usr/lib/smdemon.cleanu > /dev/null
+0 11 * * * /usr/bin/errclear -d S,O 30
+0 12 * * * /usr/bin/errclear -d H 90
+0 15 * * *  /usr/lib/ras/dumpcheck >/dev/null 2>&1
+# SSA warning : Deleting the next two lines may cause errors in redundant
+# SSA warning : hardware to go undetected.
+01 5 * * * /usr/lpp/diagnostics/bin/run_ssa_ela 1>/dev/null 2>/dev/null
+0 * * * * /usr/lpp/diagnostics/bin/run_ssa_healthcheck 1>/dev/null 2>/dev/null
+# SSA warning : Deleting the next line may allow enclosure hardware errors to go undetected
+30 * * * * /usr/lpp/diagnostics/bin/run_ssa_encl_healthcheck 1>/dev/null 2>/dev/null
+# SSA warning : Deleting the next line may allow link speed exceptions to go undetected
+30 4 * * * /usr/lpp/diagnostics/bin/run_ssa_link_speed 1>/dev/null 2>/dev/null
+55 23 * * * /var/perf/pm/bin/pmcfg >/dev/null 2>&1      #Enable PM Data Collection

spec/fixtures/unit/util/filetype/suntab_output

@@ -0,0 +1,9 @@
+#ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
+#
+# The root crontab should be used to perform accounting data collection.
+#
+#
+10 3 * * * /usr/sbin/logadm
+15 3 * * 0 /usr/lib/fs/nfs/nfsfind
+30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
+#10 3 * * * /usr/lib/krb5/kprop_script ___slave_kdcs___