(MODULES-9578) Create ssh_authorized_key in root path #20
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
3 times, most recently
from
0028eac
to
4eb9141
Compare
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
3 times, most recently
from
54db0bb
to
baba7be
Compare
|
Acceptance tests are passing: |
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
from
baba7be
to
f95ddad
Compare
pillarsdotnet
approved these changes
Aug 13, 2019
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
from
f95ddad
to
51f191a
Compare
joshcooper
requested changes
Aug 16, 2019
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
from
503392e
to
dd2544b
Compare
joshcooper
reviewed
Aug 22, 2019
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
7 times, most recently
from
d8fa1f0
to
4cc041d
Compare
joshcooper
reviewed
Aug 26, 2019
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
3 times, most recently
from
978a8f3
to
55d73fc
Compare
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
2 times, most recently
from
a47a7df
to
0755b94
Compare
|
@joshcooper I've restored the functionality that creates the parent directory (in case we're writing as the user/path is not trusted), so this should not be a breaking change anymore. |
joshcooper
requested changes
Oct 4, 2019
joshcooper
reviewed
Oct 4, 2019
joshcooper
reviewed
Oct 4, 2019
joshcooper
reviewed
Oct 4, 2019
GabrielNagy
commented
Oct 8, 2019
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
3 times, most recently
from
904895b
to
7d2002c
Compare
joshcooper
reviewed
Oct 9, 2019
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
from
7d2002c
to
f84ea6f
Compare
|
Fixed the rubocop stuff, I'll squash my commits when you're good with this @joshcooper |
joshcooper
approved these changes
Oct 22, 2019
Previously, when the `target` property was set, the ssh_authorized_key resource could not create directories/files within root-owned paths. This behavior is due to the module switching context to the user, then attempting to create the directory/file as the specified user, ultimately failing because of insufficient permissions. This commit adds a new parameter, `drop_privileges` which when set to false allows the module to write a ssh_authorized_key file in a privileged path. Due to the possible security implications of this, the parameter must be manually specified in order to activate this functionality. A path is considered to be privileged/trusted if all of its ancestors: - do not contain any symlinks - have the same owner as the user who runs Puppet - are not world/group writable
GabrielNagy
force-pushed
the
MODULES-9578/create-file-as-root
branch
from
a46d859
to
b2c153b
Compare
|
Passing acceptance run (except for ubuntu 14.04 which is no longer in our pipeline and can be ignored): https://jenkins-master-prod-1.delivery.puppetlabs.net/view/modules/view/Core/view/sshkeys_core/view/adhoc/job/forge-module_puppetlabs-sshkeys_core_intn-sys_nightly-adhoc/2/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, when the
targetproperty was set, the ssh_authorized_key resource could not create directories/files within root-owned paths. This behavior is due to the module switching context to theuser, then attempting to create the directory/file as the specified user, ultimately failing because of insufficient permissions.
This commit removes the context change logic, and creates the authorized_key file as
root, then executesFileUtils.chownto make it owned by the target user.This commit also removes the functionality that created parent directories, since it should not be in the scope of this module.
Cherry-picked 2 commits from @pillarsdotnet's tree, related to tests.