Users Application Support directory gets set with root permissions. #37
Here are the privacy_services_manager commands being executed:
|
Hello Dennis: Sorry about the issue, we will troubleshoot and fix it and let you know status.
On Sep 27, 2015, at 4:50 PM, Dennis Hoer <notifications@github.com> wrote:
Here are the privacy_services_manager commands being executed:
Thanks: Richard Glaser |
Hi again, @dhoer! I think I need a little more information to try to duplicate this issue.
|
What I think is going on is the application support directory and tcc database are not there so it creates the directory and database as root instead of vagrant user. |
How do you suggest the tool gets the user to assign the proper permissions if the items don't exist?
Thanks, Richard Glaser
On Sep 29, 2015, at 12:22 PM, Dennis Hoer <notifications@github.com> wrote:
/Users/vagrant/Library/Application Support
What I think is going on is the application support directory and tcc database are not there so it creates the directory and database as root instead of vagrant user. |
The |
I think you're right that it's being created as root when it doesn't exist. The weird thing is that it shouldn't be created. There must be something in the code that blindly checks whether a user passed in via I'll check into the creation process and get back to you with what I find. |
Thanks |
I would think passing the user to __create and setting the permissions here would be enough to fix it: Reading the following, I would assume you could create a tcc db for a user: |
I'm still working on this. I wasn't able to get to it as much as I would have liked yesterday. Your proposed solution is the same thing I came up with after looking through the available options, so I think that's the way I'm going to take this. I'll update this issue when I've made more progress. |
@pdarragh That would be hard for me to do since it builds the url in the cookbook: https://github.com/dhoer/chef-privacy_services_manager/blob/master/recipes/default.rb#L5-L6 |
Sorry, forgot this would auto-close when I merged branches. Please let me know how the update goes. I changed how administrative override works, but it shouldn't break anything with your current cookbooks. I do recommend changing |
That didn't fix the issue. The user's Application Support directory is still root. This causes Firefox startup to fail because profile cannot be loaded. Also, if the --no-check-bin flag is set, does that mean the management tools dependency is no longer needed? |
One more thing, the group is admin instead of staff. |
I'm not seeing the same thing in my environment. I'm creating a brand-new user, who has never logged in (the username is
I then ran Privacy Services Manager:
After running this, when I check the contents of
and:
So in my vanilla setup, everything seems to work as expected. The username is set correctly on both
I'm not really sure what's going on here, but my guess is that it's something specific in your environment. I'm happy to try to help you troubleshoot it further, because I want for this to be working correctly for you, but I don't know how to duplicate your issue in my environment. Any ideas? |
When I run it, it creates the following directory/file permissions:
I'm not sure why there is a difference. To run the cookbook by itself you will need VMware Fusion, Vagrant, and ChefDK. Which is a little much to run the test case. But if you are up for it, then once these are installed, do the following:
Kitchen test will create the mac and will run privacy_services_manager. If it provisioned successfully, then it will run serverspec tests to verify the directory user permissions. |
From re-reading your comment, it looks like the Application Support directory is already there. That does not seem to be the case for me, so the py script must be creating it for me. |
I used Tim Sutton's packer template to create the mac image: |
I forgot you would need the HashiCorp VMware Fusion provider plugin, which costs money, in order to run kitchen test. Can you try deleting the Application Support directory before running psm and see if that duplicates the issue? |
@dhoer I will try this when I'm back tomorrow morning, or earlier if I'm able to get to it. Sorry for the trouble! That's odd you don't have an Application Support directory, though... in vanilla OS X it's a default directory for a user to have. I will probably have to implement a more involved fix where PSM manually generates each missing directory and keeps track of them to fix permissions later... If only |
...huh. I assumed the Application Support directory to exist, because it's part of OS X's system specifications that it should exist for any user account at any time. It's considered a "key directory", as per this document, and is created by the system by default when a new user is created.
I'll rewrite that portion of the script to handle such cases more gracefully, but I think maybe @timsutton should also look into ensuring the directory exists appropriately in his VM templates. I'd advise you to maybe open a ticket on his project for it so he can keep track of the request? (I've @mentioned him here so he can see where you're coming from.)
As for the issue with the group ID, there's not terribly much I can do about that. To see the group ID I'm getting, open up a
>>> from pwd import getpwnam
>>> getpwnam('username').pw_gid
This gets the same information as the following system call:
So the issue is that your It's curious to me that your user's own directory belongs to a group other than their primary. This may be another issue with the VM templates, or else possibly an error in your configuration of those templates (hard for me to say without being a user of those templates myself). |
@pdarragh @timsutton I took a look at this last night and
So I'm not sure why it is getting overwritten by psm with |
I think you need to cd to path /Library/Application Support for root or /Users/{}/Library/Application Support for user e.g. |
Let me just be sure we're on the same page with all the info:
Is this all correct? It doesn't make any sense that you're seeing all of these permissions changes from PSM.
Changing directory within the Python instance will not change how the directories are created, if that's what you're suggesting. The issue is that the Python process is owned by
The username/groupid have to be taken outside of that if statement because they're used again after the |
One and two are both correct. I don't understand python syntax that well, but it seems that before the call to |
Ohh, gotcha. I wish the issue were so simple.
Open a terminal and do
According to the information you've given, your I'm also totally at a loss for how your My plan is to write a version of |
Ahh. Thanks for the explanation. Horrible naming of that module. I will have to verify that the primary group of vagrant user is admin. |
Rewrote the path creation system for #37. This system progressively generates directories and then modifies their ownership permissions immediately if it’s created in a user’s local Library directory. If the Library directory doesn’t exist, there is an error. Hopefully this works better.
I rewrote the path-creation algorithm with 1.7.2. Give it a try when you've got a chance and let's see if it handles anything better. Fingers crossed. |
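The approach described in the comment above (create each missing directory and fix its ownership immediately, erroring out if Library is absent), written out as an added example that is not Privacy Services Manager's own code. The names `ids_for` and `ensure_user_path`, the 0o700 mode and the sample path are assumptions made for this illustration.

```python
import os
import pwd


def ids_for(username):
    """Return (uid, primary gid) for username, as getpwnam reports them."""
    entry = pwd.getpwnam(username)
    return entry.pw_uid, entry.pw_gid


def ensure_user_path(library, relative, uid, gid, chown=os.lchown):
    """Create missing directories of library/relative, chowning each new one.

    Directories that already exist are left untouched. Returns the list of
    directories this call created. `chown` is injectable so the logic can be
    exercised without root; the default does not follow symlinks.
    """
    if not os.path.isdir(library):
        # As in the comment above: a missing Library directory is an error.
        raise FileNotFoundError("Library directory does not exist: " + library)
    created = []
    current = library
    for part in os.path.normpath(relative).split(os.sep):
        if part in ("", ".", ".."):
            raise ValueError("relative path must stay inside Library")
        current = os.path.join(current, part)
        try:
            os.mkdir(current, 0o700)   # fails if anything already sits here
        except FileExistsError:
            if not os.path.isdir(current) or os.path.islink(current):
                raise NotADirectoryError(current)
            continue                   # pre-existing directory: keep its owner
        chown(current, uid, gid)       # fix ownership before going deeper
        created.append(current)
    return created


if __name__ == "__main__":
    import tempfile
    home = tempfile.mkdtemp()          # constructed stand-in for a user home
    lib = os.path.join(home, "Library")
    os.mkdir(lib)
    made = ensure_user_path(lib, "Application Support/com.apple.TCC",
                            os.getuid(), os.getgid())
    for d in made:
        print(d, os.stat(d).st_uid, os.stat(d).st_gid)
```

When run as root for a real account, the `uid` and `gid` arguments would come from `ids_for(username)`, so the new directories get the user's primary group rather than the group of the calling process.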
Thanks, I will try it out this weekend. |
@pdarragh Looks good, thanks for taking the time to get this fixed. |
Woohoo! Glad to hear that it's finally resolved. Thanks for being patient with me while I got it worked out, and just let me know if you find anything else that needs to be changed! |
When provisioning Mac OS X 10.10 for the first time with privacy_services_manager, the Application Support directory gets set with root permissions. This happens only if a user hasn't logged in. If the user logged in before calling privacy_services_manager, then it preserves the directory and its permissions.
Here are the Application Support permissions without privacy_services_manager called:
Here are the contents of Application Support directory without privacy services manager called:
Here are the Application Support permissions with privacy_services_manager called:
Here are the contents of Application Support directory with privacy services manager called.