Issue #488
closed
Foreman is unable to read puppet modules when permissions in tarfile are 700/600
Description
Description of problem:
Some of my puppet modules were created on a system with a umask of 0077 so all of the files have perms of 0700/0600. When pulp preserves the permissions from the tarfile, these are only readable by the apache user. This prevents the foreman and puppet users from being able to read the files.
Version-Release number of selected component (if applicable):
pulp-server-2.4.0-0.29.beta.el6.noarch
How reproducible:
Steps to Reproduce:
1. Create puppet module from directory that has no group or world permissions.
2. Add module to your puppet repository in katello.
3. Publish module to content view.
4. Look at the permissions of the module and see that the directory is only readable by apache.
Actual results:
Expected results:
The foreman and puppet user need to be able to read these files. If they are group and user owned by apache, these files need to be world readable as puppet/foreman are not in the apache group, but if they are group owned by puppet, they only need to be group readable.
Additional info:
+ This bug was cloned from Bugzilla Bug #1128270 +
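As an added example (not part of the original ticket and not Pulp's or Katello's code): a pre-upload check that lists the members of a module tarball whose packaged mode lacks group or world read, which is the condition this issue describes. The function names and the sample module built in memory are constructed for illustration.

```python
import io
import stat
import tarfile


def unreadable_members(fileobj, need=stat.S_IRGRP | stat.S_IROTH):
    """Return (name, mode) for each file/dir missing any of the `need` read bits.

    Directories must also carry the matching execute (search) bits,
    otherwise their contents cannot be reached even when readable.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() or member.isdir()):
                continue  # links and special files are out of scope here
            required = need
            if member.isdir():
                required |= need >> 2  # r-- implies --x is needed too
            perms = stat.S_IMODE(member.mode)
            if perms & required != required:
                findings.append((member.name, oct(perms)))
    return findings


def build_sample_module():
    """Constructed tarball mimicking a module packed under umask 0077."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entries = [
            ("example-mod", tarfile.DIRTYPE, 0o700, b""),
            ("example-mod/metadata.json", tarfile.REGTYPE, 0o600, b"{}"),
            ("example-mod/README.md", tarfile.REGTYPE, 0o644, b"ok"),
        ]
        for name, kind, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.size = kind, mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode in unreadable_members(build_sample_module()):
        print(f"{mode} {name}")
```

Passing `need=stat.S_IRGRP` checks group readability only, which matches the case where the installed files are group owned by a group the reading user belongs to.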
Updated by skarmark@redhat.com almost 10 years ago
We need a little more information about the steps to reproduce. Can you specify which specific puppet publisher you used in step 3? Also, which exact directory in step 4?
+ This comment was cloned from Bugzilla #1128270 comment 1 +
Updated by lfisher047@gmail.com almost 10 years ago
I'm not sure what you mean by puppet publisher. I'm using the katello-2.0-devel to publish the puppet modules.
The directory is /etc/puppet/environments/KT_ORG_Library_Baseline_2/modules.
+ This comment was cloned from Bugzilla #1128270 comment 2 +
Updated by mhrivnak almost 10 years ago
I believe this is the "install distributor" at work.
Have you tried installing these modules directly with the puppet tool, as in "$ puppet module install ..." ? How does puppet's own installation process treat the file permissions?
It's not clear to me what the "correct" behavior is for pulp in this case besides honoring the file permissions as they were packaged. Blindly making access more permissive seems risky, and potentially unexpected for most users.
Updated by jsherril@redhat.com almost 10 years ago
In the katello/satellite 6 world, both the puppet master and foreman-proxy need read access to those modules that are installed via the puppet install distributor.
Since puppet is running under apache (as well as pulp), we are somewhat guaranteed that the puppet master can read them, as pulp would write them as the apache user.
The foreman-proxy user however would not have read access if the permissions were not world readable. We've also had complaints about the fact that these modules are world readable (as being too open).
We might should get together and discuss possible solutions to this, but one I'm thinking of is:
1. Add the foreman-proxy user to the apache group
2. Provide some option in the puppet install distributor to allow the user to tell pulp what permission to set on the installed files.
Any thoughts on the above?
Updated by bmbouter almost 10 years ago
- Severity changed from Medium to 2. Medium
Updated by bmbouter over 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.