puppet-archive
archive does not enforce ``owner:group``
Affected Puppet, Ruby, OS and module versions/distributions
```
root@pe-server-8ccea3-0 usage (development)$ puppet --version
7.20.0
root@pe-server-8ccea3-0 usage (development)$ cat Puppetfile
# This Puppetfile is managed by Bolt. Do not edit.
# For more information, see https://pup.pt/bolt-modules
# The following directive installs modules to the managed moduledir.
moduledir '.modules'
mod 'puppet/archive', '6.1.2'
mod 'puppetlabs/stdlib', '8.6.0'
```
How to reproduce (e.g. Puppet code you use)
Download an archive and configure `user => 'user'` and `group => 'user'` to configure ownership.
What are you seeing
The actual owner of the archive is root:root (in my case).
What behaviour did you expect instead
I expected the archive to be owned by user:user
Replication Steps
```puppet
# @summary Download a jar without extraction
# @param targets The targets to run on.
plan usage::no_extract_no_cleanup (
  TargetSpec $targets = 'localhost'
) {
  $targets.apply_prep()
  $user  = 'user'
  $group = 'user'
  apply($targets) {
    include 'archive'
    # download a JAR without any extraction
    file { '/tmp/archive':
      ensure => directory,
      owner  => $user,
      group  => $group,
    }
    archive { '/tmp/archive/dd-java-agent-1.14.0.jar':
      ensure  => present,
      source  => 'https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/1.14.0/dd-java-agent-1.14.0.jar',
      extract => false,
      cleanup => false,
      user    => $user,
      group   => $group,
      require => File['/tmp/archive'],
    }
  }
}
```
but will not enforce the `$user:$group`; it's owned by root:root and not user:user
```
root@pe-server-8ccea3-0 usage (development)$ namei -nom /tmp/archive/dd-java-agent-1.14.0.jar
f: /tmp/archive/dd-java-agent-1.14.0.jar
 dr-xr-xr-x root root /
 drwxrwxrwt root root tmp
 drwxr-xr-x user user archive
 -rw-r--r-- root root dd-java-agent-1.14.0.jar
root@pe-server-8ccea3-0 usage (development)$
```
However, if I add the following after the archive

```puppet
    file { '/tmp/archive/dd-java-agent-1.14.0.jar':
      ensure  => file,
      owner   => $user,
      group   => $group,
      require => Archive['/tmp/archive/dd-java-agent-1.14.0.jar'],
    }
  }
```
then the expected ownership is enforced
```
root@pe-server-8ccea3-0 usage (development)$ namei -nom /tmp/archive/dd-java-agent-1.14.0.jar
f: /tmp/archive/dd-java-agent-1.14.0.jar
 dr-xr-xr-x root root /
 drwxrwxrwt root root tmp
 drwxr-xr-x user user archive
 -rw-r--r-- user user dd-java-agent-1.14.0.jar
root@pe-server-8ccea3-0 usage (development)$
```
From my cursory review of the code it seems that the intention is to simply give read rights on the archive, and the important part is that the extracted directory belongs to the specified user.
Hello,
The user and group attributes of the archive resource do not configure permissions on the archive file. Using a file resource to set the permissions on the archive, as you've mentioned, would be the proper resolution. Please see https://github.com/voxpupuli/puppet-archive?tab=readme-ov-file#reference, specifically:
> user: extract command user (using this option will configure the archive file permission to 0644 so the user can read the file).
> group: extract command group (using this option will configure the archive file permission to 0644 so the user can read the file).
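The pattern the maintainer describes (let `archive` do the download, let a `file` resource own the result), generalised into a reusable wrapper. This is an added example and not code from the puppet-archive module or from the issue; the defined type name `managed_download` and its parameters are assumptions. It relies on `Stdlib::Absolutepath` from puppetlabs/stdlib, which the Puppetfile above already pins.

```puppet
# Added example, not part of puppet-archive: download an artifact without
# extraction and enforce owner, group and mode on the downloaded file.
# archive's own user/group parameters only govern the extract command and
# set the file to 0644; they do not manage ownership, so a File resource on
# the same path is what actually enforces (and re-enforces on drift) the
# intended owner:group.
define managed_download (
  String[1]                  $source,
  String[1]                  $owner,
  String[1]                  $group,
  Pattern[/\A[0-7]{3,4}\z/]  $mode = '0644',
  Stdlib::Absolutepath       $path = $title,
) {
  include archive

  # Download only; no extraction, keep the file in place.
  archive { $path:
    ensure  => present,
    source  => $source,
    extract => false,
    cleanup => false,
  }

  # Ownership and mode live here, ordered after the download so the first
  # run chowns the freshly written file and later runs correct any drift.
  file { $path:
    ensure  => file,
    owner   => $owner,
    group   => $group,
    mode    => $mode,
    require => Archive[$path],
  }
}

# Usage (hypothetical values mirroring the issue): same target path as
# the reproduction above, but owned by user:user and readable only by them.
file { '/tmp/archive':
  ensure => directory,
  owner  => 'user',
  group  => 'user',
}

managed_download { '/tmp/archive/dd-java-agent-1.14.0.jar':
  source  => 'https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/1.14.0/dd-java-agent-1.14.0.jar',
  owner   => 'user',
  group   => 'user',
  mode    => '0640',
  require => File['/tmp/archive'],
}
```

Because `Archive[$path]` and `File[$path]` are different resource types, managing the same path in both is legal, which is exactly what the reporter's fix above does. Leaving `user`/`group` off the `archive` resource avoids its implicit 0644 chmod, so the `mode` set on the `file` resource is the only one applied; checking the result with `namei -nom` as in the issue should then show the requested owner and group on the jar.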