authorJacob Helwig <jacob@puppetlabs.com>2011-08-17 11:41:26 -0700
committerJacob Helwig <jacob@puppetlabs.com>2011-08-17 11:41:26 -0700
commit3a3a5100305a5334397c350f4e8e42a7f9b7e3f6 (patch)
tree8099f52b80cb371b5dd01840345b1bd3d3ac264a /lib
parent020c47645c7d882b1eac5150fd47227806af8aed (diff)
parente4bb85af3216473e82a263f41c39c34489940276 (diff)
downloadpuppet-3a3a5100305a5334397c350f4e8e42a7f9b7e3f6.tar.gz
puppet-3a3a5100305a5334397c350f4e8e42a7f9b7e3f6.tar.xz
puppet-3a3a5100305a5334397c350f4e8e42a7f9b7e3f6.zip
Merge branch '2.6.x' into 2.7.x
* 2.6.x: Reset indirector state after configurer tests. (#8770) Don't fail to set supplementary groups when changing user to root (#8770) Always fully drop privileges when changing user (#8662) Migrate suidmanager test case to rspec (#8740) Do not enumerate files in the root directory. (#3553) Explain that cron resources require time attributes Conflicts: lib/puppet/application/resource.rb test/puppet/tc_suidmanager.rb
Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/application/resource.rb3
-rwxr-xr-xlib/puppet/type/cron.rb25
-rw-r--r--lib/puppet/type/file.rb4
-rw-r--r--lib/puppet/util.rb56
-rw-r--r--lib/puppet/util/suidmanager.rb62
5 files changed, 82 insertions, 68 deletions
diff --git a/lib/puppet/application/resource.rb b/lib/puppet/application/resource.rb
index 6ef87d68f..76d0fada8 100644
--- a/lib/puppet/application/resource.rb
+++ b/lib/puppet/application/resource.rb
@@ -183,6 +183,9 @@ Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License
[ Puppet::Resource.indirection.save(Puppet::Resource.new( type, name, :parameters => params ), key) ]
end
else
+ if type == "file"
+ raise "Listing all file instances is not supported. Please specify a file or directory, e.g. puppet resource file /etc"
+ end
Puppet::Resource.indirection.search( key, {} )
end.map(&format).join("\n")
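Review bot: The new guard compares `type == "file"` exactly, so it only fires if `type` has already been normalised to a lower-case string; its assignment is outside this hunk, so that is worth confirming. If a value such as `File` can reach this branch, the explicit error is skipped and the request falls through to `search`. Comparing on a normalised form, e.g. `if type.to_s.downcase == "file"`, would keep the message consistent. The bare `raise "..."` also produces a RuntimeError; a specific error class would be easier for callers to handle. The enclosing method starts and ends outside the hunk.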
diff --git a/lib/puppet/type/cron.rb b/lib/puppet/type/cron.rb
index 5083ca556..6e9caa75b 100755
--- a/lib/puppet/type/cron.rb
+++ b/lib/puppet/type/cron.rb
@@ -3,11 +3,12 @@ require 'facter'
require 'puppet/util/filetype'
Puppet::Type.newtype(:cron) do
- @doc = "Installs and manages cron jobs. All fields except the command
- and the user are optional, although specifying no periodic
- fields would result in the command being executed every
- minute. While the name of the cron job is not part of the actual
- job, it is used by Puppet to store and retrieve it.
+ @doc = <<-EOT
+ Installs and manages cron jobs. Every cron resource requires a command
+ and user attribute, as well as at least one periodic attribute (hour,
+ minute, month, monthday, weekday, or special). While the name of the cron
+ job is not part of the actual job, it is used by Puppet to store and
+ retrieve it.
If you specify a cron job that matches an existing job in every way
except name, then the jobs will be considered equivalent and the
@@ -18,30 +19,30 @@ Puppet::Type.newtype(:cron) do
Example:
cron { logrotate:
- command => \"/usr/sbin/logrotate\",
+ command => "/usr/sbin/logrotate",
user => root,
hour => 2,
minute => 0
}
- Note that all cron values can be specified as an array of values:
+ Note that all periodic attributes can be specified as an array of values:
cron { logrotate:
- command => \"/usr/sbin/logrotate\",
+ command => "/usr/sbin/logrotate",
user => root,
hour => [2, 4]
}
- Or using ranges, or the step syntax `*/2` (although there's no guarantee that
- your `cron` daemon supports it):
+ ...or using ranges or the step syntax `*/2` (although there's no guarantee
+ that your `cron` daemon supports these):
cron { logrotate:
- command => \"/usr/sbin/logrotate\",
+ command => "/usr/sbin/logrotate",
user => root,
hour => ['2-4'],
minute => '*/10'
}
- "
+ EOT
ensurable
# A base class for all of the Cron parameters, since they all have
diff --git a/lib/puppet/type/file.rb b/lib/puppet/type/file.rb
index 72e9a9495..5215be621 100644
--- a/lib/puppet/type/file.rb
+++ b/lib/puppet/type/file.rb
@@ -316,8 +316,8 @@ Puppet::Type.newtype(:file) do
super(path.gsub(/\/+/, '/').sub(/\/$/, ''))
end
- def self.instances(base = '/')
- return self.new(:name => base, :recurse => true, :recurselimit => 1, :audit => :all).recurse_local.values
+ def self.instances
+ return []
end
# Determine the user to write files as.
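Review bot: `self.instances` now returns an empty list with no comment saying why, which reads like a stub to the next maintainer. A short comment above the method, e.g. `# Enumerating every file on the system is not supported; callers must name a path.`, would record the intent. The explicit `return` is also unnecessary; `[]` as the last expression is the idiomatic form.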
diff --git a/lib/puppet/util.rb b/lib/puppet/util.rb
index ff09221a2..ecedb25a6 100644
--- a/lib/puppet/util.rb
+++ b/lib/puppet/util.rb
@@ -47,35 +47,24 @@ module Util
# Change the process to a different user
def self.chuser
if group = Puppet[:group]
- group = self.gid(group)
- raise Puppet::Error, "No such group #{Puppet[:group]}" unless group
- unless Puppet::Util::SUIDManager.gid == group
- begin
- Puppet::Util::SUIDManager.egid = group
- Puppet::Util::SUIDManager.gid = group
- rescue => detail
- Puppet.warning "could not change to group #{group.inspect}: #{detail}"
- $stderr.puts "could not change to group #{group.inspect}"
-
- # Don't exit on failed group changes, since it's
- # not fatal
- #exit(74)
- end
+ begin
+ Puppet::Util::SUIDManager.change_group(group, true)
+ rescue => detail
+ Puppet.warning "could not change to group #{group.inspect}: #{detail}"
+ $stderr.puts "could not change to group #{group.inspect}"
+
+ # Don't exit on failed group changes, since it's
+ # not fatal
+ #exit(74)
end
end
if user = Puppet[:user]
- user = self.uid(user)
- raise Puppet::Error, "No such user #{Puppet[:user]}" unless user
- unless Puppet::Util::SUIDManager.uid == user
- begin
- Puppet::Util::SUIDManager.initgroups(user)
- Puppet::Util::SUIDManager.uid = user
- Puppet::Util::SUIDManager.euid = user
- rescue => detail
- $stderr.puts "Could not change to user #{user}: #{detail}"
- exit(74)
- end
+ begin
+ Puppet::Util::SUIDManager.change_user(user, true)
+ rescue => detail
+ $stderr.puts "Could not change to user #{user}: #{detail}"
+ exit(74)
end
end
end
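Review bot: An unknown `Puppet[:group]` is no longer fatal in `chuser`. The old code raised `Puppet::Error, "No such group ..."` before entering the `begin`, but the lookup now happens inside `change_group`, so (assuming `Puppet::Error` descends from `StandardError`) that error is caught by `rescue => detail` and reduced to a warning, and the process carries on to the user change with its original group. If only a failed system call was meant to be tolerated, re-raise the lookup failure ahead of the generic handler: `rescue Puppet::Error` / `raise`, then `rescue => detail`. The user branch is unaffected because its handler still exits with 74.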
@@ -90,18 +79,14 @@ module Util
if useself
Puppet::Util::Log.create(
-
:level => level,
:source => self,
-
:message => args
)
else
Puppet::Util::Log.create(
-
:level => level,
-
:message => args
)
end
@@ -262,9 +247,6 @@ module Util
Puppet.debug "Executing '#{str}'"
end
- arguments[:uid] = Puppet::Util::SUIDManager.convert_xid(:uid, arguments[:uid]) if arguments[:uid]
- arguments[:gid] = Puppet::Util::SUIDManager.convert_xid(:gid, arguments[:gid]) if arguments[:gid]
-
if execution_stub = Puppet::Util::ExecutionStub.current_value
return execution_stub.call(command, arguments)
end
@@ -306,14 +288,8 @@ module Util
$stderr.reopen(error_file)
3.upto(256){|fd| IO::new(fd).close rescue nil}
- if arguments[:gid]
- Process.egid = arguments[:gid]
- Process.gid = arguments[:gid] unless @@os == "Darwin"
- end
- if arguments[:uid]
- Process.euid = arguments[:uid]
- Process.uid = arguments[:uid] unless @@os == "Darwin"
- end
+ Puppet::Util::SUIDManager.change_group(arguments[:gid], true) if arguments[:gid]
+ Puppet::Util::SUIDManager.change_user(arguments[:uid], true) if arguments[:uid]
ENV['LANG'] = ENV['LC_ALL'] = ENV['LC_MESSAGES'] = ENV['LANGUAGE'] = 'C'
if command.is_a?(Array)
Kernel.exec(*command)
diff --git a/lib/puppet/util/suidmanager.rb b/lib/puppet/util/suidmanager.rb
index 6633de002..697bce111 100644
--- a/lib/puppet/util/suidmanager.rb
+++ b/lib/puppet/util/suidmanager.rb
@@ -36,12 +36,6 @@ module Puppet::Util::SUIDManager
end
module_function :groups=
- if Facter['kernel'].value == 'Darwin'
- # Cannot change real UID on Darwin so we set euid
- alias :uid :euid
- alias :gid :egid
- end
-
def self.root?
Process.uid == 0
end
@@ -50,23 +44,63 @@ module Puppet::Util::SUIDManager
def asuser(new_uid=nil, new_gid=nil)
return yield if Puppet.features.microsoft_windows? or !root?
- # We set both because some programs like to drop privs, i.e. bash.
- old_uid, old_gid = self.uid, self.gid
old_euid, old_egid = self.euid, self.egid
- old_groups = self.groups
begin
- self.egid = convert_xid :gid, new_gid if new_gid
- self.initgroups(convert_xid(:uid, new_uid)) if new_uid
- self.euid = convert_xid :uid, new_uid if new_uid
+ change_group(new_gid) if new_gid
+ change_user(new_uid) if new_uid
yield
ensure
- self.euid, self.egid = old_euid, old_egid
- self.groups = old_groups
+ change_group(old_egid)
+ change_user(old_euid)
end
end
module_function :asuser
+ def change_group(group, permanently=false)
+ gid = convert_xid(:gid, group)
+ raise Puppet::Error, "No such group #{group}" unless gid
+
+ if permanently
+ begin
+ Process::GID.change_privilege(gid)
+ rescue NotImplementedError
+ Process.egid = gid
+ Process.gid = gid
+ end
+ else
+ Process.egid = gid
+ end
+ end
+ module_function :change_group
+
+ def change_user(user, permanently=false)
+ uid = convert_xid(:uid, user)
+ raise Puppet::Error, "No such user #{user}" unless uid
+
+ if permanently
+ begin
+ Process::UID.change_privilege(uid)
+ rescue NotImplementedError
+ # If changing uid, we must be root. So initgroups first here.
+ initgroups(uid)
+ Process.euid = uid
+ Process.uid = uid
+ end
+ else
+ # If we're already root, initgroups before changing euid. If we're not,
+ # change euid (to root) first.
+ if Process.euid == 0
+ initgroups(uid)
+ Process.euid = uid
+ else
+ Process.euid = uid
+ initgroups(uid)
+ end
+ end
+ end
+ module_function :change_user
+
# Make sure the passed argument is a number.
def convert_xid(type, id)
map = {:gid => :group, :uid => :user}
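Review bot: In `change_user`, the permanent path calls `initgroups(uid)` only in the `NotImplementedError` fallback. Where `Process::UID.change_privilege` is implemented, it changes the user IDs only (as far as I know it does not touch the supplementary group list), so a permanent switch appears to leave the caller's supplementary groups in place. This matters for `Puppet::Util.chuser`, whose explicit `initgroups(user)` call is removed in the util.rb hunk of this commit, and for the exec child path that now calls `change_user(arguments[:uid], true)`. Calling `initgroups(uid)` immediately before `Process::UID.change_privilege(uid)` inside the `begin` would cover both paths, since a permanent change requires root anyway. `convert_xid` and `initgroups` are defined outside this hunk, so their behaviour is assumed.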