authorMarkus Roberts <Markus@reality.com>2010-04-28 15:39:39 -0700
committerJames Turnbull <james@lovedthanlost.net>2010-05-02 16:47:23 +1000
commitce233aa2a511bf6818f28c226144ec5b05a468ee (patch)
tree102ec5d463a268d90a067930d4b6f8c5446a7d7e /lib
parent6739bab16e3126ccba13f025a4b47d38f15c1f67 (diff)
Write ssh_authorized_keys as user
This is a targeted fix to the issue of permissions when writing ssh authorized key files by 1) requiring that an existing user be specified on the resource and 2) doing the write as that user. It's based on Michael DeHaan's initial implementation of Luke's idea, but with a number of simplifications (mostly by testing necessary conditions as early as possible so the code isn't cluttered up with a lot of checks).
Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/provider/ssh_authorized_key/parsed.rb38
1 files changed, 9 insertions, 29 deletions
diff --git a/lib/puppet/provider/ssh_authorized_key/parsed.rb b/lib/puppet/provider/ssh_authorized_key/parsed.rb
index b435c513c..fb4d0956e 100644
--- a/lib/puppet/provider/ssh_authorized_key/parsed.rb
+++ b/lib/puppet/provider/ssh_authorized_key/parsed.rb
@@ -62,36 +62,16 @@ Puppet::Type.type(:ssh_authorized_key).provide(:parsed,
end
def flush
- # As path expansion had to be moved in the provider, we cannot generate new file
- # resources and thus have to chown and chmod here. It smells hackish.
-
- # Create target's parent directory if nonexistant
- if target
- dir = File.dirname(target)
- if not File.exist? dir
- Puppet.debug("Creating directory %s which did not exist" % dir)
- Dir.mkdir(dir, dir_perm)
- end
- end
-
- # Generate the file
- super
-
- # Ensure correct permissions
- if target and user
- uid = Puppet::Util.uid(user)
-
- if uid
- File.chown(uid, nil, dir)
- File.chown(uid, nil, target)
- else
- raise Puppet::Error, "Specified user does not exist"
- end
- end
-
- if target
- File.chmod(file_perm, target)
+ raise Puppet::Error, "Cannot write SSH authorized keys without user" unless user
+ raise Puppet::Error, "User '#{user}' does not exist" unless uid = Puppet::Util.uid(user)
+ unless File.exist?(dir = File.dirname(target))
+ Puppet.debug "Creating #{dir}"
+ Dir.mkdir(dir, dir_perm)
+ File.chown(uid, nil, dir)
end
+ Puppet::Util::SUIDManager.asuser(user) { super }
+ File.chown(uid, nil, target)
+ File.chmod(file_perm, target)
end
# parse sshv2 option strings, wich is a comma separated list of