From 2091cbeade9d69a18689609f407f9d7f0304dc04 Mon Sep 17 00:00:00 2001 From: Josh Cooper Date: Wed, 17 Aug 2011 17:08:38 -0700 Subject: maint: Fix build break due to recent merge from 2.7.x to master The resource_spec was failing because /etc is not considered a fully-qualified path on Windows. Using File.expand_path fixes that. The suidmanager_spec was failing because we weren't stubbing the microsoft_windows feature, so SUIDManager.asuser was a no-op when running as root, and our expectations weren't being met. (cherry picked from commit af87f32a016a5ed48353f516f9558f95c54c50b4) --- spec/unit/util/suidmanager_spec.rb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'spec/unit/util/suidmanager_spec.rb') diff --git a/spec/unit/util/suidmanager_spec.rb b/spec/unit/util/suidmanager_spec.rb index fc70e1718..abfe3f723 100755 --- a/spec/unit/util/suidmanager_spec.rb +++ b/spec/unit/util/suidmanager_spec.rb @@ -33,6 +33,7 @@ describe Puppet::Util::SUIDManager do describe "#asuser" do it "should set euid/egid when root" do Process.stubs(:uid).returns(0) + Puppet.features.stubs(:microsoft_windows?).returns(false) Process.stubs(:egid).returns(51) Process.stubs(:euid).returns(50) @@ -168,6 +169,8 @@ describe Puppet::Util::SUIDManager do describe "with #system" do it "should set euid/egid when root" do Process.stubs(:uid).returns(0) + Puppet.features.stubs(:microsoft_windows?).returns(false) + Process.stubs(:egid).returns(51) Process.stubs(:euid).returns(50) -- cgit From 2ac87905708ddbc44d212e10e34d72cad09e3271 Mon Sep 17 00:00:00 2001 From: Josh Cooper Date: Thu, 18 Aug 2011 10:34:18 -0700 Subject: (#8662) Fix Puppet.features.root? on Windows This commit changes Puppet::Util::SUIDManager.root? (and Puppet.features.root?) to only return true if the user is running with elevated privileges (granted via UAC). If this check fails because elevated privileges are not supported, e.g. pre-Vista, then we fall back to checking if the user is a member of the builtin Administrators group. This means if you are logged in as Administrator on 2008, Puppet.features.root? will return false, unless you are explicitly running puppet as an administrator, e.g. runas /user:Administrator "puppet apply manifest.pp" This commit also adds tests to ensure SUIDManager.asuser is a no-op on Windows, since Windows does not (easily) support switching user contexts without providing a password. --- spec/unit/util/suidmanager_spec.rb | 89 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) (limited to 'spec/unit/util/suidmanager_spec.rb') diff --git a/spec/unit/util/suidmanager_spec.rb b/spec/unit/util/suidmanager_spec.rb index abfe3f723..474d0b2a2 100755 --- a/spec/unit/util/suidmanager_spec.rb +++ b/spec/unit/util/suidmanager_spec.rb @@ -66,6 +66,14 @@ describe Puppet::Util::SUIDManager do xids.should be_empty end + + it "should not get or set euid/egid on Windows" do + Puppet.features.stubs(:microsoft_windows?).returns true + + Puppet::Util::SUIDManager.asuser(user[:uid], user[:gid]) {} + + xids.should be_empty + end end describe "#change_group" do @@ -195,6 +203,15 @@ describe Puppet::Util::SUIDManager do xids.should be_empty end + + it "should not get or set euid/egid on Windows" do + Puppet.features.stubs(:microsoft_windows?).returns true + Kernel.expects(:system).with('blah') + + Puppet::Util::SUIDManager.system('blah', user[:uid], user[:gid]) + + xids.should be_empty + end end describe "with #run_and_capture" do @@ -210,4 +227,76 @@ describe Puppet::Util::SUIDManager do end end end + + describe "#root?" do + describe "on POSIX systems" do + before :each do + Puppet.features.stubs(:posix?).returns(true) + Puppet.features.stubs(:microsoft_windows?).returns(false) + end + + it "should be root if uid is 0" do + Process.stubs(:uid).returns(0) + + Puppet::Util::SUIDManager.should be_root + end + + it "should not be root if uid is not 0" do + Process.stubs(:uid).returns(1) + + Puppet::Util::SUIDManager.should_not be_root + end + end + + describe "on Microsoft Windows", :if => Puppet.features.microsoft_windows? do + describe "2003 without UAC" do + it "should be root if user is a member of the Administrators group" do + Win32::Security.stubs(:elevated_security?).raises(Win32::Security::Error, "Incorrect function.") + Sys::Admin.stubs(:get_login).returns("Administrator") + Sys::Group.stubs(:members).returns(%w[Administrator]) + + Puppet::Util::SUIDManager.should be_root + end + + it "should not be root if the process is running as Guest" do + Win32::Security.stubs(:elevated_security?).raises(Win32::Security::Error, "Incorrect function.") + Sys::Admin.stubs(:get_login).returns("Guest") + Sys::Group.stubs(:members).returns([]) + + Puppet::Util::SUIDManager.should_not be_root + end + + it "should raise an exception if the process fails to open the process token" do + Win32::Security.stubs(:elevated_security?).raises(Win32::Security::Error, "Access denied.") + Sys::Admin.stubs(:get_login).returns("Administrator") + Sys::Group.expects(:members).never + + lambda { Puppet::Util::SUIDManager.should raise_error(Win32::Security::Error, /Access denied./) } + end + end + + describe "2008 with UAC" do + it "should be root if user is running with elevated privileges" do + Win32::Security.stubs(:elevated_security?).returns(true) + Sys::Admin.expects(:get_login).never + + Puppet::Util::SUIDManager.should be_root + end + + it "should not be root if user is not running with elevated privileges" do + Win32::Security.stubs(:elevated_security?).returns(false) + Sys::Admin.expects(:get_login).never + + Puppet::Util::SUIDManager.should_not be_root + end + + it "should raise an exception if the process fails to open the process token" do + Win32::Security.stubs(:elevated_security?).raises(Win32::Security::Error, "Access denied.") + Sys::Admin.expects(:get_login).never + + lambda { Puppet::Util::SUIDManager.should raise_error(Win32::Security::Error, /Access denied./) } + end + end + end + end end -- cgit