How to disable some fix ? #383

Closed
PierreR opened this issue Jan 23, 2015 · 4 comments

Comments


PierreR commented Jan 23, 2015

Is there a way to disable some fixes (the same way we disable checks)?

For instance I don't really see the point of this fix:

> Converting 3 digit octal file modes into 4 digit modes.

Does `puppet-lint --fix` take into account the `--no-file_mode-check`?

As a final note, ideally I would like to keep the file_mode check but only disable the "mode should be represented as a 4 digit octal value or symbolic mode" check because I don't see the point of it right now. It looks like the puppetlabs code examples generally don't touch the suid bit.

@ghoneycutt
Contributor

The point of that check is that if you only describe the mode with three digits, you are not fully describing a file, which has four digits. Puppet will only manage those three digits and not the fourth, which leads to configuration drift and likely security issues. Since we are defining state, we want to define the entire state of a given mode, not just the part that you might be familiar with.

http://en.wikipedia.org/wiki/File_system_permissions#Changing_permission_behavior_with_setuid.2C_setgid.2C_and_sticky_bits
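
The concern in the comment above, as an added Ruby example (not part of the original thread, and not code from Puppet or puppet-lint). It assumes, as the comment states, that a three-digit mode declares only the rwx bits; the names `parse_declared`, `special_bits` and `audit` are hypothetical and the on-disk mode is a constructed sample.

```ruby
# Added illustration; does not model Puppet's file provider.
# The leading octal digit of a four-digit mode carries these bits.
SPECIAL_BITS = { 0o4000 => :setuid, 0o2000 => :setgid, 0o1000 => :sticky }.freeze

# Parse a declared octal mode string into [bits, mask].
# Assumption: a three-digit mode pins down only the rwx bits (mask 0777),
# while a four-digit mode pins down all twelve bits (mask 7777).
def parse_declared(mode)
  raise ArgumentError, "not an octal mode: #{mode.inspect}" unless mode.match?(/\A[0-7]{3,4}\z/)
  [mode.to_i(8), mode.length == 4 ? 0o7777 : 0o0777]
end

# Names of the special bits that are set in an on-disk mode.
def special_bits(actual)
  SPECIAL_BITS.select { |bit, _name| (actual & bit) != 0 }.values
end

# Compare an on-disk mode (e.g. File.stat(path).mode) with a declaration.
# :in_sync looks only at the bits the declaration covers;
# :unmanaged_special lists special bits the declaration says nothing about.
def audit(declared, actual)
  want, mask = parse_declared(declared)
  actual &= 0o7777 # drop the file-type bits that stat reports
  { in_sync: (actual & mask) == want,
    unmanaged_special: mask == 0o7777 ? [] : special_bits(actual) }
end

if __FILE__ == $PROGRAM_NAME
  on_disk = 0o4755 # constructed sample: rwxr-xr-x with setuid set
  %w[755 0755].each { |d| puts "#{d}: #{audit(d, on_disk)}" }
end
```

Under that assumption, the three-digit declaration reports the file as in sync while the setuid bit goes unnoticed; the four-digit one reports the mismatch.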

Author

PierreR commented Jan 23, 2015

My understanding was that Puppet will add the extra 0 anyway. So 764 for instance will become 0764, which I thought meant Puppet is not doing anything fancy with the sticky bit (which seems a good default case).

> Puppet will only manage those three digits and not the fourth which leads to configuration drift and likely security issues.

@ghoneycutt Can you confirm that my assumption is wrong? My Ruby is rusty and I cannot really figure it out looking at the source:
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/file/posix.rb#L119-L135

Owner

rodjek commented Jan 24, 2015

@PierreR while I agree with @ghoneycutt here that you should put the leading 0 in your file modes rather than relying on the internal behaviour of Puppet (because being explicit leads to fewer surprises), you can just disable that check if you don't want puppet-lint to warn on it (which will also skip automatically fixing it when run with --fix). Details on how to do this are available in the README.

rodjek closed this as completed Jan 24, 2015

Author

PierreR commented Jan 24, 2015

@rodjek Thanks for mentioning that disabling a check will also skip fixing. I guess I have missed this from the README.

Also I would have appreciated a more explicit answer. Is the --no-file_mode-check the only flag I can use? This will disable not only the warning I am talking about but other potentially useful checks about file_mode (like rejecting invalid mode).
