Puppet 4 on Red Hat Satellite 6 does not allow setting a permission of 2740 on a file or directory.
Environment
- Red Hat Satellite 6.x
- puppet-agent-1.10.9-1.el7sat.x86_64
Issue
- Puppet file type does not handle mode 2740 properly.
Resolution
- Puppet automatically changes the permission of a file/directory to "2750" if it is set to "2740".
- This is expected behavior: setting the permission to "2740" makes a file/directory non-executable, so Puppet corrects this by modifying the permission to "2750":
[root@satellite ~]# cat file.pp
file { '/tmp/test':
  ensure => 'directory',
  mode   => '2740',
}
[root@satellite ~]# puppet apply file.pp
Notice: Compiled catalog for satellite.redhat.com in environment production in 0.07 seconds
Notice: /Stage[main]/Main/File[/tmp/test]/mode: mode changed '2740' to '2750' <<===========
Notice: Applied catalog in 0.36 seconds
Root Cause
- The letter "s" denotes that the setgid bit is set. When an executable is setgid, it runs as the group that owns the executable file. The letter "s" replaces the letter "x". It is possible for a file to be setgid but not executable; this is denoted by "S", where the capital "S" alerts you that this setting is probably wrong, because the setgid bit is (almost always) useless if the file is not executable.
Diagnostic Steps
- With permission set to "2740":
[root@satellite ~]# ls -ld /tmp/test
drwxr-S--- 2 root root 6 Sep 25 22:15 /tmp/test <<=========== "/tmp/test" here is non-executable "drwxr-S---" (2740)
- With permission set to "2750":
[root@satellite ~]# ls -ld /tmp/test
drwxr-s--- 2 root root 6 Sep 25 22:15 /tmp/test <<=========== "/tmp/test" is now executable "drwxr-s---" (2750)
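The following is an added example, not part of the original article or of Puppet's code. It models the change shown above ('2740' applied as '2750') and generalizes it on the assumption that, for directories with numeric modes, the search bit is added wherever the read bit is set. It also scans a tree for the capital "S" case. All function names are hypothetical and the sample modes are constructed.

```python
import os
import stat
import sys

def effective_directory_mode(requested: str) -> str:
    """Model of the directory normalization seen on the page ('2740' -> '2750').
    Assumption: the search (x) bit is added to every class that has read."""
    mode = int(requested, 8)
    for read, search in ((stat.S_IRUSR, stat.S_IXUSR),
                         (stat.S_IRGRP, stat.S_IXGRP),
                         (stat.S_IROTH, stat.S_IXOTH)):
        if mode & read:
            mode |= search
    return format(mode, "04o")

def ls_string(octal_mode: str, directory: bool = True) -> str:
    """Render an octal mode the way `ls -l` prints it."""
    kind = stat.S_IFDIR if directory else stat.S_IFREG
    return stat.filemode(kind | int(octal_mode, 8))

def setgid_without_group_exec(st_mode: int) -> bool:
    """True for the capital-'S' case: setgid set, group execute/search clear."""
    return bool(st_mode & stat.S_ISGID) and not st_mode & stat.S_IXGRP

def scan(root: str):
    """Yield (path, ls-style mode) for every capital-'S' entry below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if setgid_without_group_exec(st.st_mode):
                yield path, stat.filemode(st.st_mode)

if __name__ == "__main__":
    # Constructed sample modes, shown as requested vs. modelled result.
    for requested in ("2740", "2750", "2770", "0644"):
        applied = effective_directory_mode(requested)
        print(requested, ls_string(requested), "->", applied, ls_string(applied))
    # Report existing entries that carry setgid without group execute.
    for path, shown in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("setgid without group execute:", shown, path)
```

Running the scan against a managed tree before a Puppet run shows which entries will be reported as a mode change if their manifests request the same non-searchable mode.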