Module: Puppet::Util::SUIDManager

Extended by:

Forwardable

Includes:

Warnings

Defined in:

lib/puppet/util/suidmanager.rb

Class Method Summary

• .asuser(new_uid = nil, new_gid = nil) ⇒ Object

  Runs block setting uid and gid if provided then restoring original ids.

• .change_group(group, permanently = false) ⇒ Object
• .change_user(user, permanently = false) ⇒ Object
• .convert_xid(type, id) ⇒ Object

  Make sure the passed argument is a number.

• .groups=(grouplist) ⇒ Object
• .initgroups(user) ⇒ Object

  Initialize supplementary groups.

• .osx_maj_ver ⇒ Object
• .root? ⇒ Boolean
• .run_and_capture(command, new_uid = nil, new_gid = nil) ⇒ Object
• .system(command, new_uid = nil, new_gid = nil) ⇒ Object

Methods included from Warnings

clear_warnings, notice_once, warnonce

Class Method Details

.asuser(new_uid = nil, new_gid = nil) ⇒ Object

Runs block setting uid and gid if provided then restoring original ids

# File 'lib/puppet/util/suidmanager.rb', line 57

def asuser(new_uid=nil, new_gid=nil)
  return yield if Puppet.features.microsoft_windows? or !root?

  old_euid, old_egid = self.euid, self.egid
  begin
    change_group(new_gid) if new_gid
    change_user(new_uid) if new_uid

    yield
  ensure
    change_group(old_egid)
    change_user(old_euid)
  end
end

.change_group(group, permanently = false) ⇒ Object

Raises:

• (Puppet::Error)

# File 'lib/puppet/util/suidmanager.rb', line 73

def change_group(group, permanently=false)
  gid = convert_xid(:gid, group)
  raise Puppet::Error, "No such group #{group}" unless gid

  if permanently
    begin
      Process::GID.change_privilege(gid)
    rescue NotImplementedError
      Process.egid = gid
      Process.gid  = gid
    end
  else
    Process.egid = gid
  end
end

.change_user(user, permanently = false) ⇒ Object

Raises:

• (Puppet::Error)

# File 'lib/puppet/util/suidmanager.rb', line 90

def change_user(user, permanently=false)
  uid = convert_xid(:uid, user)
  raise Puppet::Error, "No such user #{user}" unless uid

  if permanently
    begin
      Process::UID.change_privilege(uid)
    rescue NotImplementedError
      # If changing uid, we must be root. So initgroups first here.
      initgroups(uid)
      Process.euid = uid
      Process.uid  = uid
    end
  else
    # If we're already root, initgroups before changing euid. If we're not,
    # change euid (to root) first.
    if Process.euid == 0
      initgroups(uid)
      Process.euid = uid
    else
      Process.euid = uid
      initgroups(uid)
    end
  end
end

.convert_xid(type, id) ⇒ Object

Make sure the passed argument is a number.

Raises:

• (ArgumentError)

# File 'lib/puppet/util/suidmanager.rb', line 118

def convert_xid(type, id)
  map = {:gid => :group, :uid => :user}
  raise ArgumentError, "Invalid id type #{type}" unless map.include?(type)
  ret = Puppet::Util.send(type, id)
  if ret == nil
    raise Puppet::Error, "Invalid #{map[type]}: #{id}"
  end
  ret
end

.groups=(grouplist) ⇒ Object

# File 'lib/puppet/util/suidmanager.rb', line 30

def groups=(grouplist)
  if osx_maj_ver == '10.6'
    return true
  else
    return Process.groups = grouplist
  end
end

.initgroups(user) ⇒ Object

Initialize supplementary groups

# File 'lib/puppet/util/suidmanager.rb', line 130

def initgroups(user)
  require 'etc'
  Process.initgroups(Etc.getpwuid(user).name, Process.gid)
end

.osx_maj_ver ⇒ Object

# File 'lib/puppet/util/suidmanager.rb', line 16

def osx_maj_ver
  return @osx_maj_ver unless @osx_maj_ver.nil?
  require 'facter'
  # 'kernel' is available without explicitly loading all facts
  if Facter.value('kernel') != 'Darwin'
    @osx_maj_ver = false
    return @osx_maj_ver
  end
  # But 'macosx_productversion_major' requires it.
  Facter.loadfacts
  @osx_maj_ver = Facter.value('macosx_productversion_major')
end

.root? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/util/suidmanager.rb', line 39

def self.root?
  return Process.uid == 0 unless Puppet.features.microsoft_windows?

  require 'sys/admin'
  require 'win32/security'
  require 'facter'

  majversion = Facter.value(:kernelmajversion)
  return false unless majversion

  # if Vista or later, check for unrestricted process token
  return Win32::Security.elevated_security? unless majversion.to_f < 6.0

  group = Sys::Admin.get_group("Administrators", :sid => Win32::Security::SID::BuiltinAdministrators)
  group and group.members.index(Sys::Admin.get_login) != nil
end

.run_and_capture(command, new_uid = nil, new_gid = nil) ⇒ Object

# File 'lib/puppet/util/suidmanager.rb', line 137

def run_and_capture(command, new_uid=nil, new_gid=nil)
  output = Puppet::Util.execute(command, :failonfail => false, :combine => true, :uid => new_uid, :gid => new_gid)
  [output, $CHILD_STATUS.dup]
end

.system(command, new_uid = nil, new_gid = nil) ⇒ Object

# File 'lib/puppet/util/suidmanager.rb', line 143

def system(command, new_uid=nil, new_gid=nil)
  status = nil
  asuser(new_uid, new_gid) do
    Kernel.system(command)
    status = $CHILD_STATUS.dup
  end
  status
end