sous-chefs / users

Development repository for the users cookbook
https://supermarket.chef.io/cookbooks/users
Apache License 2.0
138 stars, 217 forks

Root permissions applied when creating user accounts holding SSH public keys #130

Closed. JoelLarson closed this issue 7 years ago.

JoelLarson commented 8 years ago

On my staging servers (newly provisioned), the user accounts that I have being created are under the user root and group root rather than matching the owner of the directory they are in.

ubuntu@ip-xx-x-xx-xxx:/home/joellarson$ ls -al
total 24
drwxr-xr-x 3 joellarson joellarson 4096 Jan 27 17:19 .
drwxr-xr-x 6 root       root       4096 Jan 27 17:03 ..
-rw-r--r-- 1 joellarson joellarson  220 Apr  8  2014 .bash_logout
-rw-r--r-- 1 joellarson joellarson 3637 Apr  8  2014 .bashrc
-rw-r--r-- 1 joellarson joellarson  675 Apr  8  2014 .profile
drwx------ 2 root       root       4096 Jan 27 17:19 .ssh

However, when I create them using kitchen locally, I yield this result:

vagrant@default-ubuntu-1404:/home/joellarson$ ls -al
total 24
drwxr-xr-x 3 joellarson joellarson 4096 Jan 27 23:28 .
drwxr-xr-x 6 root       root       4096 Jan 27 23:28 ..
-rw-r--r-- 1 joellarson joellarson  220 Apr  9  2014 .bash_logout
-rw-r--r-- 1 joellarson joellarson 3637 Apr  9  2014 .bashrc
-rw-r--r-- 1 joellarson joellarson  675 Apr  9  2014 .profile
drwx------ 2 joellarson root       4096 Jan 27 23:28 .ssh

Has this issue come up before? This is now happening on my newly provisioned servers and was working fine when I last worked with the user related cookbook that I have.

This is the contents of the users wrapper cookbook that I have:

# Wrapper recipe: pull in the users cookbook so its resources are available
include_recipe "users"

# Manage the "sudo" group and create every user whose item in the "users"
# data bag lists "sudo" in its "groups" array
users_manage "sudo" do
  data_bag "users"
end

Data bag:

{
  "id": "joellarson",
  "password": "my-password-hash",
  "ssh_keys": [
    "my-ssh-key"
  ],
  "groups": [
    "sudo"
  ],
  "shell": "/bin/bash"
}

Any help or suggestions on tracking down the issue would be great! Thanks!

iennae commented 8 years ago

What version of the users cookbook are you using on your staging servers? v2.0.1 introduced this, as the assumption was that folks included uids. v2.0.2 should resolve this issue and doesn't assume that the uid has been created.

JoelLarson commented 8 years ago

Thanks for the reply!

I realized this during debugging yesterday and was going to post my thoughts about it all, but GitHub had been down so I put it off.

I did verify that my cookbook version was off, which was causing the problem. However, the problem still exists where the group of my .ssh folder is still root and not the owner of the home folder. It seems like this was intentional and it really doesn't affect too much security-wise; however, I feel it isn't a normal model to follow.

Is this something I should create a pull request to fix?

Thanks.

iennae commented 8 years ago

The problem comes with supporting Mac OS X. Using the username as the group specification has problems. Essentially I think the model that httpd cookbook uses is where this cookbook is going to go with slightly different providers as needed per platform. Right now, if a gid isn't specified, the ssh directory and keys get created with root permissions.
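Added example, not code from the users cookbook or from anyone in this thread: a stand-alone Ruby check that parses `ls -al` output (or stats a home directory on a live host) and flags a `.ssh` directory or `.ssh/authorized_keys` whose owner or group differs from the home directory's owner, which is exactly the mismatch the two listings above show. The two sample listings embedded in the code are copied from those outputs; the function names and the `:owner`/`:group` severity split are my own. One caveat worth knowing when reading the findings: OpenSSH's StrictModes accepts an `authorized_keys` owned by root as well as by the user, so a root-owned `~/.ssh` still lets the user log in; what the user loses is the ability to read or edit their own keys, and what an auditor loses is the expectation that home-directory ownership is consistent.

```ruby
# Added example (not part of the users cookbook): audit ownership of ~/.ssh and
# ~/.ssh/authorized_keys against the owner of the home directory itself.
require 'etc'

# Matches one line of `ls -al` long-listing output: mode, link count, owner,
# group, size, three date fields, name. The leading "total N" line does not match.
LS_LINE = /\A([-dlcbps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(.+)\z/

# Parse an `ls -al` listing into entry hashes: { mode:, owner:, group:, name: }.
def parse_ls(listing)
  listing.each_line.each_with_object([]) do |line, entries|
    m = LS_LINE.match(line.strip)
    entries << { mode: m[1], owner: m[2], group: m[3], name: m[4] } if m
  end
end

# Paths (relative to the home directory) whose ownership should match the home
# owner so the user can manage their own keys. In `ls -al $HOME` output only
# ".ssh" appears; audit_home below also stats the authorized_keys file.
SSH_ENTRIES = %w[.ssh .ssh/authorized_keys].freeze

# Compare the ssh-related entries against the "." entry (the home directory).
# Returns one finding per mismatch. :owner means another account owns the
# entry (the user cannot read or change it, as on the staging host above);
# :group means only the group differs (as in the kitchen run above).
def findings_for(entries)
  home = entries.find { |e| e[:name] == '.' }
  raise ArgumentError, 'listing has no "." entry' unless home
  expected = "#{home[:owner]}:#{home[:group]}"
  entries.select { |e| SSH_ENTRIES.include?(e[:name]) }.map do |e|
    next if e[:owner] == home[:owner] && e[:group] == home[:group]
    { name: e[:name], actual: "#{e[:owner]}:#{e[:group]}", expected: expected,
      severity: e[:owner] == home[:owner] ? :group : :owner }
  end.compact
end

# Entry point for pasted `ls -al $HOME` output.
def ssh_ownership_findings(listing)
  findings_for(parse_ls(listing))
end

# Same check on a live host, reading ownership with stat(2) instead of `ls`.
# Unresolvable uids/gids are reported numerically rather than raising.
def audit_home(home_path)
  entries = (['.'] + SSH_ENTRIES).map do |name|
    path = File.join(home_path, name)
    next unless File.exist?(path)
    st = File.stat(path)
    owner = begin; Etc.getpwuid(st.uid).name; rescue ArgumentError; st.uid.to_s; end
    group = begin; Etc.getgrgid(st.gid).name; rescue ArgumentError; st.gid.to_s; end
    { mode: st.mode.to_s(8), owner: owner, group: group, name: name }
  end.compact
  findings_for(entries)
end

# Constructed sample input: the two listings posted in this issue.
STAGING_LISTING = <<~LS
  total 24
  drwxr-xr-x 3 joellarson joellarson 4096 Jan 27 17:19 .
  drwxr-xr-x 6 root       root       4096 Jan 27 17:03 ..
  -rw-r--r-- 1 joellarson joellarson  220 Apr  8  2014 .bash_logout
  -rw-r--r-- 1 joellarson joellarson 3637 Apr  8  2014 .bashrc
  -rw-r--r-- 1 joellarson joellarson  675 Apr  8  2014 .profile
  drwx------ 2 root       root       4096 Jan 27 17:19 .ssh
LS

KITCHEN_LISTING = <<~LS
  total 24
  drwxr-xr-x 3 joellarson joellarson 4096 Jan 27 23:28 .
  drwxr-xr-x 6 root       root       4096 Jan 27 23:28 ..
  -rw-r--r-- 1 joellarson joellarson  220 Apr  9  2014 .bash_logout
  -rw-r--r-- 1 joellarson joellarson 3637 Apr  9  2014 .bashrc
  -rw-r--r-- 1 joellarson joellarson  675 Apr  9  2014 .profile
  drwx------ 2 joellarson root       4096 Jan 27 23:28 .ssh
LS

if __FILE__ == $PROGRAM_NAME
  { 'staging' => STAGING_LISTING, 'kitchen' => KITCHEN_LISTING }.each do |label, listing|
    ssh_ownership_findings(listing).each do |f|
      puts "#{label}: #{f[:severity]} mismatch on #{f[:name]}: #{f[:actual]} (expected #{f[:expected]})"
    end
  end
end
```

Run it as a script to see both sample listings reported; on a real host call `audit_home('/home/joellarson')` as root, or loop over `Etc.passwd` entries with a shell of `/bin/bash` to sweep every managed account after a Chef run.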

christopher-francisco commented 8 years ago

@iennae where should I put the gid, in the databag or in the recipe?

iennae commented 7 years ago

This cookbook is getting rewritten with custom resources with PR #399. Take a look and see whether the behavior will resolve your issue. Thanks!

iennae commented 7 years ago

#399 was merged and released. Please reopen with more details if this doesn't resolve your issue. Thanks!