voxpupuli / puppet-archive

Compressed archive file download and extraction with native types/providers for Windows and Unix
https://forge.puppet.com/puppet/archive
Apache License 2.0

archive does not enforce `owner:group` #498

Closed gavindidrichsen closed 1 month ago

gavindidrichsen commented 1 year ago

Affected Puppet, Ruby, OS and module versions/distributions

root@pe-server-8ccea3-0 usage (development)$ puppet --version
7.20.0
root@pe-server-8ccea3-0 usage (development)$ cat Puppetfile 
# This Puppetfile is managed by Bolt. Do not edit.
# For more information, see https://pup.pt/bolt-modules

# The following directive installs modules to the managed moduledir.
moduledir '.modules'

mod 'puppet/archive', '6.1.2'
mod 'puppetlabs/stdlib', '8.6.0'

How to reproduce (e.g Puppet code you use)

Download an archive and configure user => 'user' and group => 'user' to configure ownership

What are you seeing

The actual owner of the archive is root:root (in my case)

What behaviour did you expect instead

I expected the archive to be owned by user:user

Replication Steps

# @summary Download a jar without extraction
# @param targets The targets to run on.
plan usage::no_extract_no_cleanup (
  TargetSpec $targets = 'localhost'
) {
  $targets.apply_prep()
  $user  = 'user'
  $group = 'user'
  apply($targets) {
    include 'archive'

    # download a JAR without any extraction
    file { '/tmp/archive':
      ensure => directory,
      owner  => $user,
      group  => $group,
    }
    archive { '/tmp/archive/dd-java-agent-1.14.0.jar':
      ensure  => present,
      source  => 'https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/1.14.0/dd-java-agent-1.14.0.jar',
      extract => false,
      cleanup => false,
      user    => $user,
      group   => $group,
      require => File['/tmp/archive'],
    }
  }
}

but will not enforce the $user:$group; it's owned by root:root and not user:user

root@pe-server-8ccea3-0 usage (development)$ namei -nom /tmp/archive/dd-java-agent-1.14.0.jar
f: /tmp/archive/dd-java-agent-1.14.0.jar
 dr-xr-xr-x root root /
 drwxrwxrwt root root tmp
 drwxr-xr-x user user archive
 -rw-r--r-- root root dd-java-agent-1.14.0.jar
root@pe-server-8ccea3-0 usage (development)$ 

However, if I add the following after the archive

    file { '/tmp/archive/dd-java-agent-1.14.0.jar':
      ensure  => file,
      owner   => $user,
      group   => $group,
      require => Archive['/tmp/archive/dd-java-agent-1.14.0.jar'],
    }
  }

then the expected ownership is enforced

root@pe-server-8ccea3-0 usage (development)$ namei -nom /tmp/archive/dd-java-agent-1.14.0.jar
f: /tmp/archive/dd-java-agent-1.14.0.jar
 dr-xr-xr-x root root /
 drwxrwxrwt root root tmp
 drwxr-xr-x user user archive
 -rw-r--r-- user user dd-java-agent-1.14.0.jar
root@pe-server-8ccea3-0 usage (development)$ 

Chevron9 commented 10 months ago

From my cursory review of the code it seems that the intention is to simply give read rights on the archive, and the important part is that the extracted directory belongs to the specified user.

geoffrey-rodgers commented 1 month ago

Hello,

The user and group attributes of the archive resource do not configure permissions on the archive file. Using a file resource to set the permissions on the archive, as you've mentioned, would be the proper resolution. Please see https://github.com/voxpupuli/puppet-archive?tab=readme-ov-file#reference, specifically:

user: extract command user (using this option will configure the archive file permission to 0644 so the user can read the file).
group: extract command group (using this option will configure the archive file permission to 0644 so the user can read the file).
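A manifest that applies the resolution given in this thread, as an added example that is not the reporter's plan or code from the puppet-archive module: for a download-only archive, ownership is enforced by a separate file resource ordered after the archive; for an extracted archive, user/group on the archive resource are what make the extracted tree belong to that identity, because the module runs the extract command as that user and group. It assumes puppet/archive and puppetlabs/stdlib are installed (as in the reporter's Puppetfile), that a local user and group named app exist on the node, and that the tarball URL under example.invalid is a placeholder standing in for a real artifact; the class name profile::artifacts is likewise made up for the example.

```puppet
# Added example, not code from the issue or from the puppet-archive module.
# Assumes: puppet/archive and puppetlabs/stdlib are installed, a local
# user/group 'app' exist, and the tarball URL is a placeholder (example.invalid).
class profile::artifacts (
  String $user  = 'app',
  String $group = 'app',
  String $base  = '/opt/app',
) {
  include archive

  # Parent directory owned by the target identity; also gives that user
  # write access, which the extraction case below relies on.
  file { $base:
    ensure => directory,
    owner  => $user,
    group  => $group,
    mode   => '0755',
  }

  # Case 1: download without extraction (the reporter's scenario).
  # user/group on archive do not chown the downloaded file; per the README
  # they only cause it to be made 0644 so that user can read it. The
  # file resource after the archive is what enforces owner, group and mode,
  # and Puppet corrects them on every run if they drift.
  $jar = "${base}/dd-java-agent-1.14.0.jar"

  archive { $jar:
    ensure  => present,
    source  => 'https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/1.14.0/dd-java-agent-1.14.0.jar',
    extract => false,
    cleanup => false,
    require => File[$base],
  }

  file { $jar:
    ensure  => file,
    owner   => $user,
    group   => $group,
    mode    => '0644',
    require => Archive[$jar],
  }

  # Case 2: download and extract.
  # Here user/group matter: the extract command runs as app:app, so the
  # files it creates under extract_path are owned by app:app without a
  # separate file resource. 'creates' makes the resource idempotent once
  # the extracted directory exists; cleanup removes the tarball afterwards.
  archive { "${base}/app-1.0.0.tar.gz":
    ensure       => present,
    source       => 'https://example.invalid/app-1.0.0.tar.gz', # placeholder URL
    extract      => true,
    extract_path => $base,
    creates      => "${base}/app-1.0.0",
    cleanup      => true,
    user         => $user,
    group        => $group,
    require      => File[$base],
  }
}
```

For anything downloaded from a remote repository, pin the artifact with the module's checksum and checksum_type parameters as well, so that a changed upstream file fails the run instead of being silently installed; the checksum values are omitted above because they are specific to the artifact.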