[Pkg-puppet-devel] Bug#761426: puppet resource does not tell the truth for files that may not be accessed

Santiago Vila sanvila at unex.es
Sat Sep 13 18:15:24 UTC 2014


Package: puppet-common
Version: 3.7.0-1

I have a bunch of logcheck rules in /etc/logcheck/ignore.d.paranoid/mylogcheck,
served by puppet.

If I query puppet about it as root, I get this:

# puppet resource file /etc/logcheck/ignore.d.paranoid/mylogcheck
file { '/etc/logcheck/ignore.d.paranoid/mylogcheck':
  ensure  => 'file',
  content => '{md5}88fc34cf0e49645dc5635ee44ec803a4',
  ctime   => '2014-09-13 13:12:13 +0200',
  group   => '116',
  mode    => '640',
  mtime   => '2014-09-13 13:12:13 +0200',
  owner   => '0',
  type    => 'file',
}

but if I query about it as a normal user, I get this:

$ puppet resource file /etc/logcheck/ignore.d.paranoid/mylogcheck
Warning: /File[/etc/logcheck/ignore.d.paranoid/mylogcheck]: Could not stat; permission denied
file { '/etc/logcheck/ignore.d.paranoid/mylogcheck':
  ensure => 'absent',
}

The ensure => 'absent' part is simply not true.

The "ignore.d.paranoid" directory above is root:logcheck and it has
"rwxr-s---" permissions, so the considered file may not even be
accessed.

It should be noted that puppet gives a proper error for files it can
access but not read. In fact, if I change "ignore.d.paranoid" to be
mode 755 and try again as a normal user, I get this instead:

$ puppet resource file /etc/logcheck/ignore.d.paranoid/mylogcheck 
Error: Could not run: Could not read file /etc/logcheck/ignore.d.paranoid/mylogcheck: Permission denied @ rb_sysopen - /etc/logcheck/ignore.d.paranoid/mylogcheck

So, maybe this could be fixed by considering this case as an Error and
not as a Warning.

Thanks.
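
The distinction the report asks for, as an added Ruby example that is not Puppet's code and is not part of the original message: only ENOENT/ENOTDIR prove a path is absent, while EACCES and other stat failures leave its state unknown. The names `probe_file`, `FileState` and `DENIED_STAT` are hypothetical, and the stat call is injectable so the permission-denied case does not depend on the uid running the script.

```ruby
require 'tmpdir'

# Three-state result: a path we cannot inspect is :unknown, never :absent.
FileState = Struct.new(:state, :detail)

# `stat` is injectable so the permission-denied case can be exercised
# regardless of the uid (root bypasses directory mode bits).
def probe_file(path, stat: File.method(:lstat))
  st = stat.call(path)
  FileState.new(:present,
                format('mode=%o owner=%d group=%d', st.mode & 0o7777, st.uid, st.gid))
rescue Errno::ENOENT, Errno::ENOTDIR
  # Only these errnos prove that the name does not exist.
  FileState.new(:absent, 'no such file')
rescue SystemCallError => e
  # EACCES, ELOOP, EIO, ...: existence is undetermined, so report that.
  FileState.new(:unknown, "could not stat: #{e.message}")
end

# Constructed stand-in for lstat on a file below a directory the caller
# has no search permission on (the ignore.d.paranoid case in the report).
DENIED_STAT = ->(path) { raise Errno::EACCES, path }

def demo
  Dir.mktmpdir do |dir|
    real = File.join(dir, 'mylogcheck')
    File.write(real, "constructed sample rule\n")
    File.chmod(0o640, real)
    results = {
      present: probe_file(real),
      absent: probe_file(File.join(dir, 'missing')),
      denied: probe_file(real, stat: DENIED_STAT)
    }
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: state=#{r.state} (#{r.detail})" }
end
```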


