How to setuid by using Itamae

Question

I want to change file attributes using Itamae, so I wrote this:

file '/usr/local/bin/jobber' do
  action :edit
  owner 'jobber_client'
  group 'root'
  mode '04755'
end

The owner and group attributes were changed as expected, but mode only changed to 755 without performing the setuid to the file.

How can I perform a setuid with Itamae?

Can you try to use the `user` param on **file** resource : https://github.com/itamae-kitchen/itamae/wiki/file-resource — Nikhil, Oct 24 '16 at 21:17
Here's the patch I commited : https://github.com/itamae-kitchen/itamae/commit/bdcba8e19bcd1f36a2f5af6ab51733c5682013d3 — Eric Duminil, Oct 26 '16 at 20:27

score 2 · Answer 1 · answered Oct 26 '16 at 10:21

2

There was a bug filed against Chef for a similar issue, which seems to have been fixed here.

If Itamae is also affected by the same issue, then creating the file first and then modifying it later seems to be the best workaround.

answered Oct 26 '16 at 10:21

Michael Kohl

66,324
14
138
158

Eric Duminil · Answer 2 · 2016-10-26T10:37:49.200

Itamae doesn't ignore '4xxx', but it calls chmod first and then chown. Problem is : chown removes the suid set by chmod.

You can see it with

itamae local recipe.rb --log-level=debug

Swapping positions of the two ifs :

        if attributes.mode
          run_specinfra(:change_file_mode, change_target, attributes.mode)
        end

        if attributes.owner || attributes.group
          run_specinfra(:change_file_owner, change_target, attributes.owner, attributes.group)
        end

in def action_create(options) and def action_edit(options) at https://github.com/itamae-kitchen/itamae/blob/master/lib/itamae/resource/file.rb does the trick

I'll submit a patch.

In the meantime, this seems to work :

jobber = '/usr/local/bin/jobber'

file jobber do
  action :edit
  owner 'jobber_client'
  group 'root'
  mode '0755'
end

execute "setuid #{jobber}" do
  command "chmod u+s \"#{jobber}\""
end

How to setuid by using Itamae

2 Answers2