gitweb.fluxo.info Git - puppet-sshkeys_core.git/commit
(MODULES-9578) Create authorized_key in root path
author Gabriel Nagy <gabriel.nagy@puppet.com>
Tue, 13 Aug 2019 09:41:03 +0000 (12:41 +0300)
committer Gabriel Nagy <gabriel.nagy@puppet.com>
Wed, 23 Oct 2019 09:23:47 +0000 (12:23 +0300)
commit b2c153b6ff070d620d47c83265992f7226646ee8
tree 2754dfcb7d0b384a0c396f9c6bfd3a25c73d25e0
parent 8fd51e76226ea0f2012dfad9e3e52156cccbe13d

Previously, when the `target` property was set, the ssh_authorized_key
resource could not create directories/files within root-owned paths.
This behavior is due to the module switching context to the user, then
attempting to create the directory/file as the specified user,
ultimately failing because of insufficient permissions.

This commit adds a new parameter, `drop_privileges`, which when set to
false allows the module to write a ssh_authorized_key file in a
privileged path. Due to the possible security implications of this,
the parameter must be manually specified in order to activate this
functionality.

A path is considered to be privileged/trusted if all of its ancestors:
- do not contain any symlinks
- have the same owner as the user who runs Puppet
- are not world/group writable

REFERENCE.md
lib/puppet/provider/ssh_authorized_key/parsed.rb
lib/puppet/type/ssh_authorized_key.rb
spec/acceptance/tests/resource/ssh_authorized_key/create_spec.rb
spec/acceptance/tests/resource/ssh_authorized_key/destroy_spec.rb
spec/acceptance/tests/resource/ssh_authorized_key/modify_spec.rb
spec/unit/type/ssh_authorized_key_spec.rb
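
The three ancestor rules listed in the commit message, sketched as an added Ruby example; this is not the module's provider code. The method name `untrusted_ancestors`, its `uid:` keyword, the sample tree, and the choice to skip directories that do not exist yet are assumptions made for illustration.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Returns [[directory, reason], ...] for each ancestor of `target` that breaks
# a rule from the commit message; an empty list means the path is trusted.
def untrusted_ancestors(target, uid: Process.euid)
  violations = []
  Pathname.new(File.expand_path(target)).dirname.ascend do |dir|
    begin
      st = dir.lstat # lstat inspects the link itself instead of following it
    rescue Errno::ENOENT
      next # assumption: a missing directory is created later by the caller
    end
    reason = if st.symlink? then :symlink
             elsif st.uid != uid then :owner
             elsif (st.mode & 0o022) != 0 then :writable # group/world write bits
             end
    violations << [dir.to_s, reason] if reason
  end
  violations
end

# Constructed sample tree inside a fresh 0700 temp dir owned by the caller.
def build_sample_tree
  base = Dir.mktmpdir('trusted-path-demo')
  ok = File.join(base, 'ok')
  open_dir = File.join(base, 'open')
  Dir.mkdir(ok)
  Dir.mkdir(open_dir)
  File.chmod(0o755, ok)
  File.chmod(0o777, open_dir)               # world/group writable
  File.symlink(ok, File.join(base, 'link')) # symlinked ancestor
  base
end

if __FILE__ == $PROGRAM_NAME
  base = build_sample_tree
  %w[ok open link].each do |name|
    target = File.join(base, name, 'authorized_keys')
    # The system temp dir above `base` is world-writable, so report only
    # findings inside the sample tree.
    bad = untrusted_ancestors(target).select { |dir, _| dir.start_with?(base) }
    puts "#{name}: #{bad.empty? ? 'trusted' : bad.inspect}"
  end
  FileUtils.remove_entry(base)
end
```

Checking with `lstat` on every ancestor, not only the final directory, is what keeps a privileged write from being redirected by a link or a writable directory higher up the path.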