author | adamedx <admed@opscode.com> | 2013-01-16 16:04:37 -0800 |
---|---|---|
committer | Bryan McLellan <btm@opscode.com> | 2013-02-12 09:31:53 -0800 |
commit | 7b617fd3ca32592cf87b4ea7c2afdc56271bca5f (patch) | |
tree | 0fce0858558045b9ec6faef2134582b17cea634f | |
parent | d0def14f7fa4e1abd26d63fb0e213ba53d7a7f7d (diff) | |
download | chef-7b617fd3ca32592cf87b4ea7c2afdc56271bca5f.tar.gz |
CHEF-3467: Localize change to cookbook_file resource where issue actually occurs
-rw-r--r-- | chef/lib/chef/provider/cookbook_file.rb | 24 | ||||
-rw-r--r-- | chef/lib/chef/provider/file.rb | 30 |
2 files changed, 25 insertions, 29 deletions
diff --git a/chef/lib/chef/provider/cookbook_file.rb b/chef/lib/chef/provider/cookbook_file.rb index 144afbddeb..52539779ea 100644 --- a/chef/lib/chef/provider/cookbook_file.rb +++ b/chef/lib/chef/provider/cookbook_file.rb @@ -44,6 +44,7 @@ class Chef Chef::Log.debug("#{@new_resource} staging #{file_cache_location} to #{tempfile.path}") tempfile.close FileUtils.cp(file_cache_location, tempfile.path) + enforce_tempfile_inheritance(tempfile.path) end Chef::Log.info("#{@new_resource} created file #{@new_resource.path}") end @@ -76,6 +77,29 @@ class Chef ( ! ::File.exist?(@new_resource.path)) || ( ! compare_content) end + protected + + def enforce_tempfile_inheritance(tempfile_path) + # On the Windows platform, files in the temp directory + # default to not inherit unless the new resource specifies rights of + # some sort. Here we ensure that even when no rights are + # specified, the dacl's inheritance flag is set. + if Chef::Platform.windows? && + @new_resource.rights.nil? && + @new_resource.group.nil? && + @new_resource.owner.nil? && + @new_resource.deny_rights.nil? + + securable_tempfile = Chef::ReservedNames::Win32::Security::SecurableObject.new(tempfile_path) + + # No rights were specified, so the dacl will have no explicit aces + default_dacl = Chef::ReservedNames::Win32::Security::ACL.create([]) + + # In setting this default dacl, set inheritance to true + securable_tempfile.set_dacl(default_dacl, true) + end + end + end end end diff --git a/chef/lib/chef/provider/file.rb b/chef/lib/chef/provider/file.rb index 56ef622b1d..77f5217027 100644 --- a/chef/lib/chef/provider/file.rb +++ b/chef/lib/chef/provider/file.rb 
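Review bot: The new `enforce_tempfile_inheritance(tempfile.path)` call in the first cookbook_file.rb hunk runs while the file is still in the temp directory, so the inheritable ACEs it picks up on Windows are presumably those of the temp directory, not of the destination's parent. Whether they survive the later `FileUtils.mv` in `deploy_tempfile` (file.rb) depends on whether that move is a same-volume rename, which is not visible here. A spec comparing the final file's DACL with that of a file created directly in the destination directory would settle it. The call also now runs before `ac.set_all!` instead of after it, assuming this block is the one yielded by `deploy_tempfile`, so I would add a comment on the call line such as `# must run before deploy_tempfile applies FileAccessControl#set_all!`. The enclosing method starts above the hunk.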
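Review bot: The guard in `enforce_tempfile_inheritance` (second cookbook_file.rb hunk) tests `rights`, `group`, `owner` and `deny_rights` but not `mode`, so a resource that sets only `mode` still has its DACL replaced here by an empty inheriting one. If that is intended because `set_all!` runs afterwards, the comment should say so; otherwise add `@new_resource.mode.nil? &&` to the condition. The comment should also state that the empty ACL is safe only because inheritance is enabled in the same `set_dacl` call, since an empty DACL that does not inherit grants no access at all; naming the flag (`inherits = true`) would make that call easier to read. Moving the helper out of file.rb also means any other provider that stages through `deploy_tempfile` no longer gets this treatment, which is worth confirming against the providers not shown in this diff.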
@@ -331,17 +331,11 @@ class Chef def deploy_tempfile Tempfile.open(::File.basename(@new_resource.name)) do |tempfile| yield tempfile - + temp_res = Chef::Resource::CookbookFile.new(@new_resource.name) temp_res.path(tempfile.path) ac = Chef::FileAccessControl.new(temp_res, @new_resource, self) ac.set_all! - - # CHEF-3467: ensure that use of temp file does not cause - # permissions inconsistent with file resources that don't - # stage to temp. - enforce_tempfile_inheritance(temp_res.path) - FileUtils.mv(tempfile.path, @new_resource.path) end end @@ -356,28 +350,6 @@ class Chef def new_resource_content_checksum @new_resource.content && Digest::SHA2.hexdigest(@new_resource.content) end - - def enforce_tempfile_inheritance(tempfile_path) - # On the Windows platform, files in the temp directory - # default to not inherit unless the new resource specifies rights of - # some sort. Here we ensure that even when no rights are - # specified, the dacl's inheritance flag is set. - if Chef::Platform.windows? && - @new_resource.rights.nil? && - @new_resource.group.nil? && - @new_resource.owner.nil? && - @new_resource.deny_rights.nil? - - securable_tempfile = Chef::ReservedNames::Win32::Security::SecurableObject.new(tempfile_path) - - # No rights were specified, so the dacl will have no explicit aces - default_dacl = Chef::ReservedNames::Win32::Security::ACL.create([]) - - # In setting this default dacl, set inheritance to true - securable_tempfile.set_dacl(default_dacl, true) - end - end - end end end |