author | Tim Smith <tsmith@chef.io> | 2017-09-06 12:51:07 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-06 12:51:07 -0700 |
commit | 294742ef45336b97cafc1742c6adfd1d6657c710 (patch) | |
tree | 9a9e3bf7a1dd98101868d1b418b3f7479faea681 | |
parent | 38f8845fda94c6640ab905ef84f182db38c5f51f (diff) | |
parent | 518b27b7b22468d0ebde0b9370e113d31c8ccf2a (diff) | |
Merge pull request #6353 from mikedodge04/launchd2
Launchd should not load launchagents as root.
-rw-r--r-- | lib/chef/provider/launchd.rb | 20 | ||||
-rw-r--r-- | lib/chef/provider/service/macosx.rb | 7 | ||||
-rw-r--r-- | spec/unit/provider/service/macosx_spec.rb | 5 |
3 files changed, 28 insertions, 4 deletions
diff --git a/lib/chef/provider/launchd.rb b/lib/chef/provider/launchd.rb index 9c368c2b48..8281410d42 100644 --- a/lib/chef/provider/launchd.rb +++ b/lib/chef/provider/launchd.rb @@ -90,6 +90,7 @@ class Chef end def manage_plist(action) + return unless manage_agent?(action) if source res = cookbook_file_resource else @@ -101,11 +102,30 @@ class Chef end def manage_service(action) + return unless manage_agent?(action) res = service_resource res.run_action(action) new_resource.updated_by_last_action(true) if res.updated? end + def manage_agent?(action) + # Gets UID of console_user and converts to string. + console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name + root = console_user == "root" + agent = type == "agent" + invalid_action = [:delete, :disable, :enable, :restart].include?(action) + lltstype = "" + if new_resource.limit_load_to_session_type + lltstype = new_resource.limit_load_to_session_type + end + invalid_type = lltstype != "LoginWindow" + if root && agent && invalid_action && invalid_type + Chef::Log.debug("#{label}: Aqua LaunchAgents shouldn't be loaded as root") + return false + end + true + end + def service_resource res = Chef::Resource::MacosxService.new(label, run_context) res.name(label) if label diff --git a/lib/chef/provider/service/macosx.rb b/lib/chef/provider/service/macosx.rb index 4056b72649..9dc7b81a29 100644 --- a/lib/chef/provider/service/macosx.rb +++ b/lib/chef/provider/service/macosx.rb 
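Review bot: The guard added at the top of `manage_plist` also short-circuits `:delete`, because `manage_agent?` lists it among the skipped actions. An agent plist therefore stays on disk when the console is owned by root, even though removing a file loads nothing into a root session. The only trace is a `Chef::Log.debug` line, which is not shown at the usual log levels, so the resource silently does nothing. Consider keeping the guard on `manage_service` only, or raising the message to `Chef::Log.warn`. `manage_plist` continues outside the hunk and its callers are not visible here.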
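Review bot: `manage_agent?` stats `/dev/console` and calls `Etc.getpwuid` before it looks at `type == "agent"`, so every `manage_plist` and `manage_service` call, daemons included, now depends on that lookup. `Etc.getpwuid` raises `ArgumentError` for a uid with no passwd entry and `File.stat` raises if the path is missing, and either would abort the run. Putting `return true unless type == "agent"` on the first line limits the lookup to the case that needs it. The comment above the lookup is also inaccurate, since the line resolves a login name rather than converting a UID to a string; `# Login name of the user who owns /dev/console.` says what it does. The names `invalid_action` and `invalid_type` read as validation failures, whereas they mark the actions and session types for which the skip applies.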
@@ -52,17 +52,18 @@ class Chef @plist_size = 0 @plist = @new_resource.plist ? @new_resource.plist : find_service_plist @service_label = find_service_label - # LauchAgents should be loaded as the console user. + # LaunchAgents should be loaded as the console user. @console_user = @plist ? @plist.include?("LaunchAgents") : false @session_type = @new_resource.session_type if @console_user - @console_user = Etc.getlogin + @console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name Chef::Log.debug("#{new_resource} console_user: '#{@console_user}'") cmd = "su " param = this_version_or_newer?("10.10") ? "" : "-l " + param = "-l " if this_version_or_newer?("10.12") @base_user_cmd = cmd + param + "#{@console_user} -c" - # Default LauchAgent session should be Aqua + # Default LaunchAgent session should be Aqua @session_type = "Aqua" if @session_type.nil? end diff --git a/spec/unit/provider/service/macosx_spec.rb b/spec/unit/provider/service/macosx_spec.rb index c9dd629187..704c7a802e 100644 --- a/spec/unit/provider/service/macosx_spec.rb +++ b/spec/unit/provider/service/macosx_spec.rb @@ -74,7 +74,10 @@ XML let(:service_label) { "io.redis.redis-server" } before do allow(Dir).to receive(:glob).and_return([plist], []) - allow(Etc).to receive(:getlogin).and_return("igor") + @stat = double("File::Stat", { :uid => 501 }) + allow(File).to receive(:stat).and_return(@stat) + @getpwuid = double("Etc::Passwd", { :name => "mikedodge04" }) + allow(Etc).to receive(:getpwuid).and_return(@getpwuid) allow(node).to receive(:[]).with("platform_version").and_return(platform_version) cmd = "launchctl list #{service_label}" allow(provider).to receive(:shell_out_with_systems_locale). |
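Review bot: Nothing in this hunk handles the owner of `/dev/console` resolving to `root`, which the companion `manage_agent?` in launchd.rb treats as the case to avoid. Here `@base_user_cmd` is then built with root as the `su` target, so a LaunchAgent managed directly through this provider would presumably still be loaded in root's context. A check right after the lookup would make that visible, for example `Chef::Log.warn("#{new_resource}: /dev/console is owned by root, LaunchAgent would load as root") if @console_user == "root"`, or the load could be skipped in that case. The two `param` assignments could also be folded into one expression, so that the 10.10/10.11 exception is stated in one place. The enclosing method starts and ends outside the hunk.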
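Review bot: The two new stubs are unscoped, so the spec would still pass if the provider looked up the wrong path or uid. `allow(File).to receive(:stat)` answers every `File.stat` call in these examples with the uid-501 double, and `allow(Etc).to receive(:getpwuid)` ignores the uid it is given. Constraining them ties the test to the behaviour the commit introduces: `allow(File).to receive(:stat).and_call_original` followed by `allow(File).to receive(:stat).with("/dev/console").and_return(@stat)`, plus `.with(501)` on the `getpwuid` stub. This hunk also adds no example for a root-owned console or for the new `manage_agent?` predicate. The `before` block continues past the end of the hunk.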