author Jacob Minshall <minshalljg@gmail.com> 2015-02-22 12:00:21 -0800
committer Jacob Minshall <minshalljg@gmail.com> 2015-03-17 12:45:42 -0700
commit c76b988f83ea3cbaa5dd773577265ec5382a9a90
tree 277868a9b9c51a135c7e61a024df900b39183101
parent a7f5c92960aedf8d5bfc71abbce430ab075e016a
update mode if group or owner change to keep suid bit
On Linux, updating the group or owner unsets the suid bit for security reasons, so check for group and owner updates whether or not to set the mode.
-rw-r--r-- lib/chef/file_access_control/unix.rb 5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/chef/file_access_control/unix.rb b/lib/chef/file_access_control/unix.rb
index 472f30b752..52265f8f7e 100644
--- a/lib/chef/file_access_control/unix.rb
+++ b/lib/chef/file_access_control/unix.rb
@@ -197,6 +197,8 @@ class Chef
# the user has specified a permission, and it does not match the file, so fix the permission
Chef::Log.debug("found target_mode != current_mode, updating mode")
return true
+ elsif suid_bit_set? and (should_update_group? or should_update_owner?)
+ return true
else
Chef::Log.debug("found target_mode == current_mode, not updating mode")
# the user has specified a permission, but it matches the file, so behave idempotently
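Review bot: the added elsif branch returns true silently, while the branches before and after it each emit a Chef::Log.debug line explaining the decision. Add a debug message here saying the mode is being reapplied because an owner or group change is pending on a suid target, so a debug run shows why a file whose mode already matches is being updated. The condition uses the low-precedence `and`/`or` keywords; `&&`/`||` is the safer habit in a boolean expression. The fix only holds if the mode is applied after the owner and group changes, which this hunk does not show, so that ordering is worth confirming. The diffstat lists only unix.rb, so a spec covering a suid target_mode combined with an owner or group change is missing.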
@@ -280,6 +282,9 @@ class Chef
return nil
end
+ def suid_bit_set?
+ return target_mode & 04000 > 0
+ end
end
end
end
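Review bot: suid_bit_set? tests only 04000, so a target mode that carries setgid (02000) without setuid is not covered, and on Linux chown(2) also clears setgid on group-executable files. Consider testing `target_mode & 06000` and renaming the helper to match. `target_mode & 04000 > 0` parses as intended in Ruby because `&` binds tighter than `>`, but parentheses would spare readers used to C precedence, and the explicit `return` is unnecessary. The helper has no comment explaining why the check exists, and it would raise if target_mode were nil, so add a guard or a comment stating it must only be called once a mode has been specified.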