author | Mike Dodge <mikedodge04@gmail.com> | 2017-08-25 18:19:23 -0700 |
---|---|---|
committer | Mike Dodge <mikedodge04@gmail.com> | 2017-08-25 18:19:52 -0700 |
commit | efac241ff964cf3d98e956f02d32ca3a3426444e (patch) | |
tree | afd9417090500d2f51875fb0816c41ab070fbe95 | |
parent | f1df2bd9bccfc0bbe82777fff42b9788fdf36706 (diff) | |
download | chef-efac241ff964cf3d98e956f02d32ca3a3426444e.tar.gz |
Launchd should not load launchagents as root. #5846
The Launchd resource will load launchagents as root when the mac is
sitting on the login window. This is never a desired outcome and is hard
to recover from. This change now checks whether a user is
logged in before loading launchagents.
Signed-off-by: Mike Dodge <mikedodge04@gmail.com>
-rw-r--r-- | lib/chef/provider/launchd.rb | 24 | ||||
-rw-r--r-- | lib/chef/provider/service/macosx.rb | 7 |
2 files changed, 28 insertions, 3 deletions
diff --git a/lib/chef/provider/launchd.rb b/lib/chef/provider/launchd.rb
index a58954c707..8281410d42 100644
--- a/lib/chef/provider/launchd.rb
+++ b/lib/chef/provider/launchd.rb
@@ -85,7 +85,12 @@ class Chef
 manage_service(:disable)
 end
+ def action_restart
+ manage_service(:restart)
+ end
+
 def manage_plist(action)
+ return unless manage_agent?(action)
 if source
 res = cookbook_file_resource
 else
@@ -97,11 +102,30 @@ class Chef
 end
 def manage_service(action)
+ return unless manage_agent?(action)
 res = service_resource
 res.run_action(action)
 new_resource.updated_by_last_action(true) if res.updated?
 end
+ def manage_agent?(action)
+ # Gets UID of console_user and converts to string.
+ console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name
+ root = console_user == "root"
+ agent = type == "agent"
+ invalid_action = [:delete, :disable, :enable, :restart].include?(action)
+ lltstype = ""
+ if new_resource.limit_load_to_session_type
+ lltstype = new_resource.limit_load_to_session_type
+ end
+ invalid_type = lltstype != "LoginWindow"
+ if root && agent && invalid_action && invalid_type
+ Chef::Log.debug("#{label}: Aqua LaunchAgents shouldn't be loaded as root")
+ return false
+ end
+ true
+ end
+
 def service_resource
 res = Chef::Resource::MacosxService.new(label, run_context)
 res.name(label) if label
diff --git a/lib/chef/provider/service/macosx.rb b/lib/chef/provider/service/macosx.rb
index 4056b72649..9dc7b81a29 100644
--- a/lib/chef/provider/service/macosx.rb
+++ b/lib/chef/provider/service/macosx.rb
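Review bot: `invalid_type = lltstype != "LoginWindow"` in manage_agent? compares the property against a single String, so a LoginWindow agent whose `limit_load_to_session_type` is given as an Array (launchd plists accept a list of session types; whether the Chef property allows an Array is worth confirming against the resource) is misclassified and its enable/disable/restart/delete is skipped at the login window. Replacing the five-line `lltstype` block with `lltstype = Array(new_resource.limit_load_to_session_type)` and `invalid_type = !lltstype.include?("LoginWindow")` handles nil, String and Array alike. The skip is reported only at debug level, so a converge that silently does nothing to the agent looks successful; `Chef::Log.warn` would make the no-op visible to the operator. `Etc` is newly referenced in this file, so check that launchd.rb already has `require "etc"` (the macosx provider used Etc before this change; this file may not). The comment `# Gets UID of console_user and converts to string.` is inaccurate — the line resolves the owner of /dev/console to a user name — and would be clearer as `# Owner of /dev/console is the console user; it is root while the login window is showing.`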
@@ -52,17 +52,18 @@ class Chef
 @plist_size = 0
 @plist = @new_resource.plist ? @new_resource.plist : find_service_plist
 @service_label = find_service_label
- # LauchAgents should be loaded as the console user.
+ # LaunchAgents should be loaded as the console user.
 @console_user = @plist ? @plist.include?("LaunchAgents") : false
 @session_type = @new_resource.session_type
 if @console_user
- @console_user = Etc.getlogin
+ @console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name
 Chef::Log.debug("#{new_resource} console_user: '#{@console_user}'")
 cmd = "su "
 param = this_version_or_newer?("10.10") ? "" : "-l "
+ param = "-l " if this_version_or_newer?("10.12")
 @base_user_cmd = cmd + param + "#{@console_user} -c"
- # Default LauchAgent session should be Aqua
+ # Default LaunchAgent session should be Aqua
 @session_type = "Aqua" if @session_type.nil?
 end
|
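Review bot: `@console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name` resolves to "root" while the machine sits at the login window, and nothing in this hunk stops `@base_user_cmd` from becoming `su -l root -c`, so a LaunchAgent managed directly through the macosx service provider is still loaded as root — the case the launchd provider hunk now guards against. A check of `@console_user` against "root" before `@base_user_cmd` is built (refusing to build the command, or logging at warn level rather than debug) would keep the two providers consistent; the initializer continues outside the hunk, so a later check may exist. The two consecutive `param` assignments read as a history of workarounds; a one-line comment stating why 10.10–10.11 omit `-l` while 10.12+ needs it again would save the next reader from guessing.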