Closed Bug 851305 Opened 11 years ago Closed 11 years ago

releng-puppet1.srv.releng.scl3.mozilla.com has a default umask of 027

Categories

(Infrastructure & Operations :: Infrastructure: Puppet, task)

Product:
Infrastructure & Operations
Component:
Infrastructure: Puppet
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: mozilla, Unassigned)

References

Details

from /etc/bashrc:
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 0027
else
    umask 022
fi

It's problematic to have a default umask of 0027 when we're uploading python packages that go live immediately.  When tests install package X (without a version specified), they try to download an unreadable pacakge, and the tree burns.

Can we change this?  I already have a |umask 002| in my .bashrc, but this burnt the tree when Armen uploaded something.  We can certainly script or doc around this, but that seems to defeat the purpose of setting this default.
This umask is an infra-wide default.  I don't think we should change it globally for this reason.

The 'puppetagain-fixperms' script will fix this up, so perhaps just document that you should run that immediately after uploading.  It runs every half-hour in a crontask anyway.

Tests really shouldn't be installing a package "X" without a version specified, but for situations where that's the case, I think some caution is advised anyway.  Certainly we could add a "puppetagagain-python-package" script that would Do The Right Thing from the start (change the perms first, then move the file into place).

I'm assigning to you, Aki, as a way of saying "patches accepted".
Assignee: server-ops-releng → aki
Is there a way to make an exception to the infra-wide default?
Flags: needinfo?(dustin)
(In reply to Dustin J. Mitchell [:dustin] from comment #1)
> This umask is an infra-wide default.  I don't think we should change it
> globally for this reason.

I'm confused - we're not asking for a global change, we're asking for a change on all infra managed puppet masters within the releng network.

Could you clarify the concern please when you point us to exception request process asked for in comment 2? 

Thanks! (and back to relops)
Assignee: aki → server-ops-releng
I meant globally to the host, not globally to the company.

This is best fixed with a better process for adding files, rather than changing the umask on the host (which affects more than just adding files to this directory).
Flags: needinfo?(dustin)
Assignee: server-ops-releng → nobody
Component: Server Operations: RelEng → Release Engineering
QA Contact: arich
I think a host that's designed for serving files via the web, having a default that makes serving those files impossible without additional steps run every time, doesn't make sense.  So I disagree on not making this change globally on the host.

We do have a workaround, which would make this lower urgency; I'd just like the right fix, should we agree on what that fix should be.
This host also serves a lot of secret data.  I'd rather have a public file non-readable, than a secret file accidentally readable.
(In reply to Dustin J. Mitchell [:dustin] from comment #6)
> This host also serves a lot of secret data.  I'd rather have a public file
> non-readable, than a secret file accidentally readable.

Agreed, although that's a design flaw :( -- is a stricter separation of privileged data part of puppet again architecture? Or do we need a bug there?
Flags: needinfo?(dustin)
It's not a design flaw.  Puppet by its nature deals with both public and private data.
Flags: needinfo?(dustin)
Assignee: nobody → infra
Component: Release Engineering → Infrastructure: Puppet
Product: mozilla.org → Infrastructure & Operations
QA Contact: jdow
And, releng-puppet1 is gone away, so RESO INVA unless someone sees a need to reopen this for a new set of hosts.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.