salt: cmd.run(runas) results in "csh: Permission denied" (FreeBSD)
Description of Issue/Question
Attempting to run a command as a different user on csh fails with “permission denied”. FreeBSD uses csh as the root shell by default, so this is an issue on a fresh FreeBSD install. I didn’t test on another OS, but I suspect it has something to do with csh, rather than FreeBSD.
This affects a number of states, like git for example, which fails if it uses the “user” parameter.
The only previous report I found is #9657, 3 years ago. Understandably closed, but note that I am reproducing this on a new FreeBSD 11 install, having almost nothing else installed and no changes to csh profile.
Setup
Easy to reproduce on a masterless setup, but it behaves the same either way. Smallest SLS file:
# cat /usr/local/etc/salt/states/runas_bug.sls
test "1" = "1":
  cmd.run:
    - runas: bgdnlp
Steps to Reproduce Issue
With root’s default shell, /bin/csh:
# salt-call -l info state.sls runas_bug
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** skipped ** latest already in cache 'salt://runas_bug.sls', mode up-to-date
[INFO ] Running state [test "1" = "1"] at time 16:33:36.160958
[INFO ] Executing state cmd.run for test "1" = "1"
[INFO ] Executing command 'test "1" = "1"' as user 'bgdnlp' in directory '/home/bgdnlp'
[ERROR ] Command 'test "1" = "1"' failed with return code: 1
[ERROR ] stderr: csh: Permission denied.
[ERROR ] retcode: 1
[ERROR ] {'pid': 1279, 'retcode': 1, 'stderr': 'csh: Permission denied.', 'stdout': ''}
[INFO ] Completed state [test "1" = "1"] at time 16:33:36.218481 duration_in_ms=57.523
local:
----------
          ID: test "1" = "1"
    Function: cmd.run
      Result: False
     Comment: Command "test "1" = "1"" run
     Started: 16:33:36.160958
    Duration: 57.523 ms
     Changes:
              ----------
              pid:
                  1279
              retcode:
                  1
              stderr:
                  csh: Permission denied.
              stdout:
Summary for local
------------
Succeeded: 0 (changed=1)
Failed: 1
------------
Total states run: 1
Total run time: 57.523 ms
After changing shell to /bin/sh and logging in again:
# salt-call -l info state.sls runas_bug
[INFO ] Loading fresh modules for state activity
[INFO ] Fetching file from saltenv 'base', ** skipped ** latest already in cache 'salt://runas_bug.sls', mode up-to-date
[INFO ] Running state [test "1" = "1"] at time 16:40:16.738548
[INFO ] Executing state cmd.run for test "1" = "1"
[INFO ] Executing command 'test "1" = "1"' as user 'bgdnlp' in directory '/home/bgdnlp'
[INFO ] {'pid': 1326, 'retcode': 0, 'stderr': '', 'stdout': ''}
[INFO ] Completed state [test "1" = "1"] at time 16:40:16.789120 duration_in_ms=50.572
local:
----------
          ID: test "1" = "1"
    Function: cmd.run
      Result: True
     Comment: Command "test "1" = "1"" run
     Started: 16:40:16.738548
    Duration: 50.572 ms
     Changes:
              ----------
              pid:
                  1326
              retcode:
                  0
              stderr:
              stdout:
Summary for local
------------
Succeeded: 1 (changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 50.572 ms
Versions Report
Salt Version:
Salt: 2016.11.1
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.5.3
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.8
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.7
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.13 (default, Jan 12 2017, 01:19:30)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 16.0.2
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.4.2
ZMQ: 4.1.5
System Versions:
dist:
machine: amd64
release: 11.0-RELEASE-p8
system: FreeBSD
version: Not Installed
About this issue
- State: open
- Created 7 years ago
- Comments: 22 (16 by maintainers)
It’s not the PATH and it’s not that test isn’t built into csh. Changing the command to /bin/test has the same result. My initial use case was running find to check if a file is older than a week in order to make Salt only check for updates in a git repo weekly. It failed on every run. Basically any kind of unless or onlyif that runs as a different user returns false always.
Calling the state from master isn’t desirable and it doesn’t work in a masterless setup.