Permissions for foreman::app_root not set correctly #934

Open
promasu opened this issue Apr 6, 2021 · 3 comments

Comments

@promasu

promasu commented Apr 6, 2021

Version: mod 'theforeman-foreman', '16.1.0'

When using

class { 'foreman':
    app_root => '/srv/some_dir',
}

the folder is created with the root user and not with the user specified by foreman. This breaks the whole argument.

@ekohl
Member

ekohl commented Apr 6, 2021

The relevant code is here:

file { $foreman::app_root:
  ensure => directory,
}

In production deployments it should be owned by root:root so always making Foreman the owner would lead to less security. I wonder what you would expect here. Also interested in how you'd like to manage content of that app root.

Overall I've been thinking of dropping management of that directory, especially after #928 is merged. What are your thoughts on it?

@promasu
Author

promasu commented Apr 6, 2021

That directory is created by the installation of the foreman package if I see it correctly. It's then owned by foreman:foreman.
If app_root is not set the default folder is created by the statement you stated and therefore owned by root:root.

When using app_root the class Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate] fails for example as the folder is not writable (and readable) by the user foreman.

@ekohl
Member

ekohl commented Apr 6, 2021

That directory is created by the installation of the foreman package if I see it correctly. It's then owned by foreman:foreman.

$ ls -l /usr/share/foreman -d
drwxr-xr-x. 14 root root 4096 Mar 24 11:34 /usr/share/foreman

There are some directories which should be writable. However, in production deployment we symlink those. So:

$ ls -l /usr/share/foreman
total 100
drwxr-xr-x. 15 root    root  4096 Mar 19 16:37 app
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 bin
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 bundler.d
drwxr-xr-x.  7 root    root  4096 Mar 24 11:34 config
-rw-r--r--.  1 foreman root   383 Mar 19 16:37 config.ru
lrwxrwxrwx.  1 root    root    19 Mar 24 11:34 db -> /var/lib/foreman/db
drwxr-xr-x.  6 root    root  4096 Mar 24 11:34 extras
-rw-r--r--.  1 root    root  1855 Mar 19 16:37 Gemfile.in
drwxr-xr-x.  7 root    root  4096 Mar 24 11:34 lib
drwxr-xr-x. 20 root    root  4096 Mar 24 11:34 locale
lrwxrwxrwx.  1 root    root    16 Mar 24 11:34 log -> /var/log/foreman
drwxr-xr-x.  2 root    root 40960 Mar 24 11:34 migrate
drwxr-xr-x.  2 root    root  4096 Mar 22 12:07 plugins
lrwxrwxrwx.  1 root    root    23 Mar 24 11:34 public -> /var/lib/foreman/public
-rw-r--r--.  1 root    root   198 Mar 19 16:37 Rakefile
drwxr-xr-x.  5 root    root  4096 Mar 24 11:34 script
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 seeds.d
-rw-r--r--.  1 root    root   482 Mar 19 16:37 seeds.rb
lrwxrwxrwx.  1 root    root    16 Mar 24 11:34 tmp -> /var/run/foreman
-rw-r--r--.  1 root    root     6 Mar 19 16:37 VERSION
$ ls -ld /usr/share/foreman/{db,log,public,tmp}/
drwxr-xr-x. 2 foreman foreman 4096 Mar 24 11:34 /usr/share/foreman/db/
drwxr-x---. 3 foreman foreman 4096 Apr  6 05:15 /usr/share/foreman/log/
drwxr-xr-x. 7 foreman foreman 4096 Mar 24 11:34 /usr/share/foreman/public/
drwxr-x---. 5 foreman foreman  120 Apr  6 17:11 /usr/share/foreman/tmp/

I think config.ru is owned by Foreman because Passenger needed it but shouldn't be needed by a Puma deployment.

Does this help?
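The production layout ekohl describes above, turned into a check: an audit over an `ls -l` listing of an app_root that flags a real directory where a relocated symlink is expected (the state that breaks db:migrate for the foreman user), non-root ownership, and group/other-writable entries. This is an added example, not code from the issue or from the theforeman-foreman module; the service user name, the required-writable set (db, log, public, tmp) and the sample listing are assumptions modelled on the thread.

```shell
#!/bin/sh
# Added example; not code from this issue or from the theforeman-foreman module.
# Reviews an `ls -l` listing of a Foreman app_root against the layout ekohl
# describes: entries owned by root:root, nothing writable by group or others,
# and the directories Foreman must write to (db, log, public, tmp) present
# only as symlinks to absolute paths outside the app root.
#
# audit_listing SERVICE_USER < listing
#   prints one finding per line; returns 0 when clean, 1 on any FAIL.
audit_listing() {
  awk -v svc="$1" '
    BEGIN { bad = 0; n = split("db log public tmp", w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
    /^total / || NF < 9 { next }        # skip the "total N" header and short lines
    {
      mode = $1; owner = $3; group = $4; name = $9; type = substr(mode, 1, 1)
      if (type == "l") {                # symlink: writes land on the target, not here
        if (name in need) delete need[name]
        if ($11 !~ /^\//) { printf "FAIL %s: symlink target %s is not absolute\n", name, $11; bad = 1 }
        next
      }
      if (name in need) {               # real entry where a relocated symlink is expected
        printf "FAIL %s: must be a symlink to a %s-owned directory, is a real entry owned by %s:%s\n", name, svc, owner, group
        delete need[name]; bad = 1
      }
      if (owner != "root" || group != "root")
        printf "WARN %s: owned by %s:%s, expected root:root\n", name, owner, group
      # positions 6 and 9 of the mode string are the group-write and other-write bits
      if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") {
        printf "FAIL %s: writable by group or others (%s)\n", name, mode; bad = 1
      }
    }
    END { for (d in need) { printf "FAIL %s: expected symlink is missing\n", d; bad = 1 }; exit bad }'
}

# Constructed listing (not from the issue), modelled on the thread: tmp is a real
# root-owned directory, the state in which foreman-rake db:migrate cannot write.
sample_listing() {
  cat <<'EOF'
total 24
drwxr-xr-x. 15 root    root  4096 Mar 19 16:37 app
-rw-r--r--.  1 foreman root   383 Mar 19 16:37 config.ru
lrwxrwxrwx.  1 root    root    19 Mar 24 11:34 db -> /var/lib/foreman/db
lrwxrwxrwx.  1 root    root    16 Mar 24 11:34 log -> /var/log/foreman
lrwxrwxrwx.  1 root    root    23 Mar 24 11:34 public -> /var/lib/foreman/public
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 tmp
EOF
}

if sample_listing | audit_listing foreman; then echo "app_root layout OK"; fi
```

Feed it `ls -l "$app_root"` on a live host to compare an installation against the same expectations; the config.ru warning matches ekohl's remark that its foreman ownership is a Passenger leftover.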
