Issue #2503 has been updated by Markus Roberts. Status changed from Accepted to Ready for Checkin
Patched on branch http://github.com/MarkusQ/puppet/tree/ticket/master/2503 to append a random suffix to the temporary file name and verify that the name thus generated is not in use before proceeding. This reduces the exploitable window to a fraction of a second between the generation of the name and its subsequent use. While an attacker that could intercept puppet's system calls could theoretically still exploit the link trick, such an omnipotent malefactor would in practice already own the system. Thus the patch outruns the bear.

----------------------------------------
Bug #2503: Insecure temp file handling in file{}
http://projects.reductivelabs.com/issues/2503

Author: volcane volcane
Status: Ready for Checkin
Priority: Urgent
Assigned to:
Category: file
Target version: 0.25.0
Complexity: Unknown
Affected version: 0.24.8
Keywords:

file{} does a rather stupid thing with temp files. The result is that users could potentially overwrite files they don't own with the help of puppet: confirmed on 0.24.8.

## /tmp/securefile
secure file contents

## evil user does
ln -s /tmp/securefile /home/rip/somefile.puppettmp

## manifest does
file{"/home/rip/somefile": content => "managed by puppet\n" }

## run it
notice: //File[/home/rip/somefile]/content: defined 'content' as '{md5}89a502238a07c7e92a7398383d88b7a2'

## /tmp/securefile
puppet content
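An illustration of the race the ticket describes and of the fix outlined above, added here and not Puppet's own code: the naive writer uses the predictable `.puppettmp` name, while the hardened one adds a random suffix and creates the file with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), so a link planted at the temp name cannot redirect the write. Function names, the suffix length and the retry count are assumptions.

```ruby
require 'securerandom'
require 'tmpdir'

# Vulnerable behaviour as the ticket describes it for 0.24.8 (reconstructed,
# not Puppet's code): predictable name, plain open that follows a planted link.
def naive_temp_write(dest, content)
  tmp = "#{dest}.puppettmp"
  File.open(tmp, 'w') { |f| f.write(content) }  # writes through the link
  File.rename(tmp, dest)
end

# Fix as the patch describes it: random suffix plus a check that the name is
# unused. The check is made atomic with O_CREAT|O_EXCL, which fails when
# anything (a symlink included) already exists at the name; O_NOFOLLOW is
# added where the platform has it as defence in depth.
NOFOLLOW = File::Constants.const_defined?(:NOFOLLOW) ? File::NOFOLLOW : 0

def safe_temp_write(dest, content, attempts: 5)
  attempts.times do
    tmp = "#{dest}.puppettmp.#{SecureRandom.hex(8)}"
    begin
      File.open(tmp, File::WRONLY | File::CREAT | File::EXCL | NOFOLLOW, 0600) do |f|
        f.write(content)
      end
    rescue Errno::EEXIST, Errno::ELOOP
      next  # name already taken (possibly a planted link): pick another
    end
    File.rename(tmp, dest)
    return true
  end
  false  # every candidate name was occupied; do not write anywhere
end

# Constructed scenario from the ticket: a symlink to a "secure" file is
# planted at the predictable temp name before the managed write happens.
# Returns what the secure file contains after each strategy has run.
def demo
  Dir.mktmpdir do |dir|
    secure = File.join(dir, 'securefile')
    { naive: method(:naive_temp_write), safe: method(:safe_temp_write) }.map do |name, writer|
      File.write(secure, "secure file contents\n")
      dest = File.join(dir, "somefile_#{name}")
      File.symlink(secure, "#{dest}.puppettmp")  # the planted link
      writer.call(dest, "managed by puppet\n")
      [name, File.read(secure)]
    end.to_h
  end
end
```

Running `demo` shows the naive strategy clobbering the secure file exactly as in the ticket, while the hardened one leaves it untouched and writes only the intended destination.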
