[Puppet - Bug #4299] Exec fails if command is in given path but "which" is not

tickets Mon, 04 Oct 2010 15:47:30 -0700

Issue #4299 has been updated by Markus Roberts.


Just talked this over with Luke; the change from 0.24.8 was (and still is) 
motivated by security concerns; having the default be to use a subshell 
needlessly exposes users to the possibility of shell injection attacks.  As the 
workaround proposed on the related tickets ("sh -c ...") becomes cumbersome 
under some circumstances (nested quoting) so I'll look into the possibility of 
having a flag ("insecure_subshell" or some such) to enable the desired 
behaviour.

----------------------------------------
Bug #4299: Exec fails if command is in given path but "which" is not
http://projects.puppetlabs.com/issues/4299

Author: Alan Harder
Status: Needs design decision
Priority: Normal
Assignee: 
Category: exec
Target version: 2.6.2
Affected version: 2.6.0
Keywords: 
Branch: 


<pre>node default {
  exec { 'test':
    command => 'puppet --version',
    path => '/opt/csw/bin',
    logoutput => true
  }
}</pre>

The above test on 2.6.0rc4 results in this error:

<pre>/opt/csw/lib/ruby/site_ruby/1.8/puppet/util/autoload.rb:79: command not 
found: which puppet
/opt/csw/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:558:in `checkexe'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/util/execution.rb:14:in `withenv'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:555:in `checkexe'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:607:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:120:in `sync'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:117:in `times'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:117:in `sync'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction/change.rb:34:in `apply'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:21:in 
`apply_changes'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:20:in 
`each'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:20:in 
`apply_changes'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:90:in 
`evaluate'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:49:in `apply'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:114:in 
`eval_children_and_apply_resource'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:92:in `eval_resource'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:143:in `evaluate'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/util.rb:414:in `thinmark'
/opt/csw/lib/ruby/1.8/benchmark.rb:308:in `realtime'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/util.rb:413:in `thinmark'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:142:in `evaluate'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `each'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/transaction.rb:135:in `evaluate'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:145:in `apply'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/configurer.rb:152:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/util.rb:175:in `benchmark'
/opt/csw/lib/ruby/1.8/benchmark.rb:308:in `realtime'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/util.rb:174:in `benchmark'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/configurer.rb:151:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/opt/csw/lib/ruby/1.8/sync.rb:229:in `synchronize'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent.rb:101:in `with_client'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `call'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application.rb:171:in `controlled_run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application.rb:398:in `exit_on_fail'
/opt/csw/lib/ruby/site_ruby/1.8/puppet/application.rb:301:in `run'
/opt/csw/bin/puppetd:4
err: /Stage[main]//Node[default]/Exec[test]/returns: change from notrun to 0 
failed: Could not find command 'puppet'</pre>

Need to make sure /usr/bin is in the path so "which" can be found.  Not sure if 
this should just be documented, or if some change in puppet is needed.



-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://projects.puppetlabs.com/my/account

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en.

[Puppet - Bug #4299] Exec fails if command is in given path but "which" is not

Reply via email to