Issue #5981 has been updated by Jesse Wolfe.
There are security implications of this change - there's a category of security
flaw that is susceptible to "symlink attacks", which is unfortunately very
common in unix programs.
A contrived example:
<pre>
file { "/home/alice/.ssh/authorized_keys":
  links   => follow,
  content => "alice's key"
}
</pre>
If Alice changes the symlink to target "/home/bob/.ssh/authorized_keys", and
puppet writes the file contents as root, Alice can gain access to Bob's user
account.
In theory it's possible to make this safer by setting puppet's effective user
ID such that it doesn't write the file as root (which is what we do in the
ssh_authorized_key provider), but not only is this extremely complicated to do
correctly on various unixes (see
http://www.stanford.edu/~stinson/cs155/notes/setuid.txt and
http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf for details), but
in the general case I can't think of a "right answer" for which user's rights
puppet should assume: would it be the owner of the symlink? or the owner of the
directory that the symlink is in? Is it possible to do this without creating a
race condition where the symlink could still get changed in the time between
when Puppet checks the ownership and when Puppet writes the file?
So, I don't think sufficient research has been done to propose a solution yet.
As a workaround, manage the target file's contents as a separate resource.
----------------------------------------
Bug #5981: Puppet shouldn't overwrite symlinks when specifying content and
follow is on.
https://projects.puppetlabs.com/issues/5981
Author: Nigel Kersten
Status: Accepted
Priority: High
Assignee:
Category:
Target version: 2.6.x
Affected Puppet version:
Keywords:
Branch:
Illustration of the issue:
<pre>
kripke:~ nbk$ echo "target" > /tmp/target
kripke:~ nbk$ ln -s /tmp/target /tmp/symlink
kripke:~ nbk$ ls -l /tmp/target /tmp/symlink
lrwxr-xr-x 1 nbk wheel 11 Jan 23 14:43 /tmp/symlink -> /tmp/target
-rw-r--r-- 1 nbk wheel 7 Jan 23 14:43 /tmp/target
</pre>
<pre>
kripke:~ nbk$ puppet --version
2.6.4
kripke:~ nbk$ cat /tmp/test.pp
file { "/tmp/symlink":
ensure => present,
backup => false,
links => follow,
content => "content",
}
kripke:~ nbk$ puppet apply -v /tmp/test.pp
info: Applying configuration version '1295823089'
notice: /Stage[main]//File[/tmp/symlink]/content: content changed '{md5}80fb1dd0b20823f1d83e10d25840e2e4' to '{md5}9a0364b9e99bb480dd25e1f0284c8555'
kripke:~ nbk$ ls -la /tmp/target /tmp/symlink
-rw-r--r-- 1 nbk wheel 7 Jan 23 14:51 /tmp/symlink
-rw-r--r-- 1 nbk wheel 7 Jan 23 14:47 /tmp/target
</pre>
So even though we're not managing the symlink, and we've only got ensure set to
"present", and we have links set to follow, Puppet overwrites the symlink with
the contents, rather than the target.
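The two concerns above (Jesse's point that writing through a followed symlink as root is exploitable and that an ownership check before the write is racy, and Nigel's reproduction where the symlink itself gets replaced) both come down to how the final path component is opened. The following is an added example, not Puppet's own code or a proposed patch: it assumes a Linux-style O_NOFOLLOW (exposed in Ruby as File::NOFOLLOW) and uses hypothetical helper names. The open refuses a symlink at the last component outright, and the regular-file check is done with fstat on the descriptor already held, so there is no window between check and write in which the path could be swapped.

```ruby
require 'tmpdir'

# Raised when the guarded write declines to touch a path.  (hypothetical name)
SymlinkRefused = Class.new(StandardError)

# Write +content+ to +path+ without following a symlink at the final path
# component.  Assumes the platform honours O_NOFOLLOW (Linux does; the
# verifier is assumed to run there).  The check (f.stat, i.e. fstat) and the
# write share one descriptor, so a symlink swapped in after the open cannot
# redirect the data: the descriptor is already bound to the inode.
def write_nofollow(path, content, mode: 0o644)
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(path, flags, mode) do |f|
    st = f.stat
    raise SymlinkRefused, "#{path}: not a regular file" unless st.file?
    f.write(content)
  end
  path
rescue Errno::ELOOP, Errno::EMLINK
  # Linux reports ELOOP for O_NOFOLLOW on a symlink; BSDs report EMLINK.
  raise SymlinkRefused, "#{path}: is a symlink, refusing to write through it"
end

# Reproduces the bug report's setup (a constructed target file and a symlink
# pointing at it, in a scratch directory) and shows the guarded write's
# behaviour on each.  Returns a hash so the outcome can be asserted on.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'target')
    link   = File.join(dir, 'symlink')
    File.write(target, "target\n")
    File.symlink(target, link)

    refused = begin
      write_nofollow(link, "content\n")
      false
    rescue SymlinkRefused
      true
    end
    target_after_refusal = File.read(target)

    # Writing to the real file (no symlink in the last component) still works.
    write_nofollow(target, "content\n")

    {
      refused:              refused,
      link_still_symlink:   File.symlink?(link),
      target_after_refusal: target_after_refusal,
      target_content:       File.read(target)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Note what this does and does not decide: it never answers Jesse's question of whose privileges a write through a symlink should carry, it simply declines to write through one, which is the behaviour a `content` resource on a symlink needs when the alternative is a root-owned write into an attacker-chosen file. If following is genuinely wanted, the same fstat-after-open pattern lets the caller inspect the owner of the file actually opened before writing, again without a check-then-write race on the path.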