Issue #5495 has been updated by Nick Lewis.

Status changed from Accepted to Merged - Pending Release

A fix for this has been merged to 2.7.x in commit:1049458461b5ec5e1e48ad0244d63eb24626b09d, along with some refactoring to remove some dead Windows-specific code.

If the command path specified is absolute, we will now individually check that it exists, is a file, and is executable, and raise exceptions appropriately. If it's relative, we will search for it in the specified path, and raise if no executable file is found. And we won't ever consider file paths relative to the cwd, even if the command is specified with a relative path.

----------------------------------------
Bug #5495: Exec resource searches CWD when testing file attributes of executables
https://projects.puppetlabs.com/issues/5495

Author: Luke Bigum
Status: Merged - Pending Release
Priority: High
Assignee: Nick Lewis
Category: exec
Target version: 2.7.x
Affected Puppet version: 2.6.3
Keywords:
Branch:

I've noticed a problem: Exec resources that use an explicit or global default path seem to search the current working directory when testing the attributes on executable commands as part of 'unless', 'onlyif' or 'command' parameters where the binary is unqualified (e.g. "grep" vs "/bin/grep"). If the current working directory contains a file of the same name as what is to be executed in the Puppet manifest, then it may cause the Ruby sanity tests in type/exec.rb to fail. See the following terminal log for a demonstration:

    [root@host ~]# pwd
    /root
    [root@host ~]# cat test.pp
    exec { "test Exec":
        path => "/usr/sbin:/usr/bin:/sbin:/bin",
        command => "echo Woof",
        onlyif => "grep localhost /etc/hosts",
    }
    [root@host ~]# puppet apply test.pp
    notice: /Stage[main]//Exec[test Exec]/returns: executed successfully
    [root@host ~]# touch grep
    [root@host ~]# puppet apply test.pp
    err: /Stage[main]//Exec[test Exec]: Could not evaluate: 'grep' is not executable
    [root@host ~]# rm grep
    rm: remove regular empty file `grep'? y
    [root@host ~]# touch echo
    [root@host ~]# puppet apply test.pp
    err: /Stage[main]//Exec[test Exec]/returns: change from notrun to 0 failed: 'echo' is not executable
    [root@host ~]# rm echo
    rm: remove regular empty file `echo'? y
    [root@host ~]# puppet apply test.pp
    notice: /Stage[main]//Exec[test Exec]/returns: executed successfully

From what I can tell this is not a security issue though. I've tried embedding a shell script of the same name as the binary in the CWD but it looks like it's probably only the Ruby FileTest that has the problem, not the actual execution of binaries:

    [root@host ~]# pwd
    /root
    [root@host ~]# cat grep
    #!/bin/bash
    touch Done_bad_stuff
    [root@host ~]# cat test.pp
    exec { "test Exec":
        path => "/usr/sbin:/usr/bin:/sbin:/bin",
        command => "echo Woof",
        onlyif => "grep localhost /etc/hosts",
    }
    [root@host ~]# puppet apply test.pp
    notice: /Stage[main]//Exec[test Exec]/returns: executed successfully
    [root@host ~]# ls -ld Done_bad_stuff
    ls: Done_bad_stuff: No such file or directory
    [root@host ~]#
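
The resolution rules described in the update above, as an added Ruby example that is not Puppet's own code from the commit. `CommandNotFound`, `resolve_command`, `error_for`, `demo` and the message strings are hypothetical, and skipping relative entries in the search path is an assumption.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

class CommandNotFound < StandardError; end
# Hypothetical helper, not Puppet's code: resolve the executable named by the
# first word of an exec command without ever consulting the cwd.
def resolve_command(command, search_path)
  exe = command.split(/\s+/).first
  if Pathname.new(exe).absolute?
    # Absolute: test existence, file type and execute bit one at a time.
    raise CommandNotFound, "Could not find command '#{exe}'" unless File.exist?(exe)
    raise CommandNotFound, "'#{exe}' is a #{File.ftype(exe)}, not a file" unless File.file?(exe)
    raise CommandNotFound, "'#{exe}' is not executable" unless File.executable?(exe)
    return exe
  end
  search_path.split(File::PATH_SEPARATOR).each do |dir|
    # Assumption: relative entries ("", ".") are skipped; they would mean cwd.
    next unless Pathname.new(dir).absolute?
    candidate = File.join(dir, exe)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  raise CommandNotFound, "Could not find command '#{exe}' in '#{search_path}'"
end

def error_for(command, search_path)
  resolve_command(command, search_path)
  nil
rescue CommandNotFound => e
  e.message
end

# Constructed fixture: cwd holds a non-executable "grep" and an executable "echo"; only bin/grep is on the path.
def demo
  Dir.mktmpdir do |root|
    bin, cwd = File.join(root, 'bin'), File.join(root, 'cwd')
    FileUtils.mkdir_p([bin, cwd])
    { 'bin/grep' => 0o755, 'cwd/grep' => 0o644, 'cwd/echo' => 0o755 }.each do |rel, mode|
      File.write(File.join(root, rel), "#!/bin/sh\nexit 0\n")
      File.chmod(mode, File.join(root, rel))
    end
    Dir.chdir(cwd) do
      { found: resolve_command('grep localhost /etc/hosts', bin) == File.join(bin, 'grep'),
        decoy: error_for(File.join(cwd, 'grep'), bin),
        cwd_only: error_for('echo Woof', ['.', bin].join(File::PATH_SEPARATOR)) }
    end
  end
end
p demo if $PROGRAM_NAME == __FILE__
```

The `found` case is the `touch grep` scenario from the report: the file in the cwd no longer shadows the one on the path, and an executable `echo` that exists only in the cwd is never picked up.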
