Issue #5495 has been updated by Nick Lewis.

Status changed from Accepted to Merged - Pending Release

A fix for this has been merged to 2.7.x in 
commit:1049458461b5ec5e1e48ad0244d63eb24626b09d, along with some refactoring to 
remove some dead Windows-specific code.

If the command path specified is absolute, we will now individually check that 
it exists, is a file, and is executable, and raise exceptions appropriately. If 
it's relative, we will search for it in the specified path, and raise if no 
executable file is found. And we won't ever consider file paths relative to the 
cwd, even if the command is specified with a relative path.
----------------------------------------
Bug #5495: Exec resource searches CWD when testing file attributes of 
executables
https://projects.puppetlabs.com/issues/5495

Author: Luke Bigum
Status: Merged - Pending Release
Priority: High
Assignee: Nick Lewis
Category: exec
Target version: 2.7.x
Affected Puppet version: 2.6.3
Keywords: 
Branch: 


I've noticed a problem where Exec resources that use an explicit or global 
default path seem to search the current working directory when testing the 
attributes on executable commands as part of 'unless', 'onlyif' or 'command' 
parameters where the binary is unqualified (e.g. "grep" vs "/bin/grep"). If 
the current working directory contains a file of the same name as what is to be 
executed in the Puppet manifest, then it may cause the Ruby sanity tests in 
type/exec.rb to fail.

See the following terminal log for a demonstration:

    [root@host ~]# pwd
    /root
    [root@host ~]# cat test.pp
    exec { "test Exec":
    path => "/usr/sbin:/usr/bin:/sbin:/bin",
    command => "echo Woof",
    onlyif => "grep localhost /etc/hosts",
    }
    [root@host ~]# puppet apply test.pp
    notice: /Stage[main]//Exec[test Exec]/returns: executed successfully
    [root@host ~]# touch grep
    [root@host ~]# puppet apply test.pp
    err: /Stage[main]//Exec[test Exec]: Could not evaluate: 'grep' is not executable
    [root@host ~]# rm grep
    rm: remove regular empty file `grep'? y
    [root@host ~]# touch echo
    [root@host ~]# puppet apply test.pp
    err: /Stage[main]//Exec[test Exec]/returns: change from notrun to 0 failed: 'echo' is not executable
    [root@host ~]# rm echo
    rm: remove regular empty file `echo'? y
    [root@host ~]# puppet apply test.pp
    notice: /Stage[main]//Exec[test Exec]/returns: executed successfully

From what I can tell this is not a security issue though. I've tried embedding 
a shell script of the same name as the binary in the CWD but it looks like 
it's probably only the Ruby FileTest that has the problem, not the actual 
execution of binaries:

    [root@host ~]# pwd
    /root
    [root@host ~]# cat grep
    #!/bin/bash
    touch Done_bad_stuff
    [root@host ~]# cat test.pp
    exec { "test Exec":
    path => "/usr/sbin:/usr/bin:/sbin:/bin",
    command => "echo Woof",
    onlyif => "grep localhost /etc/hosts",
    }
    [root@host ~]# puppet apply test.pp
    notice: /Stage[main]//Exec[test Exec]/returns: executed successfully
    [root@host ~]# ls -ld Done_bad_stuff
    ls: Done_bad_stuff: No such file or directory
    [root@host ~]#
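
The checks described in the update at the top of this notification, as an added Ruby example that is not part of the original message and is not Puppet's code. `CommandError`, `resolve_command`, `error_for` and `demo` are hypothetical names, POSIX paths are assumed, and skipping relative search-path entries is this example's own choice.

```ruby
require 'tmpdir'
require 'fileutils'

class CommandError < ArgumentError; end

# Hypothetical helper (not Puppet's code): return the full path of `exe`, or raise.
def resolve_command(exe, search_path)
  if exe.start_with?('/')
    # Absolute: check each property separately so the error says what is wrong.
    raise CommandError, "Could not find command '#{exe}'" unless File.exist?(exe)
    raise CommandError, "'#{exe}' is a #{File.ftype(exe)}, not a file" unless File.file?(exe)
    raise CommandError, "'#{exe}' is not executable" unless File.executable?(exe)
    return exe
  end
  search_path.split(File::PATH_SEPARATOR).each do |dir|
    # Assumption of this example: empty, '.' and other relative entries are
    # skipped, so a lookup can never land in the current working directory.
    next unless dir.start_with?('/')
    candidate = File.join(dir, exe)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  raise CommandError, "Could not find command '#{exe}' in path '#{search_path}'"
end

# Return the error message for a lookup, or nil if it resolves.
def error_for(exe, search_path)
  resolve_command(exe, search_path)
  nil
rescue CommandError => e
  e.message
end

# Constructed scenario mirroring the report: a non-executable `grep` decoy in
# the cwd, and a stub `grep` in a directory on the search path.
def demo
  Dir.mktmpdir do |root|
    bin, cwd = File.join(root, 'bin'), File.join(root, 'cwd')
    FileUtils.mkdir_p([bin, cwd])
    FileUtils.touch(File.join(cwd, 'grep'))
    real = File.join(bin, 'grep')
    File.write(real, "#!/bin/sh\nexit 0\n")
    File.chmod(0755, real)
    Dir.chdir(cwd) do
      { resolved: resolve_command('grep', bin) == real,
        dot_entry: resolve_command('grep', ".:#{bin}") == real,
        decoy: error_for(File.join(cwd, 'grep'), bin),
        cwd_only: error_for('grep', '.') }
    end
  end
end
```

Calling `demo` shows that the decoy in the working directory no longer affects an unqualified `grep`, and that it is rejected as "not executable" only when named by its absolute path.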

