Issue #8986 has been updated by Daniel Pittman.

File ricky-zhou-security.patch added

Ricky Zhou, on the mailing list, says:


This seems dangerous, as when the authorized_keys file is in a location
that is writable by the user, the user can make it a symlink to, say,
/etc/shadow and get puppet to write to it.

Looking at the rest of this code, there is currently a chown that occurs
before privileges are dropped, which looks like it might be a security
vulnerability:

In the flush method in lib/puppet/provider/ssh_authorized_key/parsed.rb:

   unless File.exist?(dir = File.dirname(target))
     Puppet.debug "Creating #{dir}"
     Dir.mkdir(dir, dir_perm)
     File.chown(uid, nil, dir)
   end

If a user manages to replace the directory with a symlink to /etc right before
the chown call, then it will be chowned to the user (chown follows symlinks,
lchown does not).

The chown and chmod commands at the end of the function are also potentially
dangerous, since both of these will follow symlinks.  Here's a patch which
moves both of these into the block which is run with dropped privileges.  I
removed the chown call entirely, as the file should already be owned
by the right user when it's created.
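
Added example, not part of the original message or of the Puppet code base: it shows a path-based chmod landing on a symlink's target, next to a variant that opens the file with O_NOFOLLOW and changes owner and mode through the descriptor. The helper names (chmod_by_path, write_keys_nofollow, demo) are hypothetical, and the files are constructed in a temporary directory.

```ruby
require 'tmpdir'

# Path-based call, as in the code quoted above: File.chmod resolves symlinks,
# so the mode change lands on whatever the path points at.
def chmod_by_path(path, mode)
  File.chmod(mode, path)
end

# Hardened variant (hypothetical helper): refuse a symlink at the final path
# component, then change owner and mode through the open descriptor.
def write_keys_nofollow(path, content, uid, mode = 0o600)
  flags = File::WRONLY | File::CREAT | File::NOFOLLOW
  File.open(path, flags, mode) do |f|
    st = f.stat
    # Reject non-regular files and hard links to some other file.
    raise SecurityError, "#{path}: unexpected file type" unless st.file? && st.nlink == 1
    f.chown(uid, nil)   # fchown(2): acts on the opened inode, not the path
    f.chmod(mode)       # fchmod(2)
    f.truncate(0)
    f.write(content)
  end
  :written
rescue Errno::ELOOP, Errno::EMLINK   # O_NOFOLLOW hit a symlink
  :refused_symlink
end

def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, 'victim')           # constructed stand-in for a sensitive file
    link   = File.join(dir, 'authorized_keys')  # user-controlled path
    File.write(victim, "secret\n")
    File.chmod(0o600, victim)
    File.symlink(victim, link)

    chmod_by_path(link, 0o644)                  # follows the link
    after_unsafe = File.stat(victim).mode & 0o777

    File.chmod(0o600, victim)                   # reset, then try the hardened path
    result = write_keys_nofollow(link, "ssh-rsa CONSTRUCTED-KEY user@example\n", Process.uid)
    { after_unsafe: after_unsafe, result: result,
      after_safe: File.stat(victim).mode & 0o777, victim_content: File.read(victim) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

O_NOFOLLOW only covers the last path component; a symlinked parent directory, as in the mkdir/chown case above, is not caught by it, which is why the patch runs these calls with dropped privileges.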

----------------------------------------
Bug #8986: ssh_authorized_key not setting user permissions in the proper manner.
https://projects.puppetlabs.com/issues/8986

Author: Trevor Vaughan
Status: In Topic Branch Pending Merge
Priority: Normal
Assignee: Kelsey Hightower
Category: ssh
Target version: 
Affected Puppet version: 2.7.3
Keywords: 
Branch: https://github.com/khightower/puppet/commits/bug/master/8986


In the olden days, ssh_authorized_key, when provided with the 'user' option, 
would simply set the ownership of the key to that user.

This worked as I expected.

Now, the ssh_authorized_key type appears to try to write the file *as* the 
user. This is incorrect since you may, or may not, be writing the key to 
somewhere that the user is allowed write access.

To work around this problem, you need to declare a file statement for every 
ssh_authorized_key statement which is cumbersome.

