Issue #9790 has been updated by Daniel Pittman.
I have audited the codebase, and the only other places that use `chown` or `chmod` in even vaguely dubious ways are the AIX and Sun crontab providers. They are dubious only in that they chown the file to the target user, rather than invoking the crontab command as root, which is a limitation of the tool; there shouldn't be any risk here that wouldn't already be present as the appropriate user.

A quick scan suggests we have little risk around other methods, as we don't use (e.g.) access(3) to verify access, rather depending on exceptions to indicate post-hoc failure.

I believe that the changes supplied are sufficient to secure the codebase against this immediate attack, but a full audit of types and providers would be wise, to ensure that we are safely handling files everywhere.

I have a patch ready for 2.6.x, and will attach it, and patches for 0.25, and 2.7.x, once I have merged the changes across.

----------------------------------------
Bug #9790: TOCTOU vulnerability in ssh_authorized_keys.
https://projects.puppetlabs.com/issues/9790

Author: Daniel Pittman
Status: Accepted
Priority: Normal
Assignee: Daniel Pittman
Category: security
Target version:
Affected Puppet version:
Keywords:
Branch:

There was a TOCTOU vulnerability in ssh_authorized_keys, and theoretically in the Solaris and AIX providers, where file ownership was given away before it was written.

This was bad, because it allowed a user to overwrite arbitrary files as root, if their authorized_keys file was managed.

Credit to Ricky Zhou <[email protected]> for the discovery and fix.
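The ordering problem described in the bug (ownership given away before the write) can be avoided by writing first and handing the file over last. The Ruby sketch below is an added example, not Puppet's code and not the patch mentioned above; the helper name `write_then_give_away` and its parameters are hypothetical.

```ruby
require 'fileutils'
require 'securerandom'

# Hypothetical helper (not from Puppet). The privileged process writes a
# brand-new file, and ownership changes only after the content is complete,
# using the already-open descriptor rather than the path name.
def write_then_give_away(path, content, uid, gid, mode = 0o600)
  dir = File.dirname(path)
  tmp = File.join(dir, ".#{File.basename(path)}.#{SecureRandom.hex(8)}")

  # O_CREAT|O_EXCL fails if anything (including a symlink) already exists
  # under this name, so the write always lands in a file we just created.
  flags = File::WRONLY | File::CREAT | File::EXCL
  begin
    File.open(tmp, flags, mode) do |f|
      f.write(content)
      f.flush
      f.fsync
      f.chmod(mode)      # fchmod(2): acts on the descriptor, not the path
      f.chown(uid, gid)  # fchown(2): give the file away only after writing
    end
    # rename(2) replaces the directory entry atomically. If `path` is a
    # symlink, the link itself is replaced and its target is left untouched.
    File.rename(tmp, path)
  rescue StandardError
    FileUtils.rm_f(tmp)
    raise
  end
  path
end
```

This covers only the write-before-chown ordering. It assumes the parent directory is not itself being swapped during the call; where the directory is writable by the target user, doing the write with that user's privileges instead of root's is the more complete approach.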
