Issue #9790 has been updated by Daniel Pittman.

File 0.25.x-9791-TOCTOU-in-ssh-auth-keys-type.patch added
File 2.6.x-9791-TOCTOU-in-ssh-auth-keys-type.patch added

Two patches attached: one for 0.25.x, and one for 2.6.x. The second applies cleanly to 2.7.x as it stands right now, so I am not going to copy it to another name. These are just test fixes and the work of Ricky, which is awesome.

For the release:

Puppet was vulnerable to a race in the `ssh_authorized_keys` type when the target directory and file did not exist. Specifically, we created the directory, ensured it was user-writable, then wrote the file as the user, then finally changed ownership to the user. In the space between the write and chown/chmod operations a user could replace the file with a symbolic link and have the operation apply to anything, anywhere on disk. This would allow privilege escalation to root through standard TOCTOU attack techniques.

Unlike most Puppet types, this risk is exacerbated by the nature of the `ssh_authorized_keys` type: it manages data that is almost exclusively in directories controlled by unprivileged, and likely untrusted, users.

Now, all file operations are done with the privileges of the target user, ensuring that a user can cause no more harm than simply having an account on the system could cause.

Thanks to Ricky Zhou <[email protected]> for discovering the issue, and supplying the fix.

----------------------------------------
Bug #9790: TOCTOU vulnerability in ssh_authorized_keys.
https://projects.puppetlabs.com/issues/9790

Author: Daniel Pittman
Status: Accepted
Priority: Normal
Assignee: Daniel Pittman
Category: security
Target version:
Affected Puppet version:
Keywords:
Branch:

There was a TOCTOU vulnerability in ssh_authorized_keys, and theoretically in the Solaris and AIX providers, where file ownership was given away before it was written. This was bad, because it allowed a user to overwrite arbitrary files as root, if their authorized_keys file was managed.

Credit to Ricky Zhou <[email protected]> for the discovery and fix.
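The race the ticket describes, and the shape of the fix (do the file work with the target user's privileges), as an added Ruby example. This is not Puppet's code and not Ricky Zhou's patch; the user, directory, victim file and key line are all constructed stand-ins, and the demo runs unprivileged, so the privilege drop to the current uid is a no-op (in the real scenario the parent is root and the drop is to the unprivileged account owning `~/.ssh`). The `O_NOFOLLOW` guard is an extra measure added here, not something the ticket mentions.

```ruby
require 'etc'
require 'tmpdir'

# Vulnerable ordering from the bug report: the privileged process writes
# first and hands the file to the user afterwards.  The user already owns
# the directory, so between "write" and "chown" the regular file can be
# swapped for a symlink, and a privileged open(2) follows it anywhere.
def vulnerable_write(path, content, uid, gid)
  File.open(path, 'w') { |f| f.write(content) } # follows symlinks
  File.chown(uid, gid, path)                    # too late to matter
end

# Hardened version: fork, drop to the target user's uid/gid, and only then
# touch the file, so the write can do no more than that user could do with
# a shell.  O_NOFOLLOW (an addition of this example) also refuses to write
# through a symlink even if the uid check were ever wrong.
def write_as_user(path, content, uid, gid)
  pid = fork do
    Process::GID.change_privilege(gid)
    Process::UID.change_privilege(uid)
    flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
    begin
      File.open(path, flags, 0600) { |f| f.write(content) }
      exit!(0)
    rescue SystemCallError # ELOOP on a symlink, EACCES if not ours, ...
      exit!(1)
    end
  end
  Process.wait(pid)
  $?.exitstatus == 0
end

# Constructed scenario: a user-controlled .ssh directory where the place
# authorized_keys should be is already a symlink to some other file.
def demo
  Dir.mktmpdir do |dir|
    uid, gid = Process.uid, Process.gid       # stand-in for the target user
    victim = File.join(dir, 'victim')          # stand-in for any root-owned file
    File.write(victim, "original\n")
    ssh_dir = File.join(dir, '.ssh')
    Dir.mkdir(ssh_dir, 0700)
    key_path = File.join(ssh_dir, 'authorized_keys')
    File.symlink(victim, key_path)             # the attacker's move
    key_line = "ssh-rsa AAAAB3Nza... constructed-example-key\n"

    vulnerable_write(key_path, key_line, uid, gid)
    clobbered = File.read(victim) != "original\n"

    File.write(victim, "original\n")           # reset for the second run
    hardened_ok = write_as_user(key_path, key_line, uid, gid)

    { clobbered: clobbered,
      hardened_refused: !hardened_ok,
      victim_intact: File.read(victim) == "original\n" }
  end
end

if __FILE__ == $0
  p demo
end
```

The vulnerable path overwrites the victim because `File.open(path, 'w')` resolves the symlink with the writer's privileges; the hardened path fails closed. Running the real fix as root, the child would call `change_privilege` with the uid/gid looked up via `Etc.getpwnam(user)` before any `mkdir`, `open` or `chmod` on the user's directory.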
