Issue #10908 has been updated by Daniel Pittman.

Subject changed from security problem -- puppet executing files in local 
directory, ignoring configured path when running OnlyIf/Unless to puppet 
executing files in local directory, ignoring configured path when running 
OnlyIf/Unless
Status changed from Needs Decision to Rejected
Assignee changed from Daniel Pittman to Dan Lowe

Hey.  So, we investigated and this isn't a security issue.  We might mistakenly 
think that we can run a command, but it will never execute something from the 
wrong directory.

This is actually fixed in the 2.7 series, and given the relatively fragile 
nature of this code we are not inclined to fix the problem in this release.

----------------------------------------
Bug #10908: puppet executing files in local directory, ignoring configured path 
when running OnlyIf/Unless
https://projects.puppetlabs.com/issues/10908

Author: Jo Rhett
Status: Rejected
Priority: Urgent
Assignee: Dan Lowe
Category: exec
Target version: 
Affected Puppet version: 2.6.12
Keywords: 
Branch: 


For reasons unclear to me, OnlyIf and Unless are checking file permissions in 
the current directory when running puppet agent or puppet apply, even though

1. Current directory is not in the user's path
2. Current directory is not in the configured path

This causes puppet manifests to fail based on files in the local directory.

<pre>
$ vim insecure.pp
exec { test:
  path      => '/bin:/usr/bin',
  command   => 'echo secure',
  onlyif    => 'test -d /tmp',
  logoutput => true,
}
$ touch test
$ chmod 444 test
$ puppet apply insecure.pp
err: /Stage[main]//Exec[test]: Could not evaluate: 'test' is not executable
notice: Finished catalog run in 0.08 seconds
</pre>

Oddly enough, it doesn't seem to execute it -- just checks the permissions.

<pre>
$ chmod 755 test
$ puppet apply insecure.pp
notice: /Stage[main]//Exec[test]/returns: secure
notice: /Stage[main]//Exec[test]/returns: executed successfully
notice: Finished catalog run in 0.17 seconds
</pre>

This is at least a random failure case based on files in the puppet agent's 
current directory, but I'm sure this is an exploitable security bug somehow.
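
The behaviour the report describes is a command-existence check that looks at the working directory instead of the configured `path`. Below is an added Ruby example (not Puppet's own code, and not how the 2.7 fix is implemented) of a resolver that consults only absolute directories from the configured path, refuses relative command paths, and rebuilds the reporter's setup (a non-executable decoy named `test` in the working directory) in a scratch directory to show the decoy has no effect; `resolve_command` and `demo_lookup` are names chosen for this example.

```ruby
# Added example (not Puppet's own code): resolve a command's first word
# against an explicit search path, never the current working directory.
require 'tmpdir'
require 'fileutils'

# Resolve the first word of +command+ against the colon-separated +path+.
# Returns the absolute path of the first executable match, or nil.
# Bare names are looked up only in absolute directories listed in +path+;
# entries such as "" or "." (which POSIX treats as the working directory)
# are ignored, and a relative path in the command itself is refused.
def resolve_command(command, path)
  name = command.to_s.strip.split(/\s+/).first
  return nil if name.nil? || name.empty?
  if name.include?('/')
    return nil unless name.start_with?('/')            # refuse ./x or a/b
    return File.file?(name) && File.executable?(name) ? name : nil
  end
  path.to_s.split(':').each do |dir|
    next unless dir.start_with?('/')                   # skip "", ".", "bin"
    candidate = File.join(dir, name)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Rebuild the report's setup in a scratch directory: a mode-444 file named
# "test" in the working directory (the decoy) and a real executable "test"
# in a directory that is on the configured path. Returns what each lookup found.
def demo_lookup
  Dir.mktmpdir do |root|
    bindir = File.join(root, 'bin')
    cwd    = File.join(root, 'work')
    FileUtils.mkdir_p([bindir, cwd])
    real = File.join(bindir, 'test')
    File.write(real, "#!/bin/sh\nexit 0\n")
    File.chmod(0755, real)
    decoy = File.join(cwd, 'test')
    File.write(decoy, '')
    File.chmod(0444, decoy)
    Dir.chdir(cwd) do
      {
        configured: resolve_command('test -d /tmp', bindir), # found in bindir
        cwd_only:   resolve_command('test -d /tmp', '.'),    # nil: cwd ignored
        expected:   real,
      }
    end
  end
end

puts demo_lookup.inspect if $PROGRAM_NAME == __FILE__
```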

