[Puppet - Bug #11845] (Unreviewed) exec's as non-root user execute with a mixed environment

[tickets]

Issue #11845 has been reported by Chris MacLeod.

----------------------------------------
Bug #11845: exec's as non-root user execute with a mixed environment
https://projects.puppetlabs.com/issues/11845

Author: Chris MacLeod
Status: Unreviewed
Priority: Normal
Assignee: 
Category: exec
Target version: 
Affected Puppet version: 2.7.9
Keywords: 
Branch: 


Given the following exec type you would expect it to run as the defined user 
with a correctly set environment (or at least a sanitized one).

exec { 'test-cmd':
  command => 'env',
  path => [ '/bin', '/usr/bin', '/usr/local/bin' ],
  logoutput => 'true',
  user => 'testuser',
}

In reality what you get is:
debug: Exec[test-cmd](provider=posix): Executing '/bin/env'
debug: Executing '/bin/env'
notice: /Stage[main]//Exec[test-cmd]/returns: HOSTNAME=vm02.XXXXX.com
notice: /Stage[main]//Exec[test-cmd]/returns: TERM=screen
notice: /Stage[main]//Exec[test-cmd]/returns: SHELL=/bin/bash
notice: /Stage[main]//Exec[test-cmd]/returns: HISTSIZE=1000
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_CLIENT=172.17.2.137 62498 22
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_TTY=/dev/pts/0
notice: /Stage[main]//Exec[test-cmd]/returns: USER=root
notice: /Stage[main]//Exec[test-cmd]/returns: 
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
notice: /Stage[main]//Exec[test-cmd]/returns: 
SSH_AUTH_SOCK=/tmp/ssh-QorKX31223/agent.31223
notice: /Stage[main]//Exec[test-cmd]/returns: COBBLER_SERVER=10.4.0.210
notice: /Stage[main]//Exec[test-cmd]/returns: MAIL=/var/spool/mail/root
notice: /Stage[main]//Exec[test-cmd]/returns: 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/scala/bin:/root/bin
notice: /Stage[main]//Exec[test-cmd]/returns: PWD=/root
notice: /Stage[main]//Exec[test-cmd]/returns: LANG=C
notice: /Stage[main]//Exec[test-cmd]/returns: HISTCONTROL=ignoredups
notice: /Stage[main]//Exec[test-cmd]/returns: SHLVL=1
notice: /Stage[main]//Exec[test-cmd]/returns: HOME=/root
notice: /Stage[main]//Exec[test-cmd]/returns: LOGNAME=root
notice: /Stage[main]//Exec[test-cmd]/returns: CVS_RSH=ssh
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_CONNECTION=XXXXXXXXXX 62498 
XXXXXXXXX 22
notice: /Stage[main]//Exec[test-cmd]/returns: LESSOPEN=|/usr/bin/lesspipe.sh %s
notice: /Stage[main]//Exec[test-cmd]/returns: SCALA_HOME=/usr/local/scala
notice: /Stage[main]//Exec[test-cmd]/returns: G_BROKEN_FILENAMES=1
notice: /Stage[main]//Exec[test-cmd]/returns: _=/usr/bin/puppet
notice: /Stage[main]//Exec[test-cmd]/returns: OLDPWD=/root
notice: /Stage[main]//Exec[test-cmd]/returns: LANGUAGE=C
notice: /Stage[main]//Exec[test-cmd]/returns: LC_MESSAGES=C
notice: /Stage[main]//Exec[test-cmd]/returns: LC_ALL=C
notice: /Stage[main]//Exec[test-cmd]/returns: executed successfully

Contrast this with the following exec

exec { 'test-cmd2':
  command => 'id',
  path => [ '/bin', '/usr/bin', '/usr/local/bin' ],
  logoutput => 'true',
  user => 'testuser',
}

The output looks as follows:
debug: Exec[test-cmd](provider=posix): Executing '/usr/bin/id'
debug: Executing '/usr/bin/id'
notice: /Stage[main]//Exec[test-cmd]/returns: uid=500(testuser) 
gid=501(testuser) 
groups=501(testuser),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
notice: /Stage[main]//Exec[test-cmd]/returns: executed successfully

What's additionally interesting is that the environment is a mix, you have all 
the groups of the root user in addition to the groups of the target user.

Some executions this doesn't bother, but others interpret the environment as 
root's environment rather than the user in question, which could have 
potentially harmful side effects when commands are intended to run as an 
unprivileged user.  Even more troublesome still is that from a puppet 
report/logging standpoint everything executed correctly and only the end 
results indicate that the desired action was not performed.  Administrators 
would not know these commands were run incorrectly without fairly deep review.

At a minimum this is misleading, at worst it's a potential security vector I'd 
think (albiet minor).

I was able to reproduce this on centos 5, 6 (puppet 2.7.6 and 2.7.9) as well as 
macosx (2.7.9).


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://projects.puppetlabs.com/my/account

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to puppet-bugs@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-bugs+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en.