Issue #11845 has been updated by Daniel Pittman.

Status changed from Investigating to Duplicate

I found the duplicate, #5224, and have linked the two tickets together.

----------------------------------------
Bug #11845: exec's as non-root user execute with a mixed environment
https://projects.puppetlabs.com/issues/11845

Author: Chris MacLeod
Status: Duplicate
Priority: Normal
Assignee: Daniel Pittman
Category: exec
Target version:
Affected Puppet version: 2.7.9
Keywords:
Branch:

Given the following exec type you would expect it to run as the defined user with a correctly set environment (or at least a sanitized one).

<pre>
exec { 'test-cmd':
  command   => 'env',
  path      => [ '/bin', '/usr/bin', '/usr/local/bin' ],
  logoutput => 'true',
  user      => 'testuser',
}
</pre>

In reality what you get is:

<pre>
debug: Exec[test-cmd](provider=posix): Executing '/bin/env'
debug: Executing '/bin/env'
notice: /Stage[main]//Exec[test-cmd]/returns: HOSTNAME=vm02.XXXXX.com
notice: /Stage[main]//Exec[test-cmd]/returns: TERM=screen
notice: /Stage[main]//Exec[test-cmd]/returns: SHELL=/bin/bash
notice: /Stage[main]//Exec[test-cmd]/returns: HISTSIZE=1000
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_CLIENT=172.17.2.137 62498 22
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_TTY=/dev/pts/0
notice: /Stage[main]//Exec[test-cmd]/returns: USER=root
notice: /Stage[main]//Exec[test-cmd]/returns: LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_AUTH_SOCK=/tmp/ssh-QorKX31223/agent.31223
notice: /Stage[main]//Exec[test-cmd]/returns: COBBLER_SERVER=10.4.0.210
notice: /Stage[main]//Exec[test-cmd]/returns: MAIL=/var/spool/mail/root
notice: /Stage[main]//Exec[test-cmd]/returns: PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/scala/bin:/root/bin
notice: /Stage[main]//Exec[test-cmd]/returns: PWD=/root
notice: /Stage[main]//Exec[test-cmd]/returns: LANG=C
notice: /Stage[main]//Exec[test-cmd]/returns: HISTCONTROL=ignoredups
notice: /Stage[main]//Exec[test-cmd]/returns: SHLVL=1
notice: /Stage[main]//Exec[test-cmd]/returns: HOME=/root
notice: /Stage[main]//Exec[test-cmd]/returns: LOGNAME=root
notice: /Stage[main]//Exec[test-cmd]/returns: CVS_RSH=ssh
notice: /Stage[main]//Exec[test-cmd]/returns: SSH_CONNECTION=XXXXXXXXXX 62498 XXXXXXXXX 22
notice: /Stage[main]//Exec[test-cmd]/returns: LESSOPEN=|/usr/bin/lesspipe.sh %s
notice: /Stage[main]//Exec[test-cmd]/returns: SCALA_HOME=/usr/local/scala
notice: /Stage[main]//Exec[test-cmd]/returns: G_BROKEN_FILENAMES=1
notice: /Stage[main]//Exec[test-cmd]/returns: _=/usr/bin/puppet
notice: /Stage[main]//Exec[test-cmd]/returns: OLDPWD=/root
notice: /Stage[main]//Exec[test-cmd]/returns: LANGUAGE=C
notice: /Stage[main]//Exec[test-cmd]/returns: LC_MESSAGES=C
notice: /Stage[main]//Exec[test-cmd]/returns: LC_ALL=C
notice: /Stage[main]//Exec[test-cmd]/returns: executed successfully
</pre>

Contrast this with the following exec:

<pre>
exec { 'test-cmd2':
  command   => 'id',
  path      => [ '/bin', '/usr/bin', '/usr/local/bin' ],
  logoutput => 'true',
  user      => 'testuser',
}
</pre>

The output looks as follows:

<pre>
debug: Exec[test-cmd](provider=posix): Executing '/usr/bin/id'
debug: Executing '/usr/bin/id'
notice: /Stage[main]//Exec[test-cmd]/returns: uid=500(testuser) gid=501(testuser) groups=501(testuser),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
notice: /Stage[main]//Exec[test-cmd]/returns: executed successfully
</pre>

What's additionally interesting is that the environment is a mix: you have all the groups of the root user in addition to the groups of the target user. Some executions this doesn't bother, but others interpret the environment as root's environment rather than the user in question, which could have potentially harmful side effects when commands are intended to run as an unprivileged user. Even more troublesome still is that from a puppet report/logging standpoint everything executed correctly and only the end results indicate that the desired action was not performed. Administrators would not know these commands were run incorrectly without fairly deep review.
At a minimum this is misleading, at worst it's a potential security vector I'd think (albeit minor). I was able to reproduce this on CentOS 5, 6 (puppet 2.7.6 and 2.7.9) as well as Mac OS X (2.7.9).
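The report shows two separate leaks: root's environment variables survive into the child, and root's supplementary groups are never replaced. As an added illustration (not code from Puppet's exec provider or from the reporter), the Ruby below shows the privilege-drop order and the explicit environment that close both gaps, plus a small audit helper that flags the root-session variables visible in the output above; the function names, `DEFAULT_PATH`, and the sample values are assumptions.

```ruby
require 'etc'

DEFAULT_PATH = '/usr/local/bin:/usr/bin:/bin'.freeze
# Values that betray root's session leaking into a command meant for another
# user: the ones the report's first exec printed.
ROOT_MARKERS = { 'USER' => 'root', 'LOGNAME' => 'root', 'HOME' => '/root',
                 'MAIL' => '/var/spool/mail/root' }.freeze

# Minimal environment for a process running as pw (an Etc::Passwd, or anything
# with name/dir/shell). Nothing from the caller's environment is carried over.
def sanitized_env_for(pw, path = DEFAULT_PATH)
  { 'HOME' => pw.dir, 'USER' => pw.name, 'LOGNAME' => pw.name,
    'SHELL' => pw.shell, 'PATH' => path, 'LANG' => 'C' }
end

# Audit helper for captured `env` output: variables that still point at root's
# session or carry the root login's SSH state. Empty means clean.
def root_leaks(env)
  env.keys.select { |k| ROOT_MARKERS[k] == env[k] || k.start_with?('SSH_') }.sort
end

# Drop privileges in the right order: supplementary groups first (skipping this
# is what leaves root's groups in the `id` output), then gid, then uid.
def drop_privileges_to(pw)
  Process.initgroups(pw.name, pw.gid)
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
end

# Run argv as `user` with only the sanitized environment; returns
# [stdout, Process::Status]. Must be called as root for the drop to succeed.
def run_as(user, argv)
  pw  = Etc.getpwnam(user)
  env = sanitized_env_for(pw)
  r, w = IO.pipe
  pid = fork do
    r.close
    drop_privileges_to(pw)
    # unsetenv_others drops every inherited variable that is not in env
    exec(env, *argv, unsetenv_others: true, out: w, chdir: pw.dir)
  end
  w.close
  out = r.read
  r.close
  Process.wait(pid)
  [out, $?]
end
```

Running `run_as('testuser', ['env'])` as root yields only the six variables from `sanitized_env_for`, and `run_as('testuser', ['id'])` lists only testuser's own groups.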
