Issue #14333 has been updated by Ken Barber.

Assignee set to Ken Barber
Target version set to 2.7.x
Affected Puppet version set to 2.7.16

> Is it safe to assume GNU tar on all systems?

Good question. The answer simply is 'no'.

I will have to suss out the various BSD variants: OpenBSD, DragonflyBSD and FreeBSD and see what options they provide. For Solaris, I'm already edging towards just working with 'gtar' (in fact today Solaris won't work in most cases because 'tar' is often Sun tar). If there are variations, I can always have case statements to handle that. For example BSD tar support in Darwin has the -o option (--no-same-owner), but not the --no-same-permissions switch. It's almost a shame we don't have a fact for telling us what variant of tar is in the path :-).

For Windows, we're probably going to have to ship a Ruby tar library, so we should be able to keep control. At the moment it isn't supported.

Of course I'm happy to fall back to a chown if this works out badly, just exploring possibilities now.

----------------------------------------
Bug #14333: Tool should check/unset uid/gid of files in tarball before installing and/or building
https://projects.puppetlabs.com/issues/14333#change-65380

Author: Michael Arnold
Status: Accepted
Priority: Normal
Assignee: Ken Barber
Category: module tool
Target version: 2.7.x
Affected Puppet version: 2.7.16
Keywords: security
Branch:

PMT should cleanse uid/gid in module tarball:

When running PMT as root, tarball contents are blown open using the UID/GID provided in the tarball. This could be a security problem as files could be owned by non-root users on the puppetmaster.

<pre>
# puppet help|tail -1
Puppet v2.7.14
# puppet module install razorsedge-vmwaretools
Preparing to install into /etc/puppet/modules ...
Downloading from http://forge.puppetlabs.com ...
Installing -- do not interrupt ...
/etc/puppet/modules
└── razorsedge-vmwaretools (v4.0.0)
# ls -l /etc/puppet/modules
total 16
drwxr-xr-x. 8 502 games 4096 May 5 18:55 stdlib
drwxrwxrwx. 5 500 install 4096 May 5 18:58 vmwaretools
</pre>

Solution: Have PMT `chown -R 0:0 moduledir` after download.
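
A pre-extraction check of the kind the issue title asks for, as an added example (not Puppet's or PMT's code): it reads the ustar headers of an archive and reports entries that would end up with a non-root owner or a group/world-writable mode when unpacked as root. The names `tar_entry`, `risky_entries` and `SAMPLE`, and the sample archive itself, are constructed for illustration.

```ruby
require "stringio"

# ustar header fields: name, mode, uid, gid, size, mtime, chksum, typeflag,
# linkname, magic, version, uname, gname, devmajor, devminor, prefix, padding.
USTAR = "a100a8a8a8a12a12a8a1a100a6a2a32a32a8a8a155a12"

# Build one header block plus padded data; used only for the constructed sample.
def tar_entry(name, mode, uid, gid, data = "", type = "0")
  header = [name, "%07o" % mode, "%07o" % uid, "%07o" % gid,
            "%011o" % data.bytesize, "%011o" % 0, " " * 8, type,
            "", "ustar", "00", "", "", "", "", "", ""].pack(USTAR)
  header[148, 8] = ("%06o" % header.bytes.sum) + "\0 " # checksum at offset 148
  header + data + "\0" * ((-data.bytesize) % 512)
end

# Report entries that would be left with a non-root owner or a group/world-
# writable mode if the archive were unpacked as root with ownership preserved.
# GNU long-name and pax extended headers are not interpreted here.
def risky_entries(io)
  findings = []
  while (header = io.read(512)) && header.bytesize == 512
    break if header.count("\0") == 512 # end-of-archive marker
    f = header.unpack(USTAR)
    name = [f[15], f[0]].map { |s| s.delete("\0") }.reject(&:empty?).join("/")
    mode, uid, gid, size = f[1].oct, f[2].oct, f[3].oct, f[4].oct
    io.seek((size + 511) / 512 * 512, IO::SEEK_CUR) # skip the file data
    problems = []
    problems << "uid=#{uid}" unless uid.zero?
    problems << "gid=#{gid}" unless gid.zero?
    problems << format("mode=%04o", mode & 0o7777) if (mode & 0o022) != 0
    findings << [name, problems] unless problems.empty?
  end
  findings
end

# Constructed sample: uid/gid 500 and mode 0777 resemble the listing in the report.
SAMPLE = tar_entry("vmwaretools/", 0o777, 500, 500, "", "5") +
         tar_entry("vmwaretools/Modulefile", 0o644, 500, 500, "name 'x'\n") +
         tar_entry("vmwaretools/README", 0o644, 0, 0, "ok\n") +
         "\0" * 1024

risky_entries(StringIO.new(SAMPLE)).each { |name, why| puts "#{name}: #{why.join(', ')}" }
```

Because it inspects the archive rather than calling `tar`, the check does not depend on which tar variant is in the path.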
