Issue #14333 has been updated by Andrew McNaughton.

Ken Barber wrote:
> > Is it safe to assume GNU tar on all systems?
> 
> Good question. 
> 
> The answer simply is 'no'. I will have to suss out the various BSD variants: 
> OpenBSD, DragonflyBSD and FreeBSD and see what options they provide. For 
> Solaris, I'm already edging towards just working with 'gtar' (in fact today 
> Solaris won't work in most cases because 'tar' is often Sun tar).
> 
> If there are variations, I can always have case statements to handle that. 
> For example BSD tar support in Darwin has the -o option (--no-same-owner), but 
> not the --no-same-permissions switch. It's almost a shame we don't have a fact 
> for telling us what variant of tar is in the path :-).
> 
> For Windows, we're probably going to have to ship a Ruby tar library, so we 
> should be able to keep control. At the moment it isn't supported.
> 
> Of course I'm happy to fall back to a chown if this works out badly, just 
> exploring possibilities now.

It might be simpler to run checks on packages in Puppet Forge at the upload 
stage to standardise the file ownership and run some checks on permissions 
(e.g. files should not be executable or suid).  Doing the checks in the Forge 
gets you away from issues like what version of tar you are running, and also 
improves quality for people who download from the Forge without using `puppet 
module install`.

----------------------------------------
Bug #14333: Tool should check/unset uid/gid of files in tarball before 
installing and/or building
https://projects.puppetlabs.com/issues/14333#change-70102

Author: Michael Arnold
Status: Needs Decision
Priority: Normal
Assignee: Ken Barber
Category: module tool
Target version: 2.7.x
Affected Puppet version: 2.7.16
Keywords: security
Branch: https://github.com/kbarber/puppet/tree/ticket/2.7.x/14333-no_permission_preserve


PMT should cleanse uid/gid in module tarball: When running PMT as root, tarball 
contents are blown open using the UID/GID provided in the tarball.  This could 
be a security problem as files could be owned by non-root users on the 
puppetmaster.

<pre># puppet help|tail -1
Puppet v2.7.14

# puppet module install razorsedge-vmwaretools
Preparing to install into /etc/puppet/modules ...
Downloading from http://forge.puppetlabs.com ...
Installing -- do not interrupt ...
/etc/puppet/modules
└── razorsedge-vmwaretools (v4.0.0)

# ls -l /etc/puppet/modules
total 16
drwxr-xr-x. 8 502 games   4096 May  5 18:55 stdlib
drwxrwxrwx. 5 500 install 4096 May  5 18:58 vmwaretools
</pre>
Solution: Have PMT `chown -R 0:0 moduledir` after download.
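
The upload-stage check suggested in the reply above, sketched as an added example (not code from Puppet, the Forge, or the linked branch): it reads the ownership and mode recorded in each tar header with Ruby's bundled `Gem::Package::TarReader`, so it does not depend on which `tar` is in the path. The function name, the sample archive and the choice of checks are assumptions made for illustration.

```ruby
require 'rubygems/package'
require 'stringio'

# Added example (not Puppet or Forge code): report tar entries whose recorded
# owner or mode would be unsafe if extracted as root with ownership preserved.
def audit_module_tarball(io)
  findings = {}
  Gem::Package::TarReader.new(io).each do |entry|
    h = entry.header
    problems = []
    problems << "uid=#{h.uid}" unless h.uid.zero?
    problems << "gid=#{h.gid}" unless h.gid.zero?
    problems << 'setuid/setgid' unless (h.mode & 0o6000).zero?
    problems << 'world-writable' unless (h.mode & 0o002).zero?
    problems << 'executable file' if entry.file? && !(h.mode & 0o111).zero?
    findings[entry.full_name] = problems unless problems.empty?
  end
  findings
end

# Constructed sample archive, built in memory; names, ids and modes are made up.
def tar_member(name, mode, uid, gid, data = '', typeflag = '0')
  header = Gem::Package::TarHeader.new(
    name: name, mode: mode, uid: uid, gid: gid,
    size: data.bytesize, prefix: '', typeflag: typeflag
  ).to_s
  header + data + "\0" * ((512 - data.bytesize % 512) % 512)
end

SAMPLE_TARBALL = [
  tar_member('vmwaretools/', 0o777, 500, 500, '', '5'),
  tar_member('vmwaretools/manifests/init.pp', 0o644, 0, 0, "class vmwaretools {}\n"),
  tar_member('vmwaretools/files/helper', 0o4755, 500, 500, "#!/bin/sh\n"),
  "\0" * 1024 # end-of-archive marker
].join

if __FILE__ == $PROGRAM_NAME
  audit_module_tarball(StringIO.new(SAMPLE_TARBALL)).each do |name, problems|
    puts "#{name}: #{problems.join(', ')}"
  end
end
```

An empty result means every entry is recorded as 0:0 with no setuid, setgid, world-writable or executable-file bits; the same header fields are what a tar extraction run as root would apply.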


