Issue #14333 has been updated by Ken Barber.
> It might be simpler to run checks on packages in puppet forge at the upload
> stage to standardise the file ownership and run some checks on permissions.
> (eg files should not be executable or suid). Doing the checks in the forge
> gets you away from issues like what version of tar you are running, and also
> improves quality for people who download from the forge without using `puppet
> module install`.

Absolutely. Both sides need to be covered I would argue, as someone might create a puppet module, and ship it outside of the forge. So for this very reason, we still don't completely get away from worrying about the version of system tar.

----------------------------------------
Bug #14333: Tool should check/unset uid/gid of files in tarball before installing and/or building
https://projects.puppetlabs.com/issues/14333#change-70103

Author: Michael Arnold
Status: Needs Decision
Priority: Normal
Assignee: Ken Barber
Category: module tool
Target version: 2.7.x
Affected Puppet version: 2.7.16
Keywords: security
Branch: https://github.com/kbarber/puppet/tree/ticket/2.7.x/14333-no_permission_preserve

PMT should cleanse uid/gid in module tarball:

When running PMT as root, tarball contents are blown open using the UID/GID provided in the tarball. This could be a security problem as files could be owned by non-root users on the puppetmaster.

<pre>
# puppet help|tail -1
Puppet v2.7.14
# puppet module install razorsedge-vmwaretools
Preparing to install into /etc/puppet/modules ...
Downloading from http://forge.puppetlabs.com ...
Installing -- do not interrupt ...
/etc/puppet/modules
└── razorsedge-vmwaretools (v4.0.0)
# ls -l /etc/puppet/modules
total 16
drwxr-xr-x. 8 502 games   4096 May  5 18:55 stdlib
drwxrwxrwx. 5 500 install 4096 May  5 18:58 vmwaretools
</pre>

Solution: Have PMT `chown -R 0:0 moduledir` after download.
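The two sides discussed above, the upload-stage check on the forge and the cleanse PMT should apply before anything reaches disk, as an added Python example that is not part of the ticket, the linked branch or Puppet's own code. The sample archive, its uid/gid 500 "build"/"install" owner and the member names are constructed to mirror the `ls -l` output in the report, not taken from any real forge module.

```python
import io
import stat
import tarfile


def build_sample_tarball():
    """Constructed sample: module packed by uid/gid 500, world-writable dir, setuid helper."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in (("vmwaretools", 0o777, None),
                                 ("vmwaretools/Modulefile", 0o644, b"name 'x-y'\n"),
                                 ("vmwaretools/files/helper", 0o4755, b"#!/bin/sh\n")):
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, 500, 500  # assumed unprivileged packer
            info.uname, info.gname = "build", "install"
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(data):
    """Forge-side check: members that root would extract foreign-owned, suid/sgid, exec or o+w."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.uid != 0 or m.gid != 0:
                findings.append("%s: owner %d:%d is not root" % (m.name, m.uid, m.gid))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append("%s: setuid/setgid bit set (%o)" % (m.name, m.mode))
            if m.isfile() and m.mode & 0o111:
                findings.append("%s: executable file (%o)" % (m.name, m.mode))
            if m.mode & stat.S_IWOTH:
                findings.append("%s: world-writable (%o)" % (m.name, m.mode))
    return findings


def sanitize_tarball(data):
    """Installer-side cleanse: rewrite headers to root:root and strip risky bits (tar-version independent)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            m.uid = m.gid = 0
            m.uname = m.gname = "root"
            m.mode &= ~(stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH)
            if m.isfile():
                m.mode &= ~0o111  # per the quoted proposal: files should not be executable
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()
```

Rewriting the headers before extraction does for PMT what the post-install `chown -R 0:0` does, without ever leaving a window where files sit on the puppetmaster under the packer's uid.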
