Issue #19423 has been updated by Dominic Cleal.

Status changed from Unreviewed to Rejected

I think this is just down to how Puppet reports the change - it appears to be 
doing the correct thing.  Puppet first creates a temporary file with the 
expected permissions (taken from the mode property), then renames it over the 
top of the existing one.

    $ ll /tmp/foo
    -rw-r--r--. 1 dcleal dcleal 0 Feb 23 18:44 /tmp/foo
    $ puppet apply -e 'file { "/tmp/foo": mode => 0600, content => "bar" }'
    
    From: /home/dcleal/code/puppet/puppet/lib/puppet/type/file.rb @ line 742 file#write:
    
        737:       ensure
        738:         # Make sure the created file gets removed
        739:         ::File.unlink(path) if FileTest.exists?(path)
        740:       end
        741:     end
     => 742: binding.pry
        743:     # make sure all of the modes are actually correct
        744:     property_fix
        745: 
        746:   end
        747: 
    
    [1] pry(#<Puppet::Type::File>)> . ls -l /tmp/foo
    -rw-------. 1 dcleal dcleal 3 Feb 23 18:46 /tmp/foo
    [2] pry(#<Puppet::Type::File>)> 
    Notice: /Stage[main]//File[/tmp/foo]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}37b51d194a7513e45b56f6524f2d51f2'
    Notice: /Stage[main]//File[/tmp/foo]/mode: mode changed '0644' to '0600'
    Notice: Finished catalog run in 7.77 seconds

----------------------------------------
Bug #19423: Puppet puts contents into files before adjusting permissions.
https://projects.puppetlabs.com/issues/19423#change-83774

Author: Tobias Hunger
Status: Rejected
Priority: Normal
Assignee: 
Category: file
Target version: 
Affected Puppet version: development
Keywords: file
Branch: master


I am configuring SSH via puppet using this configuration:
    file { "/etc/ssh/sshd_config" :
        ensure => present,
        owner => "root",
        group => "root",
        mode => 0600,
        source => "puppet:///modules/openssh/sshd_config",
    }

Checking the log I noticed that puppet puts the contents into the file and only 
then adjusts the permissions from 644 to 600. This could potentially lead to 
information in this file being disclosed to local users.

Could you please create an empty file, set owner and group and permissions on 
it and only then add the contents?
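To make the ordering concern in this report, and the temp-file-then-rename behaviour Dominic describes in his comment, concrete, here is an added Ruby example (not Puppet's own code, and not part of either message). It compares two write strategies against a pre-existing 0644 file and reports the permission bits an observer would see at the moment the new content first becomes readable at the target path. The helper names `naive_write`, `safe_write`, `permission_bits` and `compare_strategies` are hypothetical, as is the temp-file naming scheme; the sample content and paths are constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Permission bits of the file at +path+ (owner/group/other only).
def permission_bits(path)
  File.stat(path).mode & 0o777
end

# Naive order: reuse the existing inode (and its old mode), write the new
# content, then chmod. Between the write and the chmod the secret content
# sits on disk with the old, possibly wider, permissions. The block receives
# the bits observed in that window so the caller can see the exposure.
def naive_write(path, content, mode)
  File.write(path, content)            # inherits whatever mode the file already had
  observed = yield(permission_bits(path)) if block_given?
  File.chmod(mode, path)
  observed
end

# Puppet-style order as described in the comment above: create a sibling
# temp file that never had wider permissions, write to it, fsync, then
# rename it over the target. rename(2) is atomic, so the target path is
# never seen holding the new content under the old permissions.
def safe_write(path, content, mode)
  tmp = File.join(File.dirname(path), ".#{File.basename(path)}.#{Process.pid}.tmp")
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    f.chmod(mode)                      # explicit: the open(2) perm is masked by umask
    f.write(content)
    f.fsync
  end
  File.rename(tmp, path)
  observed = yield(permission_bits(path)) if block_given?
  observed
ensure
  File.unlink(tmp) if tmp && File.exist?(tmp)   # clean up if the rename never happened
end

# Run both strategies against a world-readable pre-existing file, like the
# 0644 sshd_config in the report, and return the mode seen at the risky
# moment for each. Also checks that both end with the right mode and content.
def compare_strategies
  Dir.mktmpdir do |dir|
    results = {}
    { naive: method(:naive_write), safe: method(:safe_write) }.each do |name, writer|
      target = File.join(dir, 'sshd_config')
      File.write(target, "old public content\n")   # constructed starting state
      File.chmod(0o644, target)
      results[name] = writer.call(target, "secret\n", 0o600) { |bits| bits }
      raise "final mode wrong for #{name}" unless permission_bits(target) == 0o600
      raise "content wrong for #{name}" unless File.read(target) == "secret\n"
      File.unlink(target)
    end
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_strategies.each do |name, bits|
    printf("%-6s content first visible at mode %04o\n", name, bits)
  end
end
```

Run with `ruby` directly: the naive strategy reports the new content first visible at 0644, the rename-based one at 0600. The `f.chmod` inside `safe_write` is there because the permission argument to `open` is still subject to the process umask; chmod on the open descriptor pins the mode before any content is written, and creating the temp file in the same directory keeps the final `rename` on one filesystem so it stays atomic.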


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.