Issue #21953 has been reported by Steven Willis.
----------------------------------------
Bug #21953: puppet module install uses user/group and permissions from the
tarball
https://projects.puppetlabs.com/issues/21953
* Author: Steven Willis
* Status: Unreviewed
* Priority: Urgent
* Assignee:
* Category: module tool
* Target version:
* Affected Puppet version: 3.2.2
* Keywords: module,forge,puppetforge,tar,user,group,permission
* Branch:
----------------------------------------
When you run the 'puppet module install' command as root it appears to download
a tarball from puppet forge, then simply extract it using 'tar xzf
TARBALL.tar.gz -C /some/tmp/dir', then moves it into place. From tar's man page:
-p, --preserve-permissions
extract information about file permissions (default for
superuser)
--same-owner
try extracting files with the same ownership as exists in the
archive (default for superuser)
So whatever user/group/permissions are set in the tarball when it's created
will be preserved when it's extracted. For example in:
https://forge.puppetlabs.com/puppetlabs/apache/0.8.1.tar.gz all the files are
owned by 'travis'. If you happen to have a 'travis' user on your system they
would become the owner of the files under
/etc/puppetlabs/puppet/modules/apache. This goes for groups as well, and I
think tar also uses uids and gids if it can't match up user and group names to
ones on the system. I just checked our /etc/puppetlabs/puppet/modules directory
and it's a mish-mash of random users and groups and even some non-existing
users/groups where you just see the uid or gid. I fixed it with a 'chown -R
root:pe-puppet /etc/puppetlabs/puppet/modules' (root:pe-puppet were the
user/group that owned that dir to begin with, it might vary on your system).
There's a similar issue with permissions. If someone uploads a module with a
world writable directory, a user on your system could write arbitrary code
there.
I think you want the script to call 'umask 0022' prior to extraction, and the
tar command should have '--owner root --group pe-puppet --no-same-permissions'.
Of course you may want to adjust the group from 'pe-puppet' as appropriate. It
might even be best to just have the group be 'root' as well. You might also
want to scrub tarballs when they're uploaded to puppet forge to change
user/group to root/root.
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/groups/opt_out.
