Issue #21953 has been updated by Charlie Sharpsteen.

Status changed from Unreviewed to Duplicate

Merging into #14333.

----------------------------------------
Bug #21953: puppet module install uses user/group and permissions from the tarball
https://projects.puppetlabs.com/issues/21953#change-95567

* Author: Steven Willis
* Status: Duplicate
* Priority: Urgent
* Assignee:
* Category: module tool
* Target version:
* Affected Puppet version: 3.2.2
* Keywords: module,forge,puppetforge,tar,user,group,permission, customer
* Branch:
----------------------------------------
When you run the 'puppet module install' command as root it appears to download a tarball from puppet forge, then simply extract it using 'tar xzf TARBALL.tar.gz -C /some/tmp/dir', then moves it into place. From tar's man page:

    -p, --preserve-permissions
        extract information about file permissions (default for superuser)

    --same-owner
        try extracting files with the same ownership as exists in the archive (default for superuser)

So whatever user/group/permissions are set in the tarball when it's created will be preserved when it's extracted. For example in: https://forge.puppetlabs.com/puppetlabs/apache/0.8.1.tar.gz all the files are owned by 'travis'. If you happen to have a 'travis' user on your system they would become the owner of the files under /etc/puppetlabs/puppet/modules/apache. This goes for groups as well, and I think tar also uses uids and gids if it can't match up user and group names to ones on the system.

I just checked our /etc/puppetlabs/puppet/modules directory and it's a mish-mash of random users and groups and even some non-existing users/groups where you just see the uid or gid. I fixed it with a 'chown -R root:pe-puppet /etc/puppetlabs/puppet/modules' (root:pe-puppet were the user/group that owned that dir to begin with, it might vary on your system).

There's a similar issue with permissions. If someone uploads a module with a world-writable directory, a user on your system could write arbitrary code there.
I think you want the script to call 'umask 0022' prior to extraction, and the tar command should have '--owner root --group pe-puppet --no-same-permissions'. Of course you may want to adjust the group from 'pe-puppet' as appropriate. It might even be best to just have the group be 'root' as well. You might also want to scrub tarballs when they're uploaded to puppet forge to change user/group to root/root.
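
An added illustration of the report above (not Puppet's module tool code and not part of the original message): a Python audit that lists the tarball entries whose ownership or mode a root-run extraction would carry over, plus the root:root and umask 0022 normalization the report asks for. The sample archive is constructed in memory, and `audit`, `normalize`, `build_sample` and `sample_members` are names chosen for this example.

```python
import copy
import io
import stat
import tarfile


def audit(members):
    """List (name, problem) for archived metadata that a root-run extraction would preserve."""
    findings = []
    for m in members:
        if (m.uid, m.gid) != (0, 0) or m.uname not in ("", "root") or m.gname not in ("", "root"):
            findings.append((m.name, f"owner {m.uname or m.uid}:{m.gname or m.gid}"))
        if m.mode & stat.S_IWOTH:
            findings.append((m.name, f"world-writable mode {m.mode:04o}"))
    return findings


def normalize(member, umask=0o022):
    """Copy of the entry forced to root:root with the umask applied to its mode."""
    m = copy.copy(member)
    m.uid = m.gid = 0
    m.uname = m.gname = "root"
    m.mode = member.mode & 0o777 & ~umask
    return m


def build_sample():
    """Constructed sample tarball: entries owned by 'travis', one world-writable directory."""
    entries = [("apache", tarfile.DIRTYPE, 0o777, b""),
               ("apache/manifests/init.pp", tarfile.REGTYPE, 0o664, b"class apache {}\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.size = kind, mode, len(data)
            info.uid = info.gid = 1000
            info.uname = info.gname = "travis"
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def sample_members():
    """Read the constructed archive back, as an installer would before extracting."""
    with tarfile.open(fileobj=build_sample(), mode="r:gz") as tar:
        return tar.getmembers()


if __name__ == "__main__":
    members = sample_members()
    for name, problem in audit(members):
        print(f"{name}: {problem}")
    print("after normalize:", audit(normalize(m) for m in members))
```

For a root-run `tar` itself, GNU tar's `--no-same-owner` and `--no-same-permissions` are the extraction-side switches that stop archived ownership and modes from being applied.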
