Issue #22095 has been reported by Yongchao Gao.
----------------------------------------
Bug #22095: Non-root user can use puppet-file to retrieve files served by
puppet
https://projects.puppetlabs.com/issues/22095
* Author: Yongchao Gao
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
If you can login to a puppet client and know a file path like this:
puppet:///modules/ssh/keys, you can use "puppet file" to retrieve its content,
like this:
puppet file --debug download puppet:///modules/ssh/keys
this will give you a md5 hash string, then:
puppet file find md5/${hash}
you will get it.
Is there any way i can avoid this security risk?
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/groups/opt_out.
