Issue #22095 has been updated by Charlie Sharpsteen.

Status changed from Unreviewed to Needs More Information
Assignee set to Yongchao Gao

Which version of Puppet are you running? Are the permissions on your agent keys, /var/lib/puppet/ssl/private_keys, set to disallow reading by non-root users?

----------------------------------------
Bug #22095: Non-root user can use puppet-file to retrieve files served by puppet
https://projects.puppetlabs.com/issues/22095#change-96119

* Author: Yongchao Gao
* Status: Needs More Information
* Priority: Normal
* Assignee: Yongchao Gao
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
If you can log in to a puppet client and know a file path like this: puppet:///modules/ssh/keys, you can use "puppet file" to retrieve its content, like this:

    puppet file --debug download puppet:///modules/ssh/keys

This will give you a md5 hash string, then:

    puppet file find md5/${hash}

You will get it.

Is there any way I can avoid this security risk?
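One way to answer the permissions question in the comment above, as an added example that is not part of the original thread or of Puppet. The function name `audit_key_perms` is hypothetical, only the "other" permission bits are checked (owner and group membership still need a manual look), and it should be run as root so the whole tree is readable.

```shell
#!/bin/sh
# Added example: audit a Puppet agent's private key directory for access
# granted to users outside the owner and group.
# Usage: audit_key_perms /var/lib/puppet/ssl/private_keys   (path from the thread)

# Lists every file or directory under $1 whose mode grants read, write or
# execute to "other". Returns 0 if clean, 1 on findings, 2 if $1 is missing
# or cannot be fully traversed (an unreadable tree must not pass as clean).
audit_key_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_key_perms: $dir is not a directory" >&2
        return 2
    fi
    # -perm -NNN matches when all listed bits are set; the three tests
    # together cover any of the "other" r/w/x bits, using POSIX find syntax.
    findings=$(find "$dir" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} \;) || {
        echo "audit_key_perms: could not fully read $dir" >&2
        return 2
    }
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A return code of 1 means at least one key or directory is accessible to every local account and the listed entries should be tightened.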
