Issue #22095 has been updated by Yongchao Gao.

Charlie Sharpsteen wrote:
> Which version of Puppet are you running?
>
> Are the permissions on your agent keys, /var/lib/puppet/ssl/private_keys, set
> to disallow reading by non-root users?

Our Puppet version is 3.1.1. /var/lib/puppet/ssl/ is empty; maybe you mean /etc/puppet/ssl. There is a 'private_keys' dir, and it can only be read by user 'puppet'.

----------------------------------------
Bug #22095: Non-root user can use puppet-file to retrieve files served by puppet
https://projects.puppetlabs.com/issues/22095#change-96150

* Author: Yongchao Gao
* Status: Needs More Information
* Priority: Normal
* Assignee: Yongchao Gao
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
If you can log in to a puppet client and know a file path like this: puppet:///modules/ssh/keys, you can use "puppet file" to retrieve its content, like this:

    puppet file --debug download puppet:///modules/ssh/keys

This will give you an md5 hash string, then:

    puppet file find md5/${hash}

You will get it.

Is there any way I can avoid this security risk?
