Issue #22095 has been updated by Yongchao Gao.
And my auth.conf:

    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

    path /certificate_revocation_list/ca
    method find
    allow *

    path /report
    method save
    allow *

    path /file
    allow *

    path /certificate/ca
    auth no
    method find
    allow *

    path /certificate/
    auth no
    method find
    allow *

    path /certificate_request
    auth no
    method find, save
    allow *

    path /
    auth any
    allow_ip 192.168.32.2

The last IP is the load balancer's IP (Apache).

----------------------------------------
Bug #22095: Non-root user can use puppet-file to retrieve files served by puppet
https://projects.puppetlabs.com/issues/22095#change-96381

* Author: Yongchao Gao
* Status: Needs More Information
* Priority: Normal
* Assignee: Yongchao Gao
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
If you can log in to a Puppet client and know a file path like this: puppet:///modules/ssh/keys, you can use "puppet file" to retrieve its content, like this:

    puppet file --debug download puppet:///modules/ssh/keys

This will give you an MD5 hash string, then:

    puppet file find md5/${hash}

and you will get it.

Is there any way I can avoid this security risk?
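An added example, not part of the original issue or of Puppet's own code: a small auditor that parses auth.conf stanzas like the ones quoted above and flags a wildcard `allow *` on a `/file` path, and `auth any` or `auth no` on the catch-all path `/`. The function names and the two review rules are assumptions made for illustration, and `auth` is assumed to default to `yes` when a stanza omits it.

```python
# Constructed sample: four of the stanzas from the auth.conf quoted in the issue.
SAMPLE = """\
path ~ ^/catalog/([^/]+)$
method find
allow $1
path /file
allow *
path /certificate/ca
auth no
method find
allow *
path /
auth any
allow_ip 192.168.32.2
"""


def parse_stanzas(text):
    """Return one dict per 'path' stanza; 'auth' is assumed to default to 'yes'."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "path":
            stanzas.append({"path": value.strip(), "auth": "yes",
                            "allow": [], "allow_ip": []})
        elif stanzas and key == "auth":
            stanzas[-1]["auth"] = value.strip().lower()
        elif stanzas and key in ("allow", "allow_ip"):
            stanzas[-1][key] += [v.strip() for v in value.split(",")]
    return stanzas


def audit(text):
    """Return (path, reason) pairs for stanzas that deserve a manual review."""
    findings = []
    for s in parse_stanzas(text):
        # Rule 1 (assumed): a bare wildcard on a file-serving path.
        if s["path"].startswith("/file") and "*" in s["allow"]:
            findings.append((s["path"], "allow * on a file-serving path (auth=%s)" % s["auth"]))
        # Rule 2 (assumed): the catch-all path accepts requests without a client certificate.
        if s["path"] == "/" and s["auth"] in ("any", "no", "off"):
            who = ", ".join(s["allow"] + s["allow_ip"]) or "nobody"
            findings.append((s["path"], "auth=%s on the catch-all path, allowed: %s" % (s["auth"], who)))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print("%s: %s" % (path, reason))
```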
