Issue #22095 has been updated by Yongchao Gao. Status changed from Needs More Information to Closed
Sorry, this problem is because i configured wrong in apache SSLVerifyClient must be require not optional ---------------------------------------- Bug #22095: Non-root user can use puppet-file to retrieve files served by puppet https://projects.puppetlabs.com/issues/22095#change-96513 * Author: Yongchao Gao * Status: Closed * Priority: Normal * Assignee: Yongchao Gao * Category: * Target version: * Affected Puppet version: * Keywords: * Branch: ---------------------------------------- If you can login to a puppet client and know a file path like this: puppet:///modules/ssh/keys, you can use "puppet file" to retrieve its content, like this: puppet file --debug download puppet:///modules/ssh/keys this will give you a md5 hash string, then: puppet file find md5/${hash} you will get it. Is there any way i can avoid this security risk? -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/groups/opt_out.
