Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Glenn Sarti updated an issue Puppet / PUP-8985 manage_internal_file_permissions should default to the new packaging default Change By: Glenn Sarti Story Points: 1 Team: Windows Sprint: Windows 2018-07-11 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Glenn Sarti commented on PUP-8985 Re: manage_internal_file_permissions should default to the new packaging default Bringing into sprint as it's related to PUP-6729, CVE work, and it's a small change with tests. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Glenn Sarti assigned an issue to Ethan Brown Puppet / PUP-8985 manage_internal_file_permissions should default to the new packaging default Change By: Glenn Sarti Assignee: Ethan Brown Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title Glenn Sarti created an issue Puppet / PUP-8985 manage_internal_file_permissions should default to the new packaging default Issue Type: Task Affects Versions: PUP 5.5.2, PUP 5.3.7, PUP 4.10.12 Assignee: Unassigned Created: 2018/07/05 8:57 PM Environment: Windows 10 - 1803 Priority: Normal Reporter: Glenn Sarti As part of remediation of CVE-2018-6513 the manage_internal_file_permissions was set to false, by default, in the Windows MSI installer (https://github.com/puppetlabs/puppet-agent-private/commit/fa06ae0de48d2560cf9f553cf4fc1540943af9b5). However the puppet gem default is still set to true. This should not be the case and both defaults 1. should mirror each other, and 2. the "manage_internal_file_permissions = true" behaviour should be optin This ticket tracks the work to change this default on Windows. Add Comment
Jira (PUP-8985) manage_internal_file_permissions should default to the new packaging default
Title: Message Title
Glenn Sarti updated an issue
Puppet / PUP-8985
manage_internal_file_permissions should default to the new packaging default
Change By:
Glenn Sarti
As part of remediation of CVE-2018-6513 the {{ manage_internal_file_permissions }} settings was set to false, by default, in the Windows MSI installer (https://github.com/puppetlabs/puppet-agent-private/commit/fa06ae0de48d2560cf9f553cf4fc1540943af9b5). However the puppet gem default is still set to true.This should not be the case and both defaults 1. should mirror each other, and 2. the "manage_internal_file_permissions = true" behaviour should be optinThis ticket tracks the work to change this default on Windows.
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send
Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators
Title: Message Title Ethan Brown commented on PUP-6729 Re: NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators I discussed manage_internal_file_permissions with Josh Cooper as well. I think we're both in agreement that we shouldn't allow it to be set to true on Windows because of all the potentially problematic side effects. I think we should probably file a couple of additional tickets on this: Warn / fail if manage_internal_file_permissions is true on Windows. I'm leaning toward fail given it will modify the perms work done for PUP-2019 + friends. Change the root? / admin? check on Windows to also vet that the user is part of the local Administrators group. Based on how permissions are now set, touching ProgramData with a user that is not Administrators is not a good idea and will certainly lead to problems. As Josh Cooper points out, the installer already covers adding the service user if it's not already a member of Administrators - https://github.com/puppetlabs/puppet-agent/blob/5e411af0080020f6952294182967d6d930823bb7/resources/windows/wix/users.wxs.erb#L7-L13. We're really only concerned with a few scenarios: Was the service user identity changed after the install (i.e. from SYSTEM to a domain account) Was the user purged from Administrators (could happen accidentally with Puppet for instance) Make sure that we never set SYSTEM perms as anything other than SYSTEM: (F) I think we should still double-check the scenario where Puppet is installed fresh, then the first run is performed from a scheduled task. The inheritable permissions laid down by the installer should be sufficient given they include Administrators: (OI)(CI)(F) and SYSTEM: (OI)(CI)(F), but we want to make sure given we know the owner of the file will be the actual user and not Administrators as new files are created. Windows defaults should allow that to happen without Puppet writing DACLs, but we want to double check that just to be certain, given some users run Puppet on a schedule rather than as a service. Add Comment
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Title: Message Title Amy Lazarte updated an issue Puppet / PUP-8942 Support issuing certificates with IP Address Subject Alternative Names Change By: Amy Lazarte Fix Version/s: PUP 5.5.z Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Title: Message Title Amy Lazarte commented on PUP-8942 Re: Support issuing certificates with IP Address Subject Alternative Names This has passed CI. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Title: Message Title Amy Lazarte commented on PUP-8942 Re: Support issuing certificates with IP Address Subject Alternative Names The first two are correct, although there should be a space rather than an equals sign after --dns_alt_names. I'm not sure about the cert list -a output, so I'll look into that and get back to you. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Title: Message Title Amy Lazarte updated an issue Puppet / PUP-8942 Support issuing certificates with IP Address Subject Alternative Names Change By: Amy Lazarte QA Risk Assessment: No Action Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8984) Add JSON output option to `puppet parser validate`
Title: Message Title Jesse Scott updated an issue Puppet / PUP-8984 Add JSON output option to `puppet parser validate` Change By: Jesse Scott Summary: Puppet Add JSON output option to `puppet parser validate does not respect --render-as ` Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8984) Puppet parser validate does not respect --render-as
Title: Message Title Jesse Scott moved an issue Puppet / PUP-8984 Puppet parser validate does not respect --render-as Change By: Jesse Scott Issue Type: Bug Improvement Key: PDK PUP - 800 8984 Project: Puppet Development Kit Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Title: Message Title Amy Lazarte updated an issue Puppet / PUP-8942 Support issuing certificates with IP Address Subject Alternative Names Change By: Amy Lazarte Fix Version/s: PUP 5.5.z Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8942) Support issuing certificates with IP Address Subject Alternative Names
Title: Message Title Amy Lazarte updated an issue Puppet / PUP-8942 Support issuing certificates with IP Address Subject Alternative Names Change By: Amy Lazarte Fix Version/s: PUP 5.5.z Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2754) Exit status is 0, even in the presence of errors, without --detailed-exitcodes
Title: Message Title Ethan Brown commented on PUP-2754 Re: Exit status is 0, even in the presence of errors, without --detailed-exitcodes After giving some consideration to changing this behavior, the conclusion we've come to for now is that this won't be possible. Good or bad, the semantics for 0 and non-zero exit codes when --detailed-exitcodes is not set, center on whether Puppet was able to execute a catalog / generate a report or not. With a value of 1, a catalog could not be applied nor a report generated. Otherwise, Puppet returns 0, even when any (or many) resources in the catalog failed to apply properly. To get this more detailed information, use --detailed-exitcodes. We recognize this is not ideal, but there are applications that depend on this behavior that would be broken if it were to change. For instance, Nick Lewis has stated: [1:50 PM] Nick Lewis: ^ puppet-job/orchestrator rely pretty heavily on that behavior [1:51 PM] Nick Lewis: They treat exit code 0 to mean "the catalog was applied and a report was generated", and use the report as the source of whether the catalog itself was "successful", and exit code 1 to mean "the catalog was not applied" Newer orchestration solutions like Bolt or PE Tasks understand this behavior and are more integrated into Puppet workflows. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To
Jira (PUP-8983) validate_cmd creates tmp file with inconsistent permissions
Title: Message Title john commented on PUP-8983 Re: validate_cmd creates tmp file with inconsistent permissions have attempted a fix[1] for this. It is not a complete fix as the mode is not maintained. Further the uid/gid of the file on disk still takes preference over the `should` values. [1]https://github.com/puppetlabs/puppet/pull/6908 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8983) validate_cmd creates tmp file with inconsistent permissions
Title: Message Title
john commented on PUP-8983
Re: validate_cmd creates tmp file with inconsistent permissions
re-ran the tests specifying a mode on the file type on the results are the same, i.e. the mode of the temp file is not set to the `should` state
file {'/tmp/test/test':
ensure => file,
owner => 'jbond',
group => 'jbond',
mode => '0555',
content => 'foobar',
validate_cmd => '/bin/false ',
}
root@dev:~# while true ; do ls -l /tmp/test/ | grep test ; done
-rw--- 1 root root 6 Jul 5 18:53 test20180705-18902-1r3rv8u
root@dev:~# touch /tmp/test/test
root@dev:~# chown jbond:jbond !$
Jira (BOLT-650) Separate bolt-transports to be it's own package
Title: Message Title Lucy Wyman assigned an issue to Lucy Wyman Puppet Task Runner / BOLT-650 Separate bolt-transports to be it's own package Change By: Lucy Wyman Assignee: Lucy Wyman Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators
Title: Message Title Geoff Nichols updated an issue Puppet / PUP-6729 NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators Change By: Geoff Nichols Sprint: Windows 2018-06-13, Windows 2018-06-27, Windows 2018-07-05 , Windows 2018-07-11 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8983) validate_cmd creates tmp file with inconsistent permissions
Title: Message Title
john created an issue
Puppet / PUP-8983
validate_cmd creates tmp file with inconsistent permissions
Issue Type:
Bug
Assignee:
Unassigned
Components:
Types and Providers
Created:
2018/07/05 9:55 AM
Priority:
Normal
Reporter:
john
Puppet Version: 5.5.0 Puppet Server Version: NA OS Name/Version: Linux & Mc OSX confirmed When the validate_cmd runs it creates a temporary file however the permissions it assigns to this temporary file are not related to the permissions defined on the file type object. Desired Behaviour: The temporary file used when running the validate command should have the exact same permissions as the file resources it is trying to create. e.g. with a file type of
file {'/tmp/test':
owner => 'foo',
group => 'bar',
mode => '0555',
validate_cmd => 'test
Jira (PUP-5880) Support optional dependencies in Metadata.json
Title: Message Title
Trevor Vaughan commented on PUP-5880
Re: Support optional dependencies in Metadata.json
I've implemented a version of this at https://github.com/simp/pupmod-simp-simplib/pull/148. The idea is that the calling code will become aware of the optional dependencies and be able to tell the user exactly what needs to be done in order to get the requirement met. For instance:
if $facts['operatingsystem'] == 'RedHat' {
simplib::assert_optional_dependency('puppet/yum')
}
This will look for the puppet/yum dependency and grab the release requirements from the metadata.json file. This means that you can actually have different scenarios based on what is present in your environment (if you so choose) and not have to create specific scenarios if you want to support multiple underlying implementations.
Add Comment
Jira (PUP-8982) user resource does not remove duplicate ssh keys in different locations
Title: Message Title
Gerhardus Geldenhuis created an issue
Puppet / PUP-8982
user resource does not remove duplicate ssh keys in different locations
Issue Type:
Improvement
Assignee:
Unassigned
Components:
Types and Providers
Created:
2018/07/05 3:52 AM
Priority:
Normal
Reporter:
Gerhardus Geldenhuis
This might be very obscure but if you specify the following:
user { 'jeff':
home => '/home/jeff',
purge_ssh_keys => ['/var/lib/ssh/jeff/authorized_keys','/home/jeff/.ssh/authorized_keys'],
}
And the keys in both locations are identical then only one location's keys will be removed. In my test this has been the last location's keys. If you run puppet apply two times then both locations keys will be removed. If you alter the keys to have different names then all
