Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Chris Cowell updated an issue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Change By: Chris Cowell
Labels: docs docs_reviewed

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.319291.1564682997000.64840.1566343860194%40Atlassian.JIRA.
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Cas Donoghue updated an issue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Change By: Cas Donoghue
Release Notes: Not Needed
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Cas Donoghue updated an issue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Change By: Cas Donoghue
Labels: docs
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Cas Donoghue updated an issue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Change By: Cas Donoghue
Fix Version/s: BOLT Next
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Nick Lewis commented on BOLT-1502
Re: Do not rely on wrapper script for run-as with stdin task input

We need to introduce a slightly more complex state machine to the SSH transport. We should now hold off on submitting stdin until we see a marker message indicating the command has started executing. We should string the command together with an echo of a randomly generated message, and our on_data handler should check for that message and then submit stdin. It should track some state indicating it's sent stdin, to prevent it from being sent multiple times.

So in the case where you're using sudo with a password, the on_data handler will first notice the password prompt and send the password, then once sudo has successfully escalated, it will run the echo, and then the on_data will see the message indicating it's time to send stdin.

We can either vary this behavior based on whether you're using sudo or we can always include the echo, depending on which seems more sensible in the actual implementation.
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Cas Donoghue assigned an issue to Cas Donoghue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Change By: Cas Donoghue
Assignee: Cas Donoghue
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Lucy Wyman updated an issue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Change By: Lucy Wyman
Sprint: Bolt Ready for Grooming Kanban
Jira (BOLT-1502) Do not rely on wrapper script for run-as with stdin task input
Cas Donoghue created an issue
Puppet Task Runner / BOLT-1502 Do not rely on wrapper script for run-as with stdin task input
Issue Type: Improvement
Assignee: Unassigned
Created: 2019/08/01 11:09 AM
Priority: Normal
Reporter: Cas Donoghue

Currently tasks run with the run-as option rely on laying down a wrapper script to direct task input data over stdin. There are several issues with this approach. The first is that the wrapper script can contain sensitive data in clear text. A ticket describing an idea to minimize the time the wrapper script lives on disk has been filed under https://tickets.puppetlabs.com/browse/BOLT-1329

The second issue described has to do with file permissions of the wrapper script when run on the local transport, which is ticketed under https://tickets.puppetlabs.com/browse/BOLT-1283

Instead of relying on the wrapper script we should investigate a solution that does not involve one. The solution should be able to safely pass the input data (even if it is very large) to the task over stdin even if it is ambiguous whether a sudo password is required. The solution should avoid problems with passing the data over the bash CLI, such as "Argument list too long" and exposing the sensitive data in the process list or in the shell history.

A commit with some discussion and potential pitfalls is https://github.com/puppetlabs/bolt/pull/1109

From Nlew on slack:

The root issue is that there’s only one stdin, and both the password for sudo and the parameters of the task need to be on stdin. But the password should only be on stdin if sudo asks for it. But we don’t know how to conclusively determine that sudo doesn’t need the password. So we skirt around that by wrapping the task executable in a script that also passes its stdin, so in the case where sudo doesn’t need the password, it will just start executing the script, which will pass stdin to the task.

Ansible’s solution is basically to instead run sudo 'echo "okay done with sudo, please pass stdin now"; /path/to/actual/task', and then it waits to see the “done with sudo” message before passing the task parameters on stdin.
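The marker handshake that both Nick Lewis's comment and the quoted Ansible approach describe, sketched as an added Ruby example (not Bolt's transport code and not from the ticket or the linked pull request). `StdinGate`, `FakeChannel`, `replay`, the marker and prompt strings and the task path are hypothetical; the channel is assumed to expose `send_data` and `eof!`.

```ruby
require 'securerandom'
require 'shellwords'

# Hypothetical names throughout; this is not Bolt's transport code.
class StdinGate
  attr_reader :state, :command, :marker, :prompt

  def initialize(task, user:, stdin:, password: nil)
    @marker = "STDIN-READY-#{SecureRandom.hex(16)}" # unguessable, new per run
    @prompt = "[sudo-#{SecureRandom.hex(4)}] password: "
    @stdin, @password = stdin, password
    @state = :waiting
    @buffer = String.new
    inner = "echo #{@marker}; exec #{Shellwords.escape(task)}"
    # sudo -S reads the password from stdin; -p sets a prompt we can recognise.
    @command = Shellwords.join(['sudo', '-S', '-u', user, '-p', @prompt, 'sh', '-c', inner])
  end

  # Feed every stdout/stderr chunk here. Returns task output only,
  # i.e. whatever follows the marker line.
  def on_data(channel, chunk)
    return chunk if @state == :stdin_sent
    @buffer << chunk
    if @buffer.sub!(@prompt, '')
      raise 'sudo asked for a password but none is configured' unless @password
      raise 'sudo rejected the password' if @state == :password_sent
      channel.send_data("#{@password}\n")
      @state = :password_sent
    end
    # Require the newline so a remote echo of the command line cannot match.
    _before, sep, after = @buffer.partition(/#{Regexp.escape(@marker)}\r?\n/)
    return '' if sep.empty?
    channel.send_data(@stdin) # parameters travel on stdin, never argv or disk
    channel.eof!
    @state = :stdin_sent
    after
  end
end

# Constructed stand-in for an SSH channel; records what would be written.
FakeChannel = Struct.new(:writes, :closed) do
  def send_data(data); writes << data; end
  def eof!; self.closed = true; end
end

def replay(gate, chunks)
  channel = FakeChannel.new([], false)
  output = chunks.map { |c| gate.on_data(channel, c) }.join
  [channel.writes, output]
end
```

Buffering the chunks matters because the prompt or the marker can arrive split across reads, and the `:stdin_sent` state is what keeps a task that happens to print the marker from receiving its parameters twice.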