The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
Filebuckets expose files on puppet master
|Assignee:||Andrew Parker||% Done:|
|Affected Puppet version:||Branch:|
Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com
This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.
It is possible to construct a REST request to fetch a file from a filebucket that overrides the puppet master’s defined location for the files to be stored. If a user has access to construct directories and symlinks on the machine they can read any file that the user the puppet master is running as has access to.
The user needs to be able to issue a rest request and so will probably also need access to SSL keys from an agent.
#2 Updated by Andrew Parker over 2 years ago
- Status changed from Accepted to In Topic Branch Pending Review
Fixes in branches: