The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets. See the following page for information on filing tickets with JIRA:

Bug #10908

Updated by Anonymous almost 4 years ago

For reasons unclear to me, OnlyIf and Unless are checking file permissions in the current directory when running puppet agent or puppet apply, even though

1. Current directory is not in the user's path
2. Current directory is not in the configured path

This causes puppet manifests to fail based on files in the local directory.

$ vim insecure.pp
exec { test:
  path      => '/bin:/usr/bin',
  command   => 'echo secure',
  onlyif    => 'test -d /tmp',
  logoutput => true,
}
$ touch test
$ chmod 444 test
$ puppet apply insecure.pp
err: /Stage[main]//Exec[test]: Could not evaluate: 'test' is not executable
notice: Finished catalog run in 0.08 seconds

Oddly enough, it doesn't seem to execute it -- just checks the permissions.

$ chmod 755 test
$ puppet apply insecure.pp
notice: /Stage[main]//Exec[test]/returns: secure
notice: /Stage[main]//Exec[test]/returns: executed successfully
notice: Finished catalog run in 0.17 seconds

This is at least a random failure case based on files in the puppet agent's current directory, but I'm sure this is an exploitable security bug somehow.
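As an added illustration (not code from the report and not Puppet's own exec provider), here is a command resolver written so that a bare command name is searched only in the explicitly configured path and never in the working directory, exercised against the same layout the report builds: an executable `test` in a search-path directory and a mode-0444 decoy `test` in the current directory. Directory names and the helper script are constructed for the demonstration.

```ruby
require 'tmpdir'

# Resolve the executable named by an exec command string against an explicit
# search path only. A bare name is accepted only if it exists as a regular,
# executable file in one of the listed absolute directories; the working
# directory is never consulted. Absolute names get the same executability
# check. Returns the absolute path, or nil when nothing acceptable is found.
# (Added illustration; not Puppet's own exec provider code.)
def resolve_exe(command, path_dirs)
  exe = command.to_s.split(/\s+/).first
  return nil if exe.nil? || exe.empty?

  if exe.start_with?('/')
    return File.file?(exe) && File.executable?(exe) ? exe : nil
  end
  # "./test" or "sub/test" would mean "relative to cwd"; refuse outright.
  return nil if exe.include?('/')

  path_dirs.each do |dir|
    next unless dir.start_with?('/')   # skip '', '.' and other relative entries
    candidate = File.join(dir, exe)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Rebuild the report's layout in temporary directories: one search-path
# directory holding a real executable called `test`, and a working directory
# holding a mode-0444 decoy of the same name (both constructed here). Returns
# what the resolver sees when called from inside that working directory.
def demonstrate_cwd_is_ignored
  Dir.mktmpdir('bindir') do |bindir|
    Dir.mktmpdir('workdir') do |workdir|
      real = File.join(bindir, 'test')
      File.write(real, "#!/bin/sh\nexit 0\n")
      File.chmod(0755, real)
      decoy = File.join(workdir, 'test')
      File.write(decoy, '')
      File.chmod(0444, decoy)
      Dir.chdir(workdir) do
        {
          with_path:    resolve_exe('test -d /tmp', [bindir]),   # the real one
          without_path: resolve_exe('test -d /tmp', []),         # nil, not the decoy
          relative:     resolve_exe('./test -d /tmp', [bindir]), # nil
        }
      end
    end
  end
end
```

With this lookup the decoy in the working directory can neither make the onlyif check fail nor be selected in place of the real binary, which is the property the report's manifest was relying on.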