The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #10908

Updated by Anonymous about 3 years ago

For reasons unclear to me, OnlyIf and Unless are checking file permissions in the current directory when running puppet agent or puppet apply, even though

1. Current directory is not in the user's path
2. Current directory is not in the configured path

This causes puppet manifests to fail based on files in the local directory.

<pre>


$ vim insecure.pp
exec { test:
path => '/bin:/usr/bin',
command => 'echo secure',
onlyif => 'test -d /tmp',
logoutput => true,
}
$ touch test
$ chmod 444 test
$ puppet apply insecure.pp
err: /Stage[main]//Exec[test]: Could not evaluate: 'test' is not executable
notice: Finished catalog run in 0.08 seconds
</pre>


Oddly enough, it doesn't seem to execute it -- just checks the permissions.

<pre>
$ chmod 755 test
$ puppet apply insecure.pp
notice: /Stage[main]//Exec[test]/returns: secure
notice: /Stage[main]//Exec[test]/returns: executed successfully
notice: Finished catalog run in 0.17 seconds
</pre>


This is at least a random failure case based on files in the puppet agent's current directory, but I'm sure this is an exploitable security bug somehow.

Back