The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #10908

puppet executing files in local directory, ignoring configured path when running OnlyIf/Unless

Added by Jo Rhett over 4 years ago. Updated almost 3 years ago.

Status: Rejected
Start date: 11/16/2011
Priority: Urgent
Due date:
Assignee: -
% Done: 0%
Category: exec
Target version: -
Affected Puppet version: 2.6.12
Branch:
Keywords:


Description

For reasons unclear to me, OnlyIf and Unless are checking file permissions in the current directory when running puppet agent or puppet apply, even though

  1. Current directory is not in the user’s path
  2. Current directory is not in the configured path

This causes puppet manifests to fail based on files in the local directory.

 $ vim insecure.pp
 exec { test:
   path      => '/bin:/usr/bin',
   command   => 'echo secure',
   onlyif    => 'test -d /tmp',
   logoutput => true,
 }
 $ touch test
 $ chmod 444 test
 $ puppet apply insecure.pp 
 err: /Stage[main]//Exec[test]: Could not evaluate: 'test' is not executable
 notice: Finished catalog run in 0.08 seconds

Oddly enough, it doesn’t seem to execute it — just checks the permissions.

 $ chmod 755 test
 $ puppet apply insecure.pp 
 notice: /Stage[main]//Exec[test]/returns: secure
 notice: /Stage[main]//Exec[test]/returns: executed successfully
 notice: Finished catalog run in 0.17 seconds

This is at least a random failure case based on files in the puppet agent’s current directory, but I’m sure this is an exploitable security bug somehow.
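The behaviour reported above can be reproduced in isolation with the added Ruby example below, which is not Puppet's code and not part of the original ticket. It assumes the pre-check tests a bare command name with File.exist?, which resolves against the current directory; naive_check, strict_check and reproduce are hypothetical names, and the files are constructed in a temporary directory.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical pre-check (not Puppet's code): File.exist? on a bare name
# resolves against the current directory before the configured path is used.
def naive_check(command, path_dirs)
  exe = command.split.first
  unless File.exist?(exe)
    exe = path_dirs.map { |d| File.join(d, exe) }.find { |p| File.file?(p) }
    return [:error, 'Could not find command'] unless exe
  end
  return [:error, "'#{exe}' is not executable"] unless File.executable?(exe)
  [:ok, exe]
end

# Stricter pre-check: a bare name is resolved only against the configured
# path; only a name containing a separator is tested as given.
def strict_check(command, path_dirs)
  exe = command.split.first
  unless exe.include?(File::SEPARATOR)
    exe = path_dirs.map { |d| File.join(d, exe) }.find { |p| File.file?(p) }
    return [:error, 'Could not find command'] unless exe
  end
  return [:error, "'#{exe}' is not executable"] unless File.executable?(exe)
  [:ok, exe]
end

# Constructed reproduction: a stand-in "test" binary in a private bin
# directory, and a stray file named "test" in the working directory.
def reproduce(stray_mode)
  Dir.mktmpdir do |root|
    bindir = File.join(root, 'bin')
    workdir = File.join(root, 'work')
    FileUtils.mkdir_p([bindir, workdir])
    File.write(File.join(bindir, 'test'), "#!/bin/sh\nexit 0\n")
    File.chmod(0755, File.join(bindir, 'test'))
    Dir.chdir(workdir) do
      File.write('test', '')
      File.chmod(stray_mode, 'test')
      cmd = 'test -d /tmp'
      { naive: naive_check(cmd, [bindir]), strict: strict_check(cmd, [bindir]) }
    end
  end
end

p reproduce(0444)  # stray file is not executable
p reproduce(0755)  # stray file is executable
```

With the stray file at mode 755 the naive check passes, but it has validated the file in the working directory rather than the binary on the configured path.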


Related issues

Related to Puppet - Bug #17603: Puppet execute has unexpected semantics Accepted

History

#1 Updated by James Turnbull over 4 years ago

  • Category set to exec
  • Assignee set to Jason McKerr

Jason – can we get someone to look this over and assess please.

#2 Updated by James Turnbull over 4 years ago

  • Status changed from Unreviewed to Needs Decision

#3 Updated by Anonymous over 4 years ago

  • Description updated (diff)
  • Assignee changed from Jason McKerr to Anonymous

#4 Updated by Anonymous over 4 years ago

  • Subject changed from security problem -- puppet executing files in local directory, ignoring configured path when running OnlyIf/Unless to puppet executing files in local directory, ignoring configured path when running OnlyIf/Unless
  • Status changed from Needs Decision to Rejected
  • Assignee changed from Anonymous to Dan Lowe

Hey. So, we investigated and this isn’t a security issue. We might mistake that we can run a command, but it will never execute something from the wrong directory.

This is actually fixed in the 2.7 series, and given the relatively fragile nature of this code we are not inclined to fix the problem in this release.

#5 Updated by Jo Rhett over 4 years ago

I find it incredibly un-pragmatic to have policies fail to run whenever someone creates a file in root which matches the name of an executable I am running.

You guys love to talk the talk about declarative, this behavior is downright random.

#6 Updated by Dan Lowe over 4 years ago

I’m confused; why is this assigned to me?

#7 Updated by James Turnbull over 4 years ago

  • Assignee changed from Dan Lowe to Anonymous

It should be – assigned to the PL person who closed it as last actioner.

#8 Updated by Anonymous almost 3 years ago

  • Assignee deleted (Anonymous)
