The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #12458

Only euid changed, not egid

Added by Anonymous about 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 02/06/2012
Priority: Normal
Due date:
Assignee: Dominic Maraglia
% Done:
Target version: 2.7.11
Affected Puppet version:
Branch:


2a. Only euid changed, not egid

The second problem occurs when only a target user is given to the SUIDManager asuser method as opposed to a target user and group, as is the case in the following places:

  • lib/puppet/provider/ssh_authorized_key/parsed.rb:59
  • lib/puppet/type/file/target.rb:46

In this case, the SUIDManager asuser method at lib/puppet/util/suidmanager.rb:78 doesn’t change the egid, only the euid, so the egid remains as root.

It seems to me that the gid should be set sensibly if only the user is specified, rather than the default of root.

2b. Demo

I’ve used the following contrived manifest to demonstrate these two issues leave us with group privs, but I haven’t thought of a reasonable way to exploit this under normal conditions.

    ssh_authorized_key { "test":
      ensure => present,
      key    => "AAAA",
      type   => "ssh-rsa",
      user   => "nobody",
      target => "/tmp/suidbug/file",
    }


    # mkdir /tmp/suidbug
    # touch /tmp/suidbug/file
    # chmod -R g+w /tmp/suidbug
    # ll /tmp/suidbug/file
    -rw-rw-r--. 1 root root 0 Feb 4 20:17 /tmp/suidbug/file
    # puppet apply sshauthkeys.pp
    notice: /Stage[main]//Ssh_authorized_key[test]/ensure: created
    err: /Stage[main]//Ssh_authorized_key[test]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /tmp/suidbug/file: Permission denied - /tmp/suidbug/file
    notice: Finished catalog run in 0.03 seconds
    # ll /tmp/suidbug/file
    -rw-rw-r--. 1 root root 196 Feb 4 20:19 /tmp/suidbug/file
    # cat /tmp/suidbug/file
    # HEADER: This file was autogenerated at Sat Feb 04 20:19:04 +0100 2012
    # HEADER: by puppet. While it can still be managed manually, it
    # HEADER: is definitely not recommended.
    ssh-rsa AAAA test

2c. Fixing

I’ve attached a suggested patch for the two problems, where I tried to address this quickly by changing the asuser method so it changes the egid to the primary gid if a gid isn’t explicitly given. I’ve now realised that the change_user method is sometimes called directly so asuser is bypassed, e.g. in execute_posix (lib/puppet/util.rb).

Some more work needs to be done here to either change everything to go through asuser, or to find a way to secure direct use of change_user too. The patch is incomplete!
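
The behaviour asked for in 2a and 2c (fall back to the user's primary gid when no group is given, and change the egid together with the euid), sketched as an added Ruby example. This is not Puppet's SUIDManager code or the attached patch; `resolve_ids`, `switched_to?` and `as_user` are hypothetical names, and the example assumes a POSIX system with a `root` entry in the passwd database.

```ruby
require 'etc'

# Hypothetical helper (not Puppet's SUIDManager): work out the uid/gid pair a
# temporary privilege switch should use. With no group given, fall back to the
# user's primary gid so the caller's egid (root) is never kept by default.
def resolve_ids(user, group = nil)
  pw = user.is_a?(Integer) ? Etc.getpwuid(user) : Etc.getpwnam(user.to_s)
  raise ArgumentError, "unknown user #{user.inspect}" unless pw
  gid = case group
        when nil     then pw.gid
        when Integer then group
        else Etc.getgrnam(group.to_s).gid
        end
  [pw.uid, gid]
end

# True only when both effective ids match the target; an euid-only switch fails.
def switched_to?(uid, gid, euid = Process.euid, egid = Process.egid)
  euid == uid && egid == gid
end

# Hypothetical wrapper: run the block as user/group, then restore the caller's ids.
# Assumption of this example: when not running as root, no switch is attempted.
def as_user(user, group = nil)
  uid, gid = resolve_ids(user, group)
  return yield unless Process.euid.zero?
  saved_euid, saved_egid = Process.euid, Process.egid
  begin
    Process.egid = gid   # group first: once euid drops we may no longer change it
    Process.euid = uid
    raise SecurityError, "privilege switch incomplete" unless switched_to?(uid, gid)
    yield
  ensure
    Process.euid = saved_euid   # regain root first, then restore the group
    Process.egid = saved_egid
  end
end

if __FILE__ == $0
  uid, gid = resolve_ids("root")
  puts "root -> uid=#{uid} gid=#{gid}"
  # Constructed ids: euid changed to 99 while egid stayed 0, as in the report.
  puts "euid-only switch detected: #{!switched_to?(99, 99, 99, 0)}"
end
```

Callers that change ids without going through such a wrapper are not covered by it, which is the gap the report notes for direct use of change_user.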


#1 Updated by Anonymous about 4 years ago

  • Branch set to should have the changes supplied by Dominic split apart, tests added, and ready to go against 2.6.x.

#2 Updated by Jason McKerr about 4 years ago

  • Assignee changed from Jason McKerr to Deepak Giridharagopal

#4 Updated by Matthaus Owens about 4 years ago

  • Status changed from Accepted to Closed
  • Target version set to 2.7.11
  • Private changed from Yes to No

Released in 2.6.14, 2.7.11
