Description of problem:
I noticed that puppetmasterd does not initialize its supplementary groups, which may allow puppetmasterd to access files it should not. E.g. if it is started with "service puppetmaster start", it still has access to all files that allow read access for the supplementary groups of root, e.g. raw disk devices.
I filed an upstream bug report including patches (one still needs to be tested) here:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. # service puppetmaster start
2. # cat /proc/$(ps --User puppet -o pid | tail -n 1)/status | grep Group
The output matches "id -G root".
The output should match "id -G puppet", i.e. the process should run with the supplementary groups of puppet.
The default supplementary groups of root include the group disk, which e.g. provides raw read access on disk devices.
I am not sure whether this really classifies as a security vulnerability, because https://fedoraproject.org/wiki/Security/Classifications only mentions code execution and denial of service, but imho unwanted access to restricted information is a security vulnerability, too.
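A check for the condition described above, together with the privilege drop that avoids it, as an added example that is not from this report, its patches, or the Puppet code base. It parses the Groups: line of a /proc/<pid>/status dump (the embedded sample is constructed; uid/gid 52 and the group numbers are assumed values) and compares it with the groups the service account should have, and drop_privileges shows the step the report says is missing: calling Process.initgroups before changing GID and UID, so the daemon keeps none of root's supplementary groups such as disk.

```ruby
require 'etc'

# Parse the "Groups:" line of a /proc/<pid>/status dump into a sorted GID list.
def groups_from_status(status_text)
  line = status_text.lines.find { |l| l.start_with?('Groups:') }
  return [] unless line
  line.sub('Groups:', '').split.map(&:to_i).sort
end

# Supplementary groups a user should have, like `id -G user` (primary + memberships).
# Reads the local passwd/group databases, so the result depends on the host.
def expected_groups_for(user)
  pw = Etc.getpwnam(user)
  gids = [pw.gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(user) }
  gids.uniq.sort
end

# GIDs the process carries that the service account is not entitled to.
# A non-empty result is the symptom from the report (root's groups leaked).
def unexpected_groups(status_text, expected)
  groups_from_status(status_text) - expected
end

# Correct order for dropping privileges from root to a service account:
# reset the supplementary group list first (initgroups), then GID, then UID.
# Skipping initgroups keeps root's groups, e.g. disk, in the new process.
# Must run as root; shown for illustration, not called below.
def drop_privileges(user)
  pw = Etc.getpwnam(user)
  Process.initgroups(user, pw.gid)
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
end

# Constructed sample: a daemon that became uid/gid 52 but still carries root's
# default supplementary groups (0 root, 6 disk, ...) alongside its own gid 52.
SAMPLE_STATUS = <<~STATUS
  Name:\tpuppetmasterd
  Uid:\t52\t52\t52\t52
  Gid:\t52\t52\t52\t52
  Groups:\t0 1 2 3 4 6 10 52
STATUS

if __FILE__ == $0
  leaked = unexpected_groups(SAMPLE_STATUS, [52])
  puts "sample process carries unexpected groups: #{leaked.join(' ')}" unless leaked.empty?
  # Same check against the running interpreter on Linux.
  if File.exist?('/proc/self/status')
    puts "this process: groups #{groups_from_status(File.read('/proc/self/status')).join(' ')}"
  end
end
```

On a fixed install, running the check against the puppetmasterd PID from the reproduction steps should yield an empty list when the expected groups come from `expected_groups_for('puppet')`.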
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Pending upcoming release, a great deal of thanks!
puppet-0.24.8-4.fc10 has been submitted as an update for Fedora 10.
puppet-0.24.8-4.el5 has been submitted as an update for Fedora EPEL 5.
puppet-0.24.8-4.fc11 has been submitted as an update for Fedora 11.
puppet-0.24.8-4.el4 has been submitted as an update for Fedora EPEL 4.
puppet-0.24.8-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.24.8-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.24.8-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.24.8-4.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
There is now a CVE number assigned for this issue; the metadata for the repositories should probably be updated. The number is: CVE-2009-3564
Re-opening as this issue also affects Red Hat Enterprise MRG 1.1.
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
The Red Hat Security Response Team does not currently plan to fix this flaw in MRG.