Description of problem:
I noticed that puppet may create several predictable files in /tmp, e.g.
/tmp/daemonout
/tmp/puppetdoc.txt
/tmp/puppetdoc.tex
There are also a lot more in the tests, but they may not be run in Fedora's F10 spec, and even more in the puppet source, e.g. for the dmg installation provider.

Version-Release number of selected component (if applicable):
puppet-0.24.8-1.fc10

How reproducible:
always

Steps to Reproduce:
1. grep -nR /tmp/ /usr/lib/ruby/site_ruby/1.8/puppet

Actual results:
Contains ruby code like:
/usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:33: File.open("/tmp/daemonout", "w") { |f|

Expected results:
Should only report findings that are not executed, e.g. in comments or help information

Additional info:
Current git seems to contain even more issues, e.g.
lib/puppet/network/server.rb:25: File.open("/tmp/daemonout", "w") { |f|
This is an issue the file already exists, with arbitrary content and only with permissive permissions, am I right? Would it help to put these files in, say, 0750, puppet:puppet, /var/cache/puppet/, so that only the puppet user (and root) can write to these files?
(In reply to comment #1)
> This is an issue the file already exists, with arbitrary content and only with
> permissive permissions, am I right?

I do not understand this question. But a typical attack in this case would be to create a symlink in e.g. /tmp/daemonout that points to a file that only root can write to, to manipulate the contents of this file.

> Would it help to put these files in, say, 0750, puppet:puppet,
> /var/cache/puppet/, so that only the puppet user (and root) can write to these
> files?

/tmp/daemonout should probably be in /var/log or some puppet log file should be used instead imho. For the puppetdoc and test files the Tempfile class in ruby should be used to generate securely temporary files or maybe a temporary directory within /tmp. The class Tempfile is already used in other locations in puppet.
(In reply to comment #2)
> (In reply to comment #1)
> > This is an issue the file already exists, with arbitrary content and only with
> > permissive permissions, am I right?
>
> I do not understand this question. But a typical attack in this case would be
> to create a symlink in e.g. /tmp/daemonout that points to a file that only root
> can write to, to manipulate the contents of this file.

A file in /tmp/ is not just readable, writeable or executable to just anyone just because it is in /tmp/. The same file system permissions apply to files and directories created in /tmp/ as they do anywhere else. The only difference with /tmp/ is that anyone can create files there, and anyone can list the directory's content. With umask, files created in /tmp/ would not even be group-readable or writeable:

==
Every 1.0s: find /tmp/ -name *puppet* -exec ls -lh {} \;    Thu Aug 13 00:12:39 2009

-rw-------. 1 root root 0 2009-08-13 00:12 ./puppet.15122.0
==

I fail to see how this is a security problem, unless the file is created with extraneous permissions before the puppet daemon creates the file itself. If you can explain or give me some reference I'll be happy to read up ;-)
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > This is an issue the file already exists, with arbitrary content and only with
> > > permissive permissions, am I right?
> >
> > I do not understand this question. But a typical attack in this case would be
> > to create a symlink in e.g. /tmp/daemonout that points to a file that only root
> > can write to, to manipulate the contents of this file.
>
> A file in /tmp/ is not just readable, writeable or executable to just anyone
> just because it is in /tmp/. The same file system permissions apply to files
> and directories created in /tmp/ as do they anywhere else. The only difference
> with /tmp/ is that anyone can create files there, and anyone can list the
> directories content;
> I fail to see how this is a security problem, unless the file is created with
> extraneous permissions before the puppet daemon creates the file itself.

Here are some step by step instructions that hopefully help to understand the problem:

1) backup your /etc/shadow file, e.g. with
   cp /etc/shadow /root/shadow.puppet-backup
2) As a non root user run:
   ln -s /etc/shadow /tmp/puppet.tex
3) As root run:
   puppetdoc -m pdf
4) notice that /etc/shadow has been overwritten with latex code:
   less /etc/shadow
5) restore /etc/shadow:
   cp /root/shadow.puppet-backup /etc/shadow

> If you can explain or give me some reference I'll be happy to read up ;-)

http://capec.mitre.org/data/definitions/27.html
So, a form of understanding is in my brain now... Would the solution be to not use /tmp/, but some directory non-root users cannot just write to (cannot create symbolic links to other files in)? I'd suggest: puppet:puppet drwxr-x--- /var/run/puppet or something similar?
(In reply to comment #5)
> So, a form of understanding is in my brain now...
>
> Would the solution be to not use /tmp/, but some directory non-root users
> cannot just write to (cannot create symbolic links to other files in)?
>
> I'd suggest:
>
> puppet:puppet drwxr-x--- /var/run/puppet
>
> or something similar?

Basically I already answered this in comment:2, but I can also provide more details if needed: /tmp/daemonout is a logfile and should go to /var/log, the other files should be created using the ruby tempfile class[0] or using a temporary directory, e.g. for the pdf creation there are iirc also some other helper files created with the same basename, e.g. instead of /tmp/puppetdoc.tex /tmp/puppetdoc.aux can probably also be used.

[0] http://www.ruby-doc.org/stdlib/libdoc/tempfile/rdoc/index.html
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
reproduced exploit from comment:4 with /tmp/puppetdoc.tex in step 2 with puppet-0.24.8-4.fc12
add co-maintainer Todd M. Zullinger to CC list
We're happy to have these propagated upstream - we're currently looking at a broader fix than just these files. For the moment happy to have you add me as a CC to any tickets such as these.
This is the fix we're proposing: http://github.com/MarkusQ/puppet/commit/0e9db34ba0afe0ea0bee3afd005a011e3099d055 Can you please test and provide feedback? Thanks
This looks fine to me, although I wonder what mysterious side-effects one could trigger now that the file (symlink) is being deleted, and Puppet awaits re-creation and then fails. I guess it needs to, since the file may also be a Puppet file created during a previous (aborted?) run...
James, thanks to you and Markus for the quick work. I tested a little on CentOS 5 and Fedora 10 (I'm travelling and don't have handy access to an F-12 box with 0.25.x right now). I only tested puppetdoc, and noted that while the patch from Markus prevents the tmp file problem, it does result in a traceback rather than a simple warning as I think is intended:

[root@localhost ~]# echo 'Secret root stuff' > /etc/test
[root@localhost ~]# chmod 400 /etc/test
[user@localhost ~]$ ln -sv /etc/test /tmp/puppetdoc.tex
[root@localhost ~]# puppetdoc -m pdf
creating pdf
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:411:in `secure_open': private method `warn' called for Puppet:Module (NoMethodError)
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/reference.rb:51:in `pdf'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetdoc.rb:160:in `other'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
        from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
        from /usr/bin/puppetdoc:65

I'm not sure how to quickly test the other code paths and I don't have as much time as I'd like to look into it. But I will try and test anything if you or Markus have suggestions.
Todd - we'll do some more testing and get back to you.
Try the updated fix in that same branch.
James, no traceback with the typo fixed. I didn't get any warning when running puppetdoc, though it did do what it is intended -- deleted the symlink and created it as a regular file. If it's supposed to log or print a warning, let me know and I'll test or look further.
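The two mitigations discussed in this thread, shown as an added Ruby example that is not Puppet's own code nor the upstream patch: a symlink-aware open for a fixed path, behaving the way comment 18 describes the fix (a planted symlink is removed and a regular file created in its place, with O_NOFOLLOW guarding the open itself), and the alternative recommended in comments 2 and 6, a Tempfile inside a private directory so that no predictable name in a world-writable directory is used at all. The function names `secure_open`, `secure_write` and `with_private_tempfile` and the warn-and-remove policy are assumptions for this illustration; the "protected" file and link in the demo are constructed.

```ruby
require 'tempfile'
require 'tmpdir'
require 'fileutils'

# Added example, not Puppet's own code. Two mitigations for the /tmp symlink
# problem: a symlink-aware open for a fixed path, and Tempfile in a 0700 dir.

# Open PATH for writing without ever following a symlink planted at that name.
# A pre-existing regular file (e.g. from an earlier, aborted run) is reused.
def secure_open(path, perm = 0600)
  if File.symlink?(path)
    # Hypothetical policy: warn and remove the link rather than write through it.
    warn "#{path} is a symlink; removing it before writing"
    File.unlink(path)
  elsif File.exist?(path) && !File.file?(path)
    raise "#{path} exists but is not a regular file"
  end
  flags = File::WRONLY | File::CREAT | File::TRUNC
  # O_NOFOLLOW closes the race between the check above and the open: if a link
  # reappears in between, open raises Errno::ELOOP instead of following it.
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, perm)
end

# Write CONTENT to PATH via secure_open; returns the number of bytes written.
def secure_write(path, content)
  f = secure_open(path)
  begin
    f.write(content)
  ensure
    f.close
  end
end

# Preferred approach: no fixed name in a world-writable directory at all.
# Dir.mktmpdir creates a 0700 directory with a random suffix and Tempfile.create
# opens a 0600 file inside it. Yields the open file and the directory path;
# both are removed when the block returns.
def with_private_tempfile(basename)
  Dir.mktmpdir(basename) do |dir|
    Tempfile.create(basename, dir) do |f|
      yield f, dir
    end
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |sandbox|
    # Constructed scenario: a "protected" file and a planted link pointing at it.
    target = File.join(sandbox, 'protected')
    File.write(target, "do not clobber\n")
    link = File.join(sandbox, 'puppetdoc.tex')
    File.symlink(target, link)
    secure_write(link, "\\documentclass{article}\n")
    puts "target intact: #{File.read(target).inspect}"
    puts "link is now a regular file: #{File.file?(link) && !File.symlink?(link)}"
  end
  with_private_tempfile('puppetdoc') do |f, dir|
    f.write("scratch")
    puts "private scratch file #{f.path} in #{dir}"
  end
end
```

The check-then-unlink in `secure_open` is still a window an attacker could race; the `File::NOFOLLOW` flag on the actual open is what makes a re-planted link fail loudly instead of being followed. `with_private_tempfile` avoids the question entirely, which is why the thread recommends Tempfile for puppetdoc's scratch files and a log file under /var/log for /tmp/daemonout.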
I just got a CVE number for this issue: CVE-2010-0156
Okay we've merged the branch and released 0.25.2 with the fix in it.
We also back-ported the patch to 0.24.x and created a new 0.24.x release numbered 0.24.9. I'll announce that shortly.
I've built and submitted puppet-0.25.2 for Fedora and EPEL branches. It's marked as a security update and submitted for updates-testing, as we'd like to get at least a little bit of testing to ensure there aren't any big problems hiding in the update. Thanks to James and Markus for quickly working to implement a fix and get it into 0.25.2 in the 11th hour. Someday I hope to repay you with inebriating beverages of your choice. :)
puppet-0.25.2-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0251
puppet-0.25.2-1.fc11.1 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0254
puppet-0.25.2-1.el5.1 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0031
puppet-0.25.3-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0054
puppet-0.25.3-1.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-0046
puppet-0.25.3-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0492
puppet-0.25.3-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0523
puppet-0.25.3-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/puppet-0.25.3-2.fc11
puppet-0.25.3-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/puppet-0.25.3-2.fc12
puppet-0.25.3-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/puppet-0.25.3-2.el5
puppet-0.25.3-2.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/puppet-0.25.3-2.el4
puppet-0.25.3-2.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-0095
puppet-0.25.3-2.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0097
puppet-0.25.3-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0834
puppet-0.25.3-2.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0865
puppet-0.25.4-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/puppet-0.25.4-1.el5
puppet-0.25.4-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/puppet-0.25.4-1.fc11
puppet-0.25.4-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/puppet-0.25.4-1.el4
puppet-0.25.4-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/puppet-0.25.4-1.fc12
puppet-0.25.4-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1336
puppet-0.25.4-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1347
puppet-0.25.4-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-5/FEDORA-EPEL-2010-0154
puppet-0.25.4-1.el4 has been pushed to the Fedora EPEL 4 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update puppet'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/EL-4/FEDORA-EPEL-2010-0163
puppet-0.25.4-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.25.4-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.25.4-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
puppet-0.25.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.