Your message dated Thu, 12 Mar 2015 10:49:04 +0000
with message-id <e1yw0fo-0007b4...@franck.debian.org>
and subject line Bug#778891: fixed in puppet 3.7.2-3
has caused the Debian Bug report #778891,
regarding puppet: systemd unit file does not load environment from /etc/default/puppet - breaks upgrades
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
778891: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: puppet
Version: 3.7.2-2
Severity: grave
Tags: patch security
Justification: user security hole


Hi,

During an upgrade from wheezy to jessie, puppet was upgraded to 3.7.2 and systemd
became the default init system.

In our environment, our puppet master is not called "puppet" and we override
this setting using the DAEMON_OPTS variable in /etc/default/puppet:

DAEMON_OPTS="--server our-puppet-master.ourdomain.tld"

The wheezy (and jessie) init script supports this, but the systemd unit file
for puppet does not read this environment file and defaults back to the "puppet"
DNS name for puppet masters.

The fix for this is simple and a patch for the systemd unit file is attached:
the unit file should have an EnvironmentFile statement to load the environment
from /etc/default/puppet (if it exists).

The patch only brings back support for the DAEMON_OPTS option, and not for the
variable to prevent startup.

I've flagged this as security as an upgrade from wheezy to jessie could open a 
system to a puppet server controlled by someone else. In case the puppet client
did not yet have signed certificate it could be signed by the "puppet" puppet
master, which could then execute arbitrary actions on the system.

I did not check if the postinst script only enables the systemd unit when the
START variable in /etc/default/puppet is set to "yes". If it doesn't, the
puppet service will be started on upgrades to jessie (and systemd), even if it
was disabled before. It would also introduce the problem above by contacting
the wrong puppet master.

Regards,

Rik



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages puppet depends on:
ii  init-system-helpers         1.22
ii  puppet-common               3.7.2-2
ii  ruby                        1:2.1.0.4
ii  ruby2.1 [ruby-interpreter]  2.1.5-1

puppet recommends no packages.

Versions of packages puppet suggests:
pn  etckeeper   <none>
pn  puppet-el   <none>
pn  vim-puppet  <none>

-- Configuration Files:
/etc/default/puppet e3a89dd703e6b796ef7889ba75af2df7 [Errno 2] No such file or directory: u'/etc/default/puppet e3a89dd703e6b796ef7889ba75af2df7'
/etc/logrotate.d/puppet 037c34a239a8895833388ccfce278adc [Errno 2] No such file or directory: u'/etc/logrotate.d/puppet 037c34a239a8895833388ccfce278adc'

-- no debconf information
--- puppet.service.orig	2015-02-21 12:05:48.260000000 +0100
+++ puppet.service	2015-02-21 12:06:07.376000000 +0100
@@ -4,7 +4,8 @@
 [Service]
 Type=forking
 PIDFile=/run/puppet/agent.pid
-ExecStart=/usr/bin/puppet agent
+EnvironmentFile=-/etc/default/puppet
+ExecStart=/usr/bin/puppet agent $DAEMON_OPTS
 
 [Install]
 WantedBy=multi-user.target
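Review bot: the hunk only restores DAEMON_OPTS; the START variable that the sysvinit script honoured is now loaded into the unit's environment by `EnvironmentFile=-/etc/default/puppet` but nothing in the unit acts on it, so a host that had START=no in /etc/default/puppet will have its agent started by systemd after the upgrade. A unit cannot express "do not start" from an environment variable, so that decision has to be made in postinst (enable the unit only when START=yes); the patch should say so, or be paired with that postinst change. Two details in the hunk are right as written: the leading `-` makes a missing /etc/default/puppet non-fatal, and the unquoted `$DAEMON_OPTS` is the correct form, since systemd splits an unquoted `$VAR` on whitespace into separate arguments while `${VAR}` would pass the whole string to `puppet agent` as a single argument.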

--- End Message ---
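The two failure modes the report describes, the agent silently falling back to the built-in master name "puppet" and the START flag no longer being honoured, can be checked from a shell before a freshly upgraded host is trusted to run its agent. The script below is an added example written for this page; it is not part of the bug report, the attached patch or the Debian puppet package. It approximates systemd's EnvironmentFile= parsing for simple files (KEY=value lines, '#' comments, surrounding quotes stripped) and its unquoted $VAR word splitting; the function names (envfile_get, effective_server, start_enabled, unit_loads_default, report), the sample file contents and the hostname puppet.example.org are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): work out what
# the puppet agent will actually be started with, given a /etc/default/puppet
# style environment file and a systemd unit file.  The parsing is a simplified
# imitation of systemd's EnvironmentFile= handling and of its $VAR splitting.

# Print the last value assigned to KEY in FILE, with matching surrounding quotes
# removed; comment lines are ignored.  Returns 1 if the file cannot be read.
envfile_get() {
    file=$1; key=$2
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" \
        | sed -n "s/^[[:space:]]*$key=//p" | tail -n 1 \
        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Does a unit file load /etc/default/puppet at all?  Accepts the strict form and
# the '-' form (missing file is not an error) used in the attached patch.
unit_loads_default() {
    grep -Eq '^EnvironmentFile=-?/etc/default/puppet$' "$1"
}

# The master the agent will contact: the --server value from DAEMON_OPTS, or
# puppet's built-in default "puppet" when none is given (the fallback the report
# warns about).  With a unit file as second argument, DAEMON_OPTS only counts
# when that unit actually loads the environment file.
effective_server() {
    envf=$1; unit=${2:-}
    server=puppet
    if [ -n "$unit" ] && ! unit_loads_default "$unit"; then
        printf '%s\n' "$server"; return 0
    fi
    opts=$(envfile_get "$envf" DAEMON_OPTS) || opts=""
    # shellcheck disable=SC2086  # word splitting is intended, as systemd does for $DAEMON_OPTS
    set -- $opts
    while [ $# -gt 0 ]; do
        case $1 in
            --server)
                shift
                if [ $# -gt 0 ]; then server=$1; fi
                ;;
            --server=*)
                server=${1#--server=}
                ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    printf '%s\n' "$server"
}

# The sysvinit script only started the agent when START=yes; the unit has no
# equivalent, so expose the flag for the postinst/operator decision.
start_enabled() {
    [ "$(envfile_get "$1" START)" = yes ]
}

# Constructed sample inputs so the script runs offline; the hostname is made up.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/custom" <<'EOF'
# Start puppet agent on boot?
START=yes
# Options passed to the agent (constructed example)
DAEMON_OPTS="--server puppet.example.org --waitforcert 60"
EOF
cat > "$SAMPLE_DIR/disabled" <<'EOF'
START=no
DAEMON_OPTS=""
EOF
cat > "$SAMPLE_DIR/puppet.service.old" <<'EOF'
[Service]
Type=forking
PIDFile=/run/puppet/agent.pid
ExecStart=/usr/bin/puppet agent
EOF
cat > "$SAMPLE_DIR/puppet.service.new" <<'EOF'
[Service]
Type=forking
PIDFile=/run/puppet/agent.pid
EnvironmentFile=-/etc/default/puppet
ExecStart=/usr/bin/puppet agent $DAEMON_OPTS
EOF

# Summarise one (env file, unit file) pair.  On a real host it would be called
# as: report /etc/default/puppet /lib/systemd/system/puppet.service
report() {
    printf '%s with %s: effective --server is %s\n' "$1" "$2" "$(effective_server "$1" "$2")"
    if start_enabled "$1"; then echo "  START=yes"; else echo "  START is not yes: the init script would not have started the agent"; fi
    if unit_loads_default "$2"; then echo "  unit loads /etc/default/puppet"; else echo "  unit does NOT load /etc/default/puppet: DAEMON_OPTS is ignored"; fi
}

report "$SAMPLE_DIR/custom" "$SAMPLE_DIR/puppet.service.old"
report "$SAMPLE_DIR/custom" "$SAMPLE_DIR/puppet.service.new"
```

The unit-file check is deliberately a text match on the directive rather than a call to systemctl, so it can be run against a package's unit file before installation as well as against the live one; the START reporting reflects the report's point that the flag is read into the environment but nothing in a unit can act on it.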
--- Begin Message ---
Source: puppet
Source-Version: 3.7.2-3

We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoi...@debian.org> (supplier of updated puppet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 10 Mar 2015 14:33:45 +0200
Source: puppet
Binary: puppet-common puppet puppetmaster-common puppetmaster puppetmaster-passenger vim-puppet puppet-el puppet-testsuite
Architecture: source all
Version: 3.7.2-3
Distribution: unstable
Urgency: medium
Maintainer: Puppet Package Maintainers <pkg-puppet-de...@lists.alioth.debian.org>
Changed-By: Apollon Oikonomopoulos <apoi...@debian.org>
Description:
 puppet     - configuration management system, agent
 puppet-common - configuration management system
 puppet-el  - syntax highlighting for puppet manifests in emacs
 puppet-testsuite - configuration management system, development test suite
 puppetmaster - configuration management system, master service
 puppetmaster-common - configuration management system, master common files
 puppetmaster-passenger - configuration management system, scalable master service
 vim-puppet - syntax highlighting for puppet manifests in vim
Closes: 774643 775795 778891
Changes:
 puppet (3.7.2-3) unstable; urgency=medium
 .
   [ Apollon Oikonomopoulos ]
   * Team upload.
   * Fix service enable/disable in the Debian service provider (Closes: #775795)
   * Fix stored configs with ActiveRecord 4.x (Closes: #774643)
     + puppetmaster-common: add Recommends for stored configs
     + Mention stored configs dependencies in README.Debian. Also add a
       note for the deprecation of AR-based stored configs.
   * Preserve and honor changes in /etc/default/puppet (Closes: #778891)
     + Do not remove /etc/default/puppet on upgrade
     + Disable the agent when upgrading and START != yes
     + puppet.service: pass $DAEMON_OPTS to puppet agent. Thanks to Rik Theys!
     + Add a NEWS note about the START flag
 .
   [ Stig Sandbeck Mathisen ]
   * Add upstream metadata
Checksums-Sha1:
 af8de0aa810bc573b0d81a3943861126f8c02d7d 2505 puppet_3.7.2-3.dsc
 29832d3c21768bde28bedc4a0116da059ac5a562 42964 puppet_3.7.2-3.debian.tar.xz
 f93eb13077f53ec3c560419c96dac5dfccac5c50 1010188 puppet-common_3.7.2-3_all.deb
 f21c7bb9819337776de34cd0df10bce115402403 25650 puppet_3.7.2-3_all.deb
 bb4856f15d1eca2f19bc43518cd269c568a471b6 26182 puppetmaster-common_3.7.2-3_all.deb
 49e1e26799f6fe4b48c6e812c7d912ffe08c2f92 24994 puppetmaster_3.7.2-3_all.deb
 fde9693717e39fba19d9d80c573e2a1530cc6ee7 25802 puppetmaster-passenger_3.7.2-3_all.deb
 22f74511d9acf36f14a276739c4b3dd2756b6316 26006 vim-puppet_3.7.2-3_all.deb
 ae705ffd13a428e829a554db97d8f40571246a87 27446 puppet-el_3.7.2-3_all.deb
 c19e89c5622f564354de80af83a3e83fabed3fcb 804368 puppet-testsuite_3.7.2-3_all.deb
Checksums-Sha256:
 51d4d5483e01bd6646d8bc182bdb12ca771eb92b0cc82b86ba97b10fe7f2b4b0 2505 puppet_3.7.2-3.dsc
 6c326ca4a26fa643b79bb39602b9230691a2dbaf21bcb729f0117bb34ab4c40d 42964 puppet_3.7.2-3.debian.tar.xz
 59d43db2d2afd1944f7aaecaef252c1a814fdc011f05bacf30b891cdbf544564 1010188 puppet-common_3.7.2-3_all.deb
 e6d3cb54545236a9caa08dcb9bc95df1303ba97a0cab75fd21b23b504d305722 25650 puppet_3.7.2-3_all.deb
 c2c97f45890b7aa6216e58f00b6961229afe6cb5579744d9931264ffe6af7e22 26182 puppetmaster-common_3.7.2-3_all.deb
 54e77c87b562f8051993a6dab33ed6c643ea1cb123f09787a250d6a8223fc75f 24994 puppetmaster_3.7.2-3_all.deb
 2d4be5e46d094715fc613b99ece0fb6519be4f01a2760d5426d0e7e38bb7b053 25802 puppetmaster-passenger_3.7.2-3_all.deb
 0c921449229539d32648c05964f1bf37cbf89e37d9605c165d973b7d72884678 26006 vim-puppet_3.7.2-3_all.deb
 2932fce6ba83ce76db5f2fa3609c6fd6e33f8e95421287415b7e9a548edd8d3e 27446 puppet-el_3.7.2-3_all.deb
 34ecd539c828ff7699cf0d11b338ef9d3e719d68d585e1e90a8c17b44014cc6f 804368 puppet-testsuite_3.7.2-3_all.deb
Files:
 f33ab37a09e2cfac42ff2190228ec48d 2505 admin optional puppet_3.7.2-3.dsc
 be9f83528e5d83ab2bbf22a827fcdbea 42964 admin optional puppet_3.7.2-3.debian.tar.xz
 ea989f855c22aaf56f8e9862bc441954 1010188 admin optional puppet-common_3.7.2-3_all.deb
 eb90733f88b84a6b51c8a9d9c29beb98 25650 admin optional puppet_3.7.2-3_all.deb
 6181f6f3e73290d9f8402c5e2097148d 26182 admin optional puppetmaster-common_3.7.2-3_all.deb
 c17842eeb9c08222d52799560f90d110 24994 admin optional puppetmaster_3.7.2-3_all.deb
 24597a8c9b797a792acdafb27ed3462e 25802 admin optional puppetmaster-passenger_3.7.2-3_all.deb
 a8adbf2b4706c49d5812e30961a1e2e7 26006 admin optional vim-puppet_3.7.2-3_all.deb
 0e7e4fe6a27a68099dc6e6bd79c143fe 27446 admin optional puppet-el_3.7.2-3_all.deb
 80aef10d1aa3874ccf2442d88af208d7 804368 admin optional puppet-testsuite_3.7.2-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
