Issue #3556 has been reported by Anthony Caetano.
----------------------------------------
Bug #3556: plusignment on multiple User's groups merges ALL their groups (security issue IMHO)
http://projects.puppetlabs.com/issues/3556
Author: Anthony Caetano
Status: Unreviewed
Priority: Urgent
Assigned to:
Category: group
Target version:
Affected version: 0.25.4
Keywords: plusignment, security, group, user
Branch:
A simplified example: I have two virtual users, a sysadmin with wheel and sudo
to root access and a pleb user. On a node I want to give both access to the
additional group "wwwadm". The sysadmin has groups "wheel, users", the pleb
only has "users".
If I do this:
User["sysadmin", "pleb"] { groups +> "wwwadm" }
realize User["sysadmin", "pleb"]
Then user pleb gets the "wheel" group! He then belongs to "users, wheel,
wwwadm". This is unexpected (for me at least) and has created a bit of a mess
as "tidying up" manifests to be more concise has granted a bunch of users in
the environment very elevated privileges :-/
I would expect:
User["sysadmin", "pleb"] { groups +> "wwwadm" }
to be identical to:
User["sysadmin"] { groups +> "wwwadm" }
User["pleb"] { groups +> "wwwadm" }
It isn't. The first form is positively dangerous at present.
In the /var/lib/puppet/client_yaml/catalog/$fqdn.yaml for the user I can see
that groups are duplicated numerous times; in the above example the "users"
group appears twice.
Example for c&p replication:
* The virtual users class
class user::virtual {
  @user { 'sysadmin':
    groups  => ['wheel','users'],
    ensure  => 'present',
    comment => 'Test User 1',
  }
  @user { 'pleb':
    groups  => ['users'],
    ensure  => 'present',
    comment => 'Test User 2',
  }
}
* First case (the problem)
node testing {
  class user::testing inherits user::virtual {
    User["sysadmin", "pleb"] { groups +> net }
    realize User["sysadmin", "pleb"]
  }
  include user::testing
}
.yaml snippet (notice wheel is there and users is duplicated):
    parameters:
      :ensure: present
      :groups:
        - users
        - wheel
        - users
        - net
      :comment: Test User 2
      :managehome: true
    reference: !ruby/object:Puppet::Resource::Reference
      builtin_type:
      title: pleb
      type: User
* Second case (correct)
node testing {
  class user::testing inherits user::virtual {
    User["sysadmin"] { groups +> net }
    User["pleb"] { groups +> net }
    realize User["sysadmin", "pleb"]
  }
  include user::testing
}
.yaml snippet (as expected):
    parameters:
      :ensure: present
      :groups:
        - users
        - net
      :comment: Test User 2
      :managehome: true
    reference: !ruby/object:Puppet::Resource::Reference
      builtin_type:
      title: pleb
      type: User
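Added example (my own model, not Puppet's code nor the reporter's): it reproduces the pooled-groups effect described above against the correct per-resource behaviour, and runs an audit over the resulting catalog data that flags the two symptoms visible in the first .yaml snippet (a privileged group the user was never given, and a duplicated group entry). The catalog structure, the privileged-group set and the per-user allow-list are assumptions for the example.

```python
# Added example: models the catalog behaviour reported in #3556 and audits the
# resulting group memberships. Not Puppet's implementation.
from collections import Counter

PRIVILEGED_GROUPS = {"wheel", "sudo"}  # assumed: groups that confer root-level access


def virtual_users():
    # Constructed sample mirroring the report's user::virtual class.
    return {"sysadmin": {"groups": ["wheel", "users"]},
            "pleb": {"groups": ["users"]}}


def plusign_merged(catalog, titles, extra):
    """Model of the reported (buggy) result: an override on several titles pools
    the existing values of ALL of them before appending 'extra'. The ordering
    (own groups first, then the others') is chosen to match the snippet."""
    before = {t: list(catalog[t]["groups"]) for t in titles}
    for t in titles:
        others = [g for o in titles if o != t for g in before[o]]
        catalog[t]["groups"] = before[t] + others + [extra]
    return catalog


def plusign_per_resource(catalog, titles, extra):
    """Expected behaviour: each resource keeps its own list and gains 'extra'."""
    for t in titles:
        catalog[t]["groups"] = catalog[t]["groups"] + [extra]
    return catalog


def audit_groups(catalog, allowed_privileged):
    """Return (title, kind, groups) findings for duplicated group entries and for
    privileged groups not in the user's allow-list (title -> set of groups)."""
    findings = []
    for title, params in catalog.items():
        groups = params["groups"]
        dupes = sorted(g for g, n in Counter(groups).items() if n > 1)
        if dupes:
            findings.append((title, "duplicate", dupes))
        permitted = allowed_privileged.get(title, set())
        unexpected = sorted(set(groups) & (PRIVILEGED_GROUPS - permitted))
        if unexpected:
            findings.append((title, "privileged", unexpected))
    return findings


if __name__ == "__main__":
    buggy = plusign_merged(virtual_users(), ["sysadmin", "pleb"], "net")
    print(audit_groups(buggy, {"sysadmin": {"wheel"}}))
```

Run against the compiled catalog data rather than the manifests, since the manifests look correct; it is the compiled groups list that carries the extra membership.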