Issue #3556 has been updated by Markus Roberts. Status changed from Investigating to Accepted
----------------------------------------
Bug #3556: plusignment on multiple User's groups merges ALL their groups (security issue IMHO)
http://projects.puppetlabs.com/issues/3556

Author: Anthony Caetano
Status: Accepted
Priority: Urgent
Assigned to:
Category: group
Target version:
Affected version: 0.25.4
Keywords: plusignment, security, group, user
Branch:

A simplified example: I have two virtual users, a sysadmin with wheel and sudo to root access and a pleb user. On a node I want to give both access to the additional group "wwwadm". The sysadmin has groups "wheel, users", the pleb only has "users".

If I do this:

    User["sysadmin", "pleb"] { groups +> "wwwadm" }
    realize User["sysadmin", "pleb"]

Then user pleb gets the "wheel" group! He then belongs to "users, wheel, wwwadm".

This is unexpected (for me at least) and has created a bit of a mess as "tidying up" manifests to be more concise has granted a bunch of users in the environment very elevated privileges :-/

I would expect:

    User["sysadmin", "pleb"] { groups +> "wwwadm" }

to be identical to:

    User["sysadmin"] { groups +> "wwwadm" }
    User["pleb"] { groups +> "wwwadm" }

It isn't. The first form is positively dangerous at present.

In the /var/lib/puppet/client_yaml/catalog/$fqdn.yaml for the user I can see that groups are duplicated numerous times; in the above example the "users" group appears twice.

Example for c&p replication:

* The virtual users class

    class user::virtual {
      @user { 'sysadmin':
        groups  => ['wheel','users'],
        ensure  => 'present',
        comment => 'Test User 1',
      }
      @user { 'pleb':
        groups  => ['users'],
        ensure  => 'present',
        comment => 'Test User 2',
      }
    }

**** First case (the problem)

    node testing {
      class user::testing inherits user::virtual {
        User["sysadmin", "pleb"] { groups +> net }
        realize User["sysadmin", "pleb"]
      }
      include user::testing
    }

.yaml snippet (notice wheel is there and users is duplicated):

    parameters:
      :ensure: present
      :groups:
      - users
      - wheel
      - users
      - net
      :comment: Test User 2
      :managehome: true
    reference: !ruby/object:Puppet::Resource::Reference
      builtin_type:
      title: pleb
      type: User

* Second case (correct)

    node testing {
      class user::testing inherits user::virtual {
        User["sysadmin"] { groups +> net }
        User["pleb"] { groups +> net }
        realize User["sysadmin", "pleb"]
      }
      include user::testing
    }

.yaml snippet (as expected):

    parameters:
      :ensure: present
      :groups:
      - users
      - net
      :comment: Test User 2
      :managehome: true
    reference: !ruby/object:Puppet::Resource::Reference
      builtin_type:
      title: pleb
      type: User
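The following Ruby script is an added illustration, not code from the bug report or from the Puppet project. It models the symptom in the report with a hypothetical merge routine in which the plusignment value is a single array that is updated after every resource it is applied to, so each later resource inherits the earlier resources' groups; that model reproduces the exact "users, wheel, users, net" list from the first YAML snippet, but it is an assumption about the mechanism, not a reading of Puppet 0.25.4's code. Beside it sits a per-resource merge that yields the second snippet's "users, net", and a small audit helper that reports which users gained a privileged group (wheel or sudo, per the report; the group list is an assumed default) that they were not declared with. The `User` struct, the function names and the sample users are all constructed here.

```ruby
# Added example modelling Bug #3556; not Puppet's own code.
User = Struct.new(:title, :groups)

# Constructed virtual users, mirroring the report's user::virtual class.
def virtual_users
  [User.new('sysadmin', %w[wheel users]), User.new('pleb', %w[users])]
end

# Hypothetical buggy merge: the single `addition` array is replaced with the
# merged result after each resource, so groups accumulate across resources.
# Assumption: this is one mechanism that reproduces the reported YAML, not
# a transcription of the real defect.
def plusign_buggy(users, addition)
  users.each do |u|
    merged = u.groups + addition
    u.groups = merged
    addition.replace(merged) # state leaks into the next resource's merge
  end
  users
end

# Per-resource merge: the override value is never modified, and the result is
# deduplicated, so each user ends with its own groups plus the addition only.
def plusign_fixed(users, addition)
  frozen = addition.dup.freeze
  users.each { |u| u.groups = (u.groups + frozen).uniq }
  users
end

# Audit check: which users gained a privileged group they were not declared
# with? `privileged` defaults to the groups the report treats as elevated.
def unexpected_privilege(before, after, privileged = %w[wheel sudo])
  before_by_title = before.to_h { |u| [u.title, u.groups] }
  after.each_with_object({}) do |u, out|
    gained = (u.groups - before_by_title.fetch(u.title, [])) & privileged
    out[u.title] = gained unless gained.empty?
  end
end

# Title => groups after applying `groups +> net` with the buggy model.
def groups_after_buggy
  plusign_buggy(virtual_users, ['net']).to_h { |u| [u.title, u.groups] }
end

# Title => groups after applying `groups +> net` per resource.
def groups_after_fixed
  plusign_fixed(virtual_users, ['net']).to_h { |u| [u.title, u.groups] }
end

if __FILE__ == $PROGRAM_NAME
  p groups_after_buggy   # {"sysadmin"=>["wheel","users","net"], "pleb"=>["users","wheel","users","net"]}
  p unexpected_privilege(virtual_users, plusign_buggy(virtual_users, ['net'])) # {"pleb"=>["wheel"]}
  p groups_after_fixed   # {"sysadmin"=>["wheel","users","net"], "pleb"=>["users","net"]}
end
```

The audit helper is the part worth keeping around independently of the modelled defect: comparing the declared groups of each user against what the compiled catalog would apply, and flagging any privileged group that appears only in the latter, catches this class of merge mistake before it is applied to hosts.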
