Issue #3556 has been updated by Markus Roberts.
Here's probably the simplest fix, if anybody wants to do a hot-patch test.
I'll be working up a full patch with tests, etc. later today.
<pre>
diff --git a/lib/puppet/parser/resource.rb b/lib/puppet/parser/resource.rb
index 651ed42..edf59c5 100644
--- a/lib/puppet/parser/resource.rb
+++ b/lib/puppet/parser/resource.rb
@@ -377,9 +377,13 @@ class Puppet::Parser::Resource
# If we've gotten this far, we're allowed to override.
- # Merge with previous value, if the parameter was generated with the
+> syntax.
- # It's important that we use the new param instance here, not the old
one,
- # so that the source is registered correctly for later overrides.
+ # Merge with previous value, if the parameter was generated with the
+>
+ # syntax. It's important that we use a copy of the new param instance
+ # here, not the old one, and not the original new one, so that the
source
+ # is registered correctly for later overrides but the values aren't
+ # implcitly shared when multiple resources are overrriden at once (see
+ # ticket #3556).
+ param = param.dup
param.value = [current.value, param.value].flatten if param.add
set_parameter(param)
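Review bot: `param.dup` in the `+ param = param.dup` line is a shallow copy, so the copy's `value` still aliases the original parameter's array until the following `param.value = [current.value, param.value].flatten if param.add` assignment replaces it; that is sufficient for the `+>` path this ticket is about, but in the plain override path (when `param.add` is false) the copy handed to `set_parameter` still shares its value object with the copies stored on the other resources of the collection, so the promised tests should cover both `User["a", "b"] { groups +> ... }` and a plain `=>` override applied to two resources at once. The new comment also has two typos, "implcitly" and "overrriden".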
</pre>
----------------------------------------
Bug #3556: plusignment on multiple User's groups merges ALL their groups (security issue IMHO)
http://projects.puppetlabs.com/issues/3556
Author: Anthony Caetano
Status: Accepted
Priority: Urgent
Assigned to:
Category: group
Target version:
Affected version: 0.25.4
Keywords: plusignment, security, group, user
Branch:
A simplified example: I have two virtual users, a sysadmin with wheel and sudo
to root access and a pleb user. On a node I want to give both access to the
additional group "wwwadm". The sysadmin has groups "wheel, users", the pleb
only has "users".
If I do this:
User["sysadmin", "pleb"] { groups +> "wwwadm" }
realize User["sysadmin", "pleb"]
Then user pleb gets the "wheel" group! He then belongs to "users, wheel,
wwwadm". This is unexpected (for me at least) and has created a bit of a mess
as "tidying up" manifests to be more concise has granted a bunch of users in
the environment very elevated privileges :-/
I would expect:
User["sysadmin", "pleb"] { groups +> "wwwadm" }
to be identical to:
User["sysadmin"] { groups +> "wwwadm" }
User["pleb"] { groups +> "wwwadm" }
It isn't. The first form is positively dangerous at present.
In the /var/lib/puppet/client_yaml/catalog/$fqdn.yaml for the user I can see
that groups are duplicated numerous times; in the above example the "users"
group appears twice.
Example for c&p replication:
* The virtual users class
class user::virtual {
  @user { 'sysadmin':
    groups => ['wheel','users'],
    ensure => 'present',
    comment => 'Test User 1',
  }
  @user { 'pleb':
    groups => ['users'],
    ensure => 'present',
    comment => 'Test User 2',
  }
}
* First case (the problem)
node testing {
  class user::testing inherits user::virtual {
    User["sysadmin", "pleb"] { groups +> net }
    realize User["sysadmin", "pleb"]
  }
  include user::testing
}
.yaml snippet (notice wheel is there and users is duplicated):
parameters:
  :ensure: present
  :groups:
    - users
    - wheel
    - users
    - net
  :comment: Test User 2
  :managehome: true
reference: !ruby/object:Puppet::Resource::Reference
  builtin_type:
  title: pleb
  type: User
* Second case (correct)
node testing {
  class user::testing inherits user::virtual {
    User["sysadmin"] { groups +> net }
    User["pleb"] { groups +> net }
    realize User["sysadmin", "pleb"]
  }
  include user::testing
}
.yaml snippet (as expected):
parameters:
  :ensure: present
  :groups:
    - users
    - net
  :comment: Test User 2
  :managehome: true
reference: !ruby/object:Puppet::Resource::Reference
  builtin_type:
  title: pleb
  type: User