We also need to have the option to have the user *not* own the file.

There could be very good reasons to have root own these files. For instance, when I was at school, it was quite common for people to just add each other to their authorized_keys files so that things would be "easier". It would be very nice to be able to prevent this.

Trevor

On 08/29/2011 04:06 PM, Ricky Zhou wrote:
> On 2011-08-28 08:30:04 AM, wearetherob...@puppetlabs.com wrote:
>> In order to support use cases where an authorized_key file is written to
>> a non-standard location, which may not be writable by the user, this patch
>> removes the step in the flush method that switches users before writing
>> the authorized_key file to disk. As a result, the authorized_key can now
>> be written to any location.
>>
>> This patch does not change the core functionality of the
>> ssh_authorized_key type.
>
> This seems dangerous, as when the authorized_keys file is in a location
> that is writable by the user, the user can make it a symlink to, say,
> /etc/shadow and get puppet to write to it.
>
> Looking at the rest of this code, there is currently a chown that occurs
> before privileges are dropped, which looks like it might be a security
> vulnerability:
>
> In the flush method in lib/puppet/provider/ssh_authorized_key/parsed.rb:
>
>     unless File.exist?(dir = File.dirname(target))
>       Puppet.debug "Creating #{dir}"
>       Dir.mkdir(dir, dir_perm)
>       File.chown(uid, nil, dir)
>     end
>
> If a user manages to replace the directory with a symlink to /etc right before
> the chown call, then it will be chowned to the user (chown follows symlinks,
> lchown does not).
>
> The chown and chmod commands at the end of the function are also potentially
> dangerous, since both of these will follow symlinks. Here's a patch which
> moves both of these into the block which is run with dropped privileges. I
> removed the chown call entirely, as the file should already be owned
> by the right user when it's created.
>
> Thanks,
> Ricky

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaug...@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
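The two symlink problems Ricky raises above (a path-based chown or chmod that follows a link swapped in by the user, and a user-writable authorized_keys path redirected at another file) can be closed at the filesystem-call level. The following is an added example, not Puppet's provider code and not the patch discussed in the thread: a hypothetical write_authorized_keys helper that inspects the directory and the target with lstat instead of File.exist?, sets directory ownership with lchown, opens the target with O_NOFOLLOW so the kernel refuses a link that appears between the check and the open, and applies mode and owner to the open descriptor (fchmod/fchown) rather than to the path. It also refuses a target that is a hardlink or is owned by someone else, which O_NOFOLLOW alone would not catch. It runs as an ordinary user against a temporary directory; the key strings and paths are constructed for the demonstration.

```ruby
# Added example (not Puppet's provider code, not the patch in the thread):
# a hypothetical authorized_keys writer that never follows a symlink.
require 'tmpdir'

# Writes +keys+, one per line, to +target+, creating its parent directory if
# missing. Returns :ok, or a symbol naming why the write was refused.
def write_authorized_keys(target, keys, uid: Process.uid, gid: Process.gid,
                          dir_perm: 0700, file_perm: 0600)
  dir = File.dirname(target)

  begin
    # lstat reports the link itself; File.exist?/File.stat would follow it.
    st = File.lstat(dir)
    return :dir_is_symlink    if st.symlink?
    return :dir_not_directory unless st.directory?
    return :dir_wrong_owner   unless st.uid == uid
  rescue Errno::ENOENT
    Dir.mkdir(dir, dir_perm)
    # lchown: if the directory was swapped for a symlink after mkdir, only the
    # link itself changes owner, not whatever it points at (e.g. /etc).
    File.lchown(uid, gid, dir)
  end

  begin
    ts = File.lstat(target)
    return :target_is_symlink  if ts.symlink?
    return :target_not_regular unless ts.file?
    return :target_wrong_owner unless ts.uid == uid   # e.g. hardlink to a root-owned file
    return :target_hardlinked  if ts.nlink > 1         # hardlink to any other file
  rescue Errno::ENOENT
    # nothing there yet; O_CREAT below creates it
  end

  flags = File::WRONLY | File::CREAT | File::TRUNC
  # O_NOFOLLOW closes the window between lstat and open: the kernel refuses
  # (ELOOP) if a symlink has appeared at the path in the meantime.
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)

  File.open(target, flags, file_perm) do |f|
    # fchmod/fchown act on the open descriptor, so they cannot be redirected
    # by a later rename or symlink the way path-based chmod/chown can.
    f.chmod(file_perm)
    f.chown(uid, gid)
    keys.each { |k| f.puts(k) }
  end
  :ok
rescue Errno::ELOOP
  :target_is_symlink
end

# Demonstration in a scratch directory with constructed keys and paths.
if __FILE__ == $0
  Dir.mktmpdir do |tmp|
    victim = File.join(tmp, 'victim')          # stands in for /etc/shadow
    File.write(victim, "secret\n")
    link = File.join(tmp, 'authorized_keys')
    File.symlink(victim, link)
    puts "symlinked target: #{write_authorized_keys(link, ['ssh-ed25519 AAAA demo'])}"
    good = File.join(tmp, '.ssh', 'authorized_keys')
    puts "regular target:   #{write_authorized_keys(good, ['ssh-ed25519 AAAA demo'])}"
  end
end
```

The descriptor-based chmod/chown is the direct counterpart of Ricky's point: once the file is open, mode and owner changes land on that inode whatever happens to the path afterwards. The ownership and link-count checks are what O_NOFOLLOW does not cover, and they are why writing with dropped privileges, as the thread's fix does, remains the stronger control: a process that cannot write to /etc/shadow in the first place has nothing to be redirected into.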