We also need to have the option to have the user *not* own the file.

There could be very good reasons to have root own these files.

For instance, when I was at school, it was quite common for people to just add 
each other to their authorized_keys files so that things would be "easier".

It would be very nice to be able to prevent this.

Trevor

On 08/29/2011 04:06 PM, Ricky Zhou wrote:
> On 2011-08-28 08:30:04 AM, wearetherob...@puppetlabs.com wrote:
>> In order to support use cases where an authorized_key file is written to
>> a non-standard location, which may not be writable by the user, this patch
>> removes the step in the flush method that switches users before writing
>> the authorized_key file to disk. As a result, the authorized_key can now
>> be written to any location.
>>
>> This patch does not change the core functionality of the
>> ssh_authorized_key type.
> This seems dangerous, as when the authorized_keys file is in a location
> that is writable by the user, the user can make it a symlink to say,
> /etc/shadow and get puppet to write to it.
> 
> Looking at the rest of this code, there is currently a chown that occurs
> before privileges are dropped, which looks like it might be a security
> vulnerability:
> 
> In the flush method in lib/puppet/provider/ssh_authorized_key/parsed.rb:
> 
>     unless File.exist?(dir = File.dirname(target))
>       Puppet.debug "Creating #{dir}"
>       Dir.mkdir(dir, dir_perm)
>       File.chown(uid, nil, dir)
>     end
> 
> If a user manages to replace the directory with a symlink to /etc right before
> the chown call, then it will be chowned to the user (chown follows symlinks,
> lchown does not).
> 
> The chown and chmod commands at the end of the function are also potentially
> dangerous, since both of these will follow symlinks.  Here's a patch which
> moves both of these into the block which is run with dropped privileges.  I
> removed the chown call entirely, as the file should already be owned
> by the right user when it's created.
> 
> Thanks,
> Ricky

-- 
Trevor Vaughan
 Vice President, Onyx Point, Inc.
 email: tvaug...@onyxpoint.com
 phone: 410-541-ONYX (6699)
 pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
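The symlink hazard Ricky describes above (open, chown and chmod all follow a link the file's owner may have planted, so a privileged writer can be steered onto another file) is shown below as an added example; it is not code from this thread or from Puppet's ssh_authorized_key provider. The helper names, the temporary directory layout, the stand-in "shadow" file and the key text are all constructed for the demonstration. The hardened variant uses lstat on the parent, O_NOFOLLOW on the open, and fchmod through the descriptor, which is the same idea as Ricky's fix of never touching the path by name with elevated rights.

```ruby
require 'tmpdir'
require 'fileutils'

# Vulnerable pattern (constructed, mirrors the provider behaviour discussed
# in the thread): open(2) with "w" and chmod(2) both resolve symlinks, so a
# link planted at the target path redirects the write and the mode change.
def naive_write(target, content, file_perm: 0600)
  File.open(target, 'w') { |f| f.write(content) }
  File.chmod(file_perm, target) # follows the symlink to whatever it points at
  target
end

# Hardened pattern: refuse a symlinked parent directory (lstat does not
# follow links), open the target with O_NOFOLLOW so a symlink at the final
# component fails with ELOOP, and set permissions through the open
# descriptor (fchmod) so the path is never looked up a second time.
def safe_write(target, content, file_perm: 0600, dir_perm: 0700)
  dir = File.dirname(target)
  if File.exist?(dir) || File.symlink?(dir)
    st = File.lstat(dir)
    raise "refusing symlinked or non-directory parent #{dir}" unless st.directory?
  else
    Dir.mkdir(dir, dir_perm)
  end
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(target, flags, file_perm) do |f|
    raise "target is not a regular file" unless f.stat.file? # fstat on the fd
    f.chmod(file_perm) # fchmod, no path lookup
    f.write(content)
  end
  target
end

# Runs both writers against a user-planted symlink inside a throwaway
# directory and reports what happened; nothing outside the tmpdir is touched.
def demo_symlink_writes
  Dir.mktmpdir do |tmp|
    victim = File.join(tmp, 'shadow') # constructed stand-in for /etc/shadow
    original = "root:secret\n"
    File.write(victim, original)

    ssh_dir = File.join(tmp, 'home', 'user', '.ssh')
    FileUtils.mkdir_p(ssh_dir)
    target = File.join(ssh_dir, 'authorized_keys')
    File.symlink(victim, target) # the link a file owner could plant
    key_line = "ssh-ed25519 AAAAexamplekey user@example\n" # constructed

    naive_write(target, key_line)
    naive_clobbered = File.read(victim) == key_line
    File.write(victim, original) # restore before the hardened run

    safe_refused = begin
      safe_write(target, key_line)
      false
    rescue Errno::ELOOP
      true
    end

    # Parent directory replaced by a symlink, the case in Ricky's mkdir/chown note.
    link_dir = File.join(tmp, 'linked_ssh')
    File.symlink(File.join(tmp, 'home', 'user'), link_dir)
    parent_refused = begin
      safe_write(File.join(link_dir, 'authorized_keys'), key_line)
      false
    rescue RuntimeError
      true
    end

    {
      naive_clobbered: naive_clobbered,
      safe_refused: safe_refused,
      parent_refused: parent_refused,
      victim_intact: File.read(victim) == original
    }
  end
end
```

Running `demo_symlink_writes` shows the naive writer overwriting the stand-in file through the link while the hardened writer fails with ELOOP and leaves it untouched. Dropping privileges before the write, as Ricky's patch does, is the complementary control: even if a link slips through, the write then happens with the file owner's rights rather than root's.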