SSH won't allow this, will it?

-- 
http://puppetlabs.com/ | +1-615-594-8199 | @puppetmasterd

On Aug 29, 2011, at 7:34 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:

> We also need to have the option to have the user *not* own the file.
>
> There could be very good reasons to have root own these files.
>
> For instance, when I was at school, it was quite common for people to just
> add each other to their authorized_keys files so that things would be
> "easier".
>
> It would be very nice to be able to prevent this.
>
> Trevor
>
> On 08/29/2011 04:06 PM, Ricky Zhou wrote:
>> On 2011-08-28 08:30:04 AM, wearetherob...@puppetlabs.com wrote:
>>> In order to support use cases where an authorized_key file is written to
>>> a non-standard location, which may not be writable by the user, this patch
>>> removes the step in the flush method that switches users before writing
>>> the authorized_key file to disk. As a result, the authorized_key can now
>>> be written to any location.
>>>
>>> This patch does not change the core functionality of the
>>> ssh_authorized_key type.
>>
>> This seems dangerous, as when the authorized_keys file is in a location
>> that is writable by the user, the user can make it a symlink to, say,
>> /etc/shadow and get puppet to write to it.
>>
>> Looking at the rest of this code, there is currently a chown that occurs
>> before privileges are dropped, which looks like it might be a security
>> vulnerability:
>>
>> In the flush method in lib/puppet/provider/ssh_authorized_key/parsed.rb:
>>
>>     unless File.exist?(dir = File.dirname(target))
>>       Puppet.debug "Creating #{dir}"
>>       Dir.mkdir(dir, dir_perm)
>>       File.chown(uid, nil, dir)
>>     end
>>
>> If a user manages to replace the directory with a symlink to /etc right
>> before the chown call, then it will be chowned to the user (chown follows
>> symlinks, lchown does not).
>>
>> The chown and chmod commands at the end of the function are also potentially
>> dangerous, since both of these will follow symlinks. Here's a patch which
>> moves both of these into the block which is run with dropped privileges. I
>> removed the chown call entirely, as the file should already be owned
>> by the right user when it's created.
>>
>> Thanks,
>> Ricky
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc.
> email: tvaug...@onyxpoint.com
> phone: 410-541-ONYX (6699)
> pgp: 0x6C701E94
>
> -- This account not approved for unencrypted sensitive information --
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To post to this group, send email to puppet-dev@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-dev+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.
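The symlink hazard Ricky describes above (chown, chmod and the file write all following a link planted by the user) can be illustrated with the Ruby below. This is an added example, not code from Puppet or from anyone in the thread: it sketches a writer that never follows symlinks (lstat instead of stat, lchown instead of chown, and O_NOFOLLOW on the open itself so the lstat/open window is closed), then checks that a planted symlink is refused and its target untouched. The module name SafeKeyWriter, the demo helper, the temp-directory layout and the sample key line are all constructed for this example; dropping privileges before the write, which the review recommends, is the other half of the fix and is not shown here.

```ruby
require 'tmpdir'

# Added example, not Puppet's code: write an authorized_keys-style file
# without following symlinks at any step.
module SafeKeyWriter
  class SymlinkRefused < StandardError; end

  # Return the lstat of +path+, or nil if it does not exist.
  # lstat does not follow links, so a symlink is reported as such.
  def self.refuse_symlink!(path)
    st = File.lstat(path)
    raise SymlinkRefused, "#{path} is a symlink" if st.symlink?
    st
  rescue Errno::ENOENT
    nil
  end

  # Create the parent directory if missing and set its owner with lchown,
  # which (unlike chown) will not chown through a directory swapped for a
  # symlink between the mkdir and the ownership change.
  def self.ensure_dir(dir, uid, mode = 0o700)
    Dir.mkdir(dir, mode) if refuse_symlink!(dir).nil?
    File.lchown(uid, nil, dir) unless uid.nil?
    refuse_symlink!(dir)
  end

  # Write +content+ to +target+. O_NOFOLLOW makes the open fail (ELOOP)
  # when the final path component is a symlink, so nothing is truncated or
  # written through a link; the fstat check then rejects a file owned by
  # someone other than the expected uid.
  def self.write(target, content, uid: nil)
    ensure_dir(File.dirname(target), uid)
    flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
    File.open(target, flags, 0o600) do |f|
      st = f.stat
      raise SymlinkRefused, "#{target} is not a regular file" unless st.file?
      if uid && st.uid != uid
        raise SymlinkRefused, "#{target} owned by uid #{st.uid}, expected #{uid}"
      end
      f.write(content)
    end
    true
  rescue Errno::ELOOP
    raise SymlinkRefused, "#{target} is a symlink"
  end
end

# Constructed scenario in a temp directory: a symlink planted where
# authorized_keys should be must not be written through, while a real
# file in the same directory is written normally.
def demo
  Dir.mktmpdir do |tmp|
    victim = File.join(tmp, 'victim')          # stands in for e.g. /etc/shadow
    File.write(victim, "original\n")
    ssh_dir = File.join(tmp, '.ssh')
    Dir.mkdir(ssh_dir, 0o700)
    link = File.join(ssh_dir, 'authorized_keys')
    File.symlink(victim, link)

    key_line = "ssh-ed25519 EXAMPLEKEYDATA user@host\n"   # constructed sample
    refused = begin
      SafeKeyWriter.write(link, key_line, uid: Process.uid)
      false
    rescue SafeKeyWriter::SymlinkRefused
      true
    end

    real = File.join(ssh_dir, 'authorized_keys2')
    written = SafeKeyWriter.write(real, key_line, uid: Process.uid)

    { refused: refused,
      victim_intact: File.read(victim) == "original\n",
      written: written,
      content: File.read(real) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The ownership check uses Process.uid so the example runs unprivileged; in the provider's setting that uid would be the key's owner, and the write would additionally happen after privileges are dropped, as the review above suggests.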