SSH won't allow this, will it?

-- 
http://puppetlabs.com/ | +1-615-594-8199 | @puppetmasterd

On Aug 29, 2011, at 7:34 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:

>
> We also need to have the option to have the user *not* own the file.
>
> There could be very good reasons to have root own these files.
>
> For instance, when I was at school, it was quite common for people to just 
> add each other to their authorized_keys files so that things would be 
> "easier".
>
> It would be very nice to be able to prevent this.
>
> Trevor
>
> On 08/29/2011 04:06 PM, Ricky Zhou wrote:
>> On 2011-08-28 08:30:04 AM, wearetherob...@puppetlabs.com wrote:
>>> In order to support use cases where an authorized_key file is written to
>>> a non-standard location, which may not be writable by the user, this patch
>>> removes the step in the flush method that switches users before writing
>>> the authorized_key file to disk. As a result, the authorized_key can now
>>> be written to any location.
>>>
>>> This patch does not change the core functionality of the
>>> ssh_authorized_key type.
>> This seems dangerous, as when the authorized_keys file is in a location
>> that is writable by the user, the user can make it a symlink to say,
>> /etc/shadow and get puppet to write to it.
>>
>> Looking at the rest of this code, there is currently a chown that occurs
>> before privileges are dropped, which looks like it might be a security
>> vulnerability:
>>
>> In the flush method in lib/puppet/provider/ssh_authorized_key/parsed.rb:
>>
>>    unless File.exist?(dir = File.dirname(target))
>>      Puppet.debug "Creating #{dir}"
>>      Dir.mkdir(dir, dir_perm)
>>      File.chown(uid, nil, dir)
>>    end
>>
>> If a user manages to replace the directory with a symlink to /etc right
>> before the chown call, then it will be chowned to the user (chown follows
>> symlinks, lchown does not).
>>
>> The chown and chmod commands at the end of the function are also potentially
>> dangerous, since both of these will follow symlinks.  Here's a patch which
>> moves both of these into the block which is run with dropped privileges.  I
>> removed the chown call entirely, as the file should already be owned by the
>> right user when it's created.
>>
>> Thanks,
>> Ricky
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc.
> email: tvaug...@onyxpoint.com
> phone: 410-541-ONYX (6699)
> pgp: 0x6C701E94
>
> -- This account not approved for unencrypted sensitive information --
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Developers" group.
> To post to this group, send email to puppet-dev@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-dev+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-dev?hl=en.
>

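The two symlink problems Ricky describes above (a chown that follows a planted symlink, and a chmod/chown on a path the user controls) as an added Ruby example; this is not Puppet's provider code and not a patch from anyone in this thread. The helper names ensure_key_dir and write_authorized_keys, the returned symbols, and the use of File::NOFOLLOW (a POSIX O_NOFOLLOW platform such as Linux) are my own assumptions.

```ruby
require 'tmpdir'

# Assumed helper (not Puppet's): create the key directory, then lchown it.
# lchown does not follow symlinks, so a symlink planted at `dir` between
# mkdir and the ownership change only has its own owner changed, never the
# target's. An already existing path is inspected with lstat and refused
# unless it is a real directory owned by the expected uid.
def ensure_key_dir(dir, uid, perm = 0700)
  begin
    Dir.mkdir(dir, perm)
    File.lchown(uid, nil, dir)
    return :created
  rescue Errno::EEXIST
    # Something is already there: fall through and inspect it without following.
  end
  st = File.lstat(dir)
  return :refused_symlink if st.symlink?
  return :refused_not_dir unless st.directory?
  return :refused_owner unless st.uid == uid
  :ok
end

# Assumed helper (not Puppet's): write the key file without ever following a
# symlink. O_NOFOLLOW rejects a symlink at `path`, owner and type are checked
# with fstat on the descriptor we actually hold, and the mode is fixed with
# fchmod on that descriptor rather than chmod on a path that could be swapped
# for a symlink to /etc/shadow between the check and the write.
def write_authorized_keys(path, content, uid, mode = 0600)
  f = File.open(path, File::WRONLY | File::CREAT | File::NOFOLLOW, mode)
  st = f.stat
  return :refused_not_file unless st.file?
  return :refused_owner unless st.uid == uid
  f.chmod(mode)
  f.truncate(0)
  f.write(content)
  :written
rescue Errno::ELOOP
  :refused_symlink   # open(2) with O_NOFOLLOW hit a symlink
ensure
  f.close if f
end
```

Run as an ordinary user against a scratch directory; refusing (rather than silently writing) is the right outcome for every planted-symlink case, and the caller should log it.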