We've identified and are fixing a condition in puppet where the auto-generated
CA private key is created with too-leinent permissions. We feel the exposure is
pretty limited (it would require a local user account on the CA system, to
discover and copy/modify the CA key before additional puppet commands run) but
will be releasing patched versions which do not have the problem. I wanted to
post this publicly so users could evaluate their own site and remediate if
necessary, in advance of an upstream software release.
You could be affected if:
- you used puppet server or puppet master to automatically generate a CA
keypair and certificate and have NEVER restarted the process
- you never subsequently ran a puppet agent, cert, or other subcommands
which use the certificate subsystem, on the host with the CA keypair.
You will not be affected if:
- you run Puppet Enterprise to initialize your CA
- you have ever run 'puppet agent' or other 'puppet cert' commands as root on
the host with the keypair.
- you have ever restarted your puppet master/puppet server process. Ever.
Really.
The immediate fix is to either:
- run `puppet agent` as root on the server which has the CA key
- as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`
A huge thank you/merci to Francois Lafont for reporting this issue.
For more details, see https://tickets.puppetlabs.com/browse/PUP-5274
Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
