Jira (PUP-3328) tidy should follow symlinks
Moses Mendoza updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Moses Mendoza Labels: needs_decision triaged This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene assigned an issue to Cosmin Lehene
Closing. I too think this can be problematic. I don't think these safety concerns are directly relevant. If a malicious user can create something in `/tmp` the box would likely be screwed already. Also puppet paths shouldn't have manual random links, etc. However, I think the fact that create / tidy operations together are not idempotent is problematic. I.e. if a link is created somewhere it should be only the link that's deleted. The potentially dangerous aspects are IMO when a recipe is modified and re-run.
Puppet / PUP-3328 tidy should follow symlinks
Change By: Cosmin Lehene Resolution: Won't Fix Assignee: Cosmin Lehene Status: Accepted Closed
Jira (PUP-3328) tidy should follow symlinks
Adrien Thebo updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Adrien Thebo Labels: needs_decision triaged
Jira (PUP-3328) tidy should follow symlinks
Adrien Thebo updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Adrien Thebo Labels: triaged
Jira (PUP-3328) tidy should follow symlinks
Adrien Thebo commented on PUP-3328 Re: tidy should follow symlinks
I think this could be incredibly dangerous. If tidy is being used to clean up /tmp and a hostile user creates /tmp/evil linked to /etc, following the symlink will cause Puppet to wipe /etc and destroy the host. If we make the links parameter tunable people could opt into this dangerous behavior, but I really don't like this.
Jira (PUP-3328) tidy should follow symlinks
Josh Cooper updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Josh Cooper Fix Version/s: PUP 4.y Fix Version/s: PUP 5.y
Jira (PUP-3328) tidy should follow symlinks
Branan Riley assigned an issue to Unassigned Puppet / PUP-3328 tidy should follow symlinks Change By: Branan Riley Assignee: Michael Smith
Jira (PUP-3328) tidy should follow symlinks
Hailee Kenney assigned an issue to Michael Smith Puppet / PUP-3328 tidy should follow symlinks Change By: Hailee Kenney Assignee: Cosmin Lehene Michael Smith
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene commented on PUP-3328 Re: tidy should follow symlinks
Here's the PR with the current patch rebased to master: https://github.com/puppetlabs/puppet/pull/4084
Christopher Barbour this is worth discussing. I'm not sure that I'll get back to this very soon, though, and that change would require resource changes, documentation, etc.
Jira (PUP-3328) tidy should follow symlinks
Henrik Lindberg updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Henrik Lindberg Scrum Team: Client Platform
Jira (PUP-3328) tidy should follow symlinks
Christopher Barbour commented on PUP-3328 Re: tidy should follow symlinks
If this is added, it needs to be configurable. Otherwise, it would be pretty trivial for a malicious user to purge arbitrary data from the filesystem using this feature.
Jira (PUP-3328) tidy should follow symlinks
Eric Sorenson commented on PUP-3328 Re: tidy should follow symlinks
Cosmin Lehene I've put this ticket into "Needs Information" and assigned it to you – please submit a PR with the above patch, link it to the ticket, and mark this ticket "Ready for Engineering" when you've got it posted. Thanks for the contribution!
Jira (PUP-3328) tidy should follow symlinks
Eric Sorenson updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Eric Sorenson Fix Version/s: PUP 4.0.0 Fix Version/s: PUP 4.x
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene commented on an issue Re: tidy should follow symlinks
Andy Parker Thanks! I'll rebase and make a PR.
Jira (PUP-3328) tidy should follow symlinks
Andy Parker commented on an issue Re: tidy should follow symlinks
I've retargeted at 4.0 since this isn't a regression in 3.7. Cosmin Lehene, thanks for putting in the work on this. Please submit the changes as a PR on github, that is how we track code contributions.
Jira (PUP-3328) tidy should follow symlinks
Andy Parker updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Andy Parker Fix Version/s: 3.7.2 Fix Version/s: 4.0.0
Jira (PUP-3328) tidy should follow symlinks
Andy Parker updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Andy Parker Issue Type: Bug Improvement
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene commented on an issue Re: tidy should follow symlinks
Updated description. It doesn't work when having the symlink with a trailing slash either (I saw local change artefact) as Fileset's initialize chomps it (here)
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene updated an issue
Puppet / PUP-3328 tidy should follow symlinks
Change By: Cosmin Lehene
tidy uses Fileset which will use either stat or lstat ([see code | https://github.com/puppetlabs/puppet/blob/master/lib/puppet/file_serving/fileset.rb#L80]) depending on {{:links => :manage | :follow}} and defaults to {{:manage}} ([see code | https://github.com/puppetlabs/puppet/blob/master/lib/puppet/file_serving/fileset.rb#L40])
As tidy doesn't explicitly set {{:follow}} the results may vary if the target dir is a symlink.
For example, if trying to tidy {{/etc/init.d}} which is a symlink to {{/etc/rc.d/init.d}} on CentOS 6/7 it won't work. However tidying {{/etc/init.d/}} (trailing slash) will work. Again this is consistent with how stat/lstat works
{noformat}
[root@localhost puppet]# stat /etc/init.d/
  File: ‘/etc/init.d/’
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 75105 Links: 2
Access: (0755/drwxr-xr-x) Uid: (0/root) Gid: (0/root)
Access: 2014-09-23 05:22:27.351955472 +0900
Modify: 2014-09-17 03:34:15.521690654 +0900
Change: 2014-09-17 03:34:15.521690654 +0900
 Birth: -
[root@localhost puppet]# stat /etc/init.d
  File: ‘/etc/init.d’ -> ‘rc.d/init.d’
  Size: 11 Blocks: 0 IO Block: 4096 symbolic link
Device: fd01h/64769d Inode: 67139111 Links: 1
Access: (0777/lrwxrwxrwx) Uid: (0/root) Gid: (0/root)
Access: 2014-09-23 02:08:38.295890037 +0900
Modify: 2014-08-18 02:53:43.335191310 +0900
Change: 2014-08-18 02:53:43.335191310 +0900
 Birth: -
[root@localhost puppet]# stat -L /etc/init.d
  File: ‘/etc/init.d’
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 75105 Links: 2
Access: (0755/drwxr-xr-x) Uid: (0/root) Gid: (0/root)
Access: 2014-09-23 05:22:27.351955472 +0900
Modify: 2014-09-17 03:34:15.521690654 +0900
Change: 2014-09-17 03:34:15.521690654 +0900
 Birth: -
{noformat}
Instead tidy should explicitly set {{:links => :follow}} or at least have it configurable (or both).
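The stat/lstat difference in the description above, and the /tmp/evil concern raised in Adrien Thebo's comment, reproduced in a throwaway sandbox. This is an added example, not Puppet's Fileset or tidy code: `tidy_candidates`, `outside_root`, `demo` and the `scratch`/`protected` directories are hypothetical names constructed for illustration, and nothing is deleted.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical helper, not Puppet's Fileset: list the non-directory entries a
# recursive cleanup of +root+ would consider. links: :manage inspects entries
# with lstat (a symlink is just a link); links: :follow uses stat and descends
# through symlinked directories.
def tidy_candidates(root, links: :manage)
  inspect_with = links == :follow ? :stat : :lstat
  found = []
  rs = File.stat(root)
  seen = { [rs.dev, rs.ino] => true } # visited directories, so link cycles end
  walk = lambda do |dir|
    Dir.children(dir).sort.each do |name|
      path = File.join(dir, name)
      st = begin
        File.public_send(inspect_with, path)
      rescue Errno::ENOENT, Errno::ELOOP
        File.lstat(path) # dangling or looping link: treat it as a plain link
      end
      if st.directory? && !seen[[st.dev, st.ino]]
        seen[[st.dev, st.ino]] = true
        walk.call(path)
      elsif !st.directory?
        found << path
      end
    end
  end
  walk.call(root)
  found
end

# Guard a cleanup could apply before deleting: keep only the candidates whose
# containing directory resolves to somewhere outside +root+.
def outside_root(root, candidates)
  real_root = File.realpath(root)
  candidates.reject do |path|
    parent = File.realpath(File.dirname(path))
    parent == real_root || parent.start_with?(real_root + File::SEPARATOR)
  end
end

# Constructed sandbox: scratch/ is the tidied directory, protected/ stands in
# for a directory that must survive, scratch/evil is a symlink to protected/.
def demo
  Dir.mktmpdir('tidy-demo') do |tmp|
    scratch = File.join(tmp, 'scratch')
    protected_dir = File.join(tmp, 'protected')
    FileUtils.mkdir_p([scratch, protected_dir])
    FileUtils.touch([File.join(scratch, 'old.log'), File.join(protected_dir, 'important.conf')])
    link = File.join(scratch, 'evil')
    File.symlink(protected_dir, link)
    followed = tidy_candidates(scratch, links: :follow)
    rel = ->(paths) { paths.map { |p| p.delete_prefix(scratch + '/') } }
    { lstat_sees_link: File.lstat(link).symlink?,
      stat_sees_dir: File.stat(link).directory?,
      trailing_slash_sees_dir: File.lstat(link + '/').directory?,
      managed: rel.call(tidy_candidates(scratch, links: :manage)),
      followed: rel.call(followed),
      escaping: rel.call(outside_root(scratch, followed)) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With lstat the link is a single removable entry; with stat the walk reaches `important.conf` through it, which is the entry the `outside_root` guard reports.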
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene updated an issue
Puppet / PUP-3328 tidy should follow symlinks
Attached patch. Note that I tested this change (in tidy) directly on a VM. I added a test, but was unable (yet) to run the test locally (hints are welcome).
Change By: Cosmin Lehene Attachment: 0001-PUP-3328-tidy-should-follow-symlinks.patch
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene updated an issue Puppet / PUP-3328 tidy should follow symlinks Change By: Cosmin Lehene
Jira (PUP-3328) tidy should follow symlinks
Cosmin Lehene created an issue
Puppet / PUP-3328 tidy should follow symlinks
Issue Type: Bug
Affects Versions: 3.x
Assignee: Cosmin Lehene
Components: Types and Providers
Created: 22/Sep/14 5:40 PM
Fix Versions: 3.7.2
Priority: Normal
Reporter: Cosmin Lehene
tidy uses Fileset which will use either stat or lstat (see code) depending on :links => :manage | :follow and defaults to :manage (see code)
As tidy doesn't explicitly set :follow the results may vary if the target dir is a symlink.
For example, if trying to tidy /etc/init.d which is a symlink to /etc/rc.d/init.d on CentOS 6/7 it won't work. However tidying /etc/init.d/ (trailing slash) will work. Again this is consistent with how stat/lstat works
[root@localhost puppet]# stat /etc/init.d/
  File: ‘/etc/init.d/’
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 75105 Links: 2
Access: (