Jira (PUP-6471) Add toggle to disable symlinks in the file server
Title: Message Title Rob Braden created an issue Puppet / PUP-6471 Add toggle to disable symlinks in the file server Issue Type: Improvement Assignee: Unassigned Created: 2016/07/04 10:26 PM Priority: Normal Reporter: Rob Braden The fileserver functionality of puppet (https://docs.puppet.com/puppet/latest/reference/config_file_fileserver.html) follows symlinks. While this is not an issue in simple deployments, if the fileserver is used to serve files from mixed trust sources; its possible that a symlink was placed under the fileserver's root that references say /. It would then be possible to read arbitrary files as the puppet service, such as private keys and eyaml keys. What would be great is a fileserver.conf option to not follow symlinks. This way if the fileserver directory has a mixed trust level, an upstream compromise or other attack won't allow a compromise of puppet itself. For example, puppet's fileserver might be a NFS share mounted from a remote host. With symlinks enabled, puppet now has to fully trust the remote share and the network as NFS is vuln to MITM. Add Comment
Jira (PUP-6471) Add toggle to disable symlinks in the file server
Title: Message Title Henrik Lindberg updated an issue Puppet / PUP-6471 Add toggle to disable symlinks in the file server Change By: Henrik Lindberg Scrum Team: Puppet Server Add Comment This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6471) Add toggle to disable symlinks in the file server
Title: Message Title Moses Mendoza commented on PUP-6471 Re: Add toggle to disable symlinks in the file server Thank you for filing this issue. We agree it is likely an improvement, but due to other issues demanding precedence, we don’t anticipate being able to address this any time soon. If you are interested in submitting a patch to the repository for this project at https://github.com/puppetlabs, please open a pull request and re-open this ticket. Pending that, we are closing this as “Won’t Fix.” We may revisit it at a later time, and if so will re-open this ticket. Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
