Puppet / PUP-11209

puppet agent silently skips augeas settings, possibly causing severe security problems


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 7.10.0
    • Fix Version/s: PUP 7.12.1, PUP 6.25.1
    • None
    • Team: Night's Watch
    • 5
    • Sprint: NW - 2021-09-08, NW - 2021-09-22, NW - 2021-10-06
    • Needs Assessment
    • Release Notes: Bug Fix
    • Release Notes Summary:
      Previously, all unknown resources were converted into a component (`Puppet::Type::Component`) by default and silently skipped when applying a catalog. This fix adds a new resource attribute that specifies the resource kind, which is used to differentiate between built-in types and user defined types. Now resources that are known and available on the server node are also verified on the agent node, which now fails when something unknown is found in the received catalog.
    • Needs Assessment

    Description

      Nasty Security and Configuration problem.

      I'm currently testing and migrating an older puppet configuration made for puppet 5 (as delivered with Ubuntu 20.04) to puppet 7. Since Ubuntu doesn't deliver anything above puppet 5, I'm using:

      server side: Ubuntu 20.04, running puppet server in the official puppet/puppetserver, latest version from today, running puppetserver 7.3.0, installing some modules through Puppetfile
      client side: Ubuntu 20.04, using the regular ruby package from ubuntu and the gem puppet 7.10.0

      I'm using the augeas {...} resource type to configure several security relevant files, e.g. to turn password authentication off in /etc/ssh/sshd_config.

      I've noticed that puppet agent --test ran smoothly and silently without any error message, reporting success, but did not execute the augeas commands. Therefore, the configured machine is running as if puppet was successful, but still with weak security options.

      This is highly dangerous.

      I did some debugging and found that on the server side maybe the module augeas_core was missing (which I have installed then) and on the client side the packages ruby-augeas and augeas-tools were not installed. Even then, it did not work, but silently reported success.

      The reason is that the ubuntu package ruby-augeas contains the file

      /usr/lib/ruby/vendor_ruby/augeas.rb

      which is never found by the puppet agent. strace reveals that the agent looks for augeas.rb on plenty of locations, but not there, and thus never finds it.

      Again, the agent does not report any problem, and silently finishes as if everything was running well, leaving files like /etc/ssh/sshd_config unconfigured.

      Whatever modules, gems, programs are missing or cannot be found, under no circumstances should puppet, neither server nor agent, ever report success for something it hasn't actually done.

      I'm not really sure whether this is a server or agent side problem. But since the agent (unsuccessfully) tries to find augeas.rb and /opt/puppetlabs/puppet/cache/client_data/catalog/hostname.json contains the translated resource, this is rather an agent side problem.
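The failure mode in this report is that the agent reports success while the Augeas-managed settings never reach the file. On agents running a version without the fix, the only reliable signal is to compare what the cached catalog asked for against what the managed file actually contains. The following is an added example, not code from the issue or from the Puppet project: it parses a constructed catalog fragment shaped like the `resources` array of the cached catalog JSON (`type`, `title`, `parameters` keys, with the Augeas `context` and `changes` parameters), extracts simple `set KEY VALUE` changes aimed at one file, and reports every setting the file does not carry. The sshd_config sample is also constructed; it only handles unquoted `set` changes and sshd's first-match-wins keyword semantics, which is an assumption kept deliberately simple.

```ruby
require 'json'

# Constructed catalog fragment, modelled on the shape of
# /opt/puppetlabs/puppet/cache/client_data/catalog/<hostname>.json.
# Field names follow Puppet's catalog JSON; the values are made up for this example.
SAMPLE_CATALOG = <<~JSON
  {
    "resources": [
      {
        "type": "Augeas",
        "title": "sshd_config",
        "parameters": {
          "context": "/files/etc/ssh/sshd_config",
          "changes": ["set PasswordAuthentication no", "set PermitRootLogin no"]
        }
      },
      {
        "type": "File",
        "title": "/etc/motd",
        "parameters": { "ensure": "file" }
      }
    ]
  }
JSON

# Constructed sshd_config as left behind by a run that skipped the Augeas resource:
# the commented-out line must not count as a setting.
SAMPLE_SSHD_CONFIG = <<~CONF
  # PasswordAuthentication no
  PasswordAuthentication yes
  PermitRootLogin no
CONF

# Collect "set KEY VALUE" changes from every Augeas resource whose context
# points at the given file. Returns { "KEY" => "VALUE" }.
def expected_settings(catalog_json, file)
  catalog = JSON.parse(catalog_json)
  settings = {}
  catalog.fetch('resources', []).each do |res|
    next unless res['type'] == 'Augeas'
    params = res['parameters'] || {}
    next unless params['context'] == "/files#{file}"
    Array(params['changes']).each do |change|
      # Only the simple, unquoted form "set <lens node> <value>" is recognised (assumption).
      m = change.match(/\Aset\s+(\S+)\s+(\S+)\z/)
      settings[m[1]] = m[2] if m
    end
  end
  settings
end

# Parse the effective sshd_config: blank lines and comments are ignored, and
# the first occurrence of a keyword wins, as sshd itself evaluates the file.
def effective_settings(config_text)
  config_text.each_line.each_with_object({}) do |line, effective|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    effective[key] = value unless effective.key?(key)
  end
end

# Return [key, wanted, actual] for every catalog setting the file does not satisfy.
# An empty array means the file matches what the catalog declared.
def drift(catalog_json, file, config_text)
  actual = effective_settings(config_text)
  expected_settings(catalog_json, file).each_with_object([]) do |(key, want), out|
    got = actual[key]
    out << [key, want, got] if got != want
  end
end

if __FILE__ == $PROGRAM_NAME
  drift(SAMPLE_CATALOG, '/etc/ssh/sshd_config', SAMPLE_SSHD_CONFIG).each do |key, want, got|
    warn "DRIFT #{key}: catalog wants #{want.inspect}, file has #{got.inspect}"
  end
end
```

Run against a real host, the two constants would be replaced by the cached catalog file and the managed file read from disk; a non-empty result after a run that reported success is exactly the condition described in this issue and is worth alerting on.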
      People
            Assignee: Victor Bobosila (victor.bobosila)
            Reporter: Hadmut Danisch (hadmut)