Puppet / PUP-5151

Don't allow remote filebuckets to be listed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.3.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Story Points:
      2
    • Sprint:
      Client 2015-10-28
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      Puppet 4.3.0 adds the ability to list remote and local filebuckets (PUP-1388). However, listing remote file buckets is a security issue, since any node can retrieve any file backed up by any other node. This ticket ensures remote file buckets cannot be listed. Since we never released a version of puppet containing PUP-1388, there isn't a "bug" to document. Though we should mention in 1388 that only local file buckets can be listed, and I've updated that ticket's release summary.

      Description

      PUP-1388 made it possible to list remote filebuckets (and has not yet been released). When combined with the default auth.conf granting all authenticated nodes read/write access to the filebucket, then any authenticated node can trivially download all files that have ever been filebucketed from all nodes.

      This is technically possible today, but much harder, because the node can only ask for files by checksum, and doesn't know what other files have been backed up by other nodes.

      We should only allow the list command to work with local filebuckets.
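
An added example (not Puppet's code and not part of this ticket): a small audit that reads a legacy-format auth.conf and reports rules that expose the filebucket endpoint to every authenticated node, the default condition the description refers to. The request path `/puppet/v3/file_bucket_file/...`, the sample rules and the host names are assumptions constructed for illustration.

```ruby
# Added example, not Puppet code. The request path and the sample rules
# below are assumptions constructed for illustration.
BUCKET_REQUEST = '/puppet/v3/file_bucket_file/md5/0123abcd'.freeze

# Parse legacy-format auth.conf text into a list of rule hashes.
def parse_rules(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key == 'path'
      regex = value.to_s.start_with?('~')
      rules << { path: value.to_s.sub(/\A~\s*/, ''), regex: regex, allow: [] }
    elsif key == 'allow' && rules.any?
      rules.last[:allow].concat(value.to_s.split(/\s*,\s*/))
    end
  end
  rules
end

# A plain path is a prefix match; "path ~ ..." is a regular expression.
def covers_bucket?(rule)
  if rule[:regex]
    Regexp.new(rule[:path]).match?(BUCKET_REQUEST)
  else
    BUCKET_REQUEST.start_with?(rule[:path])
  end
end

# Rules that open the filebucket to every authenticated node ("allow *").
# Rule ordering and method/auth directives are not modelled; every
# candidate is reported so a reviewer can look at it.
def open_bucket_rules(text)
  parse_rules(text).select { |r| covers_bucket?(r) && r[:allow].include?('*') }
end

SAMPLE_AUTH_CONF = <<~'CONF'
  # constructed sample in legacy auth.conf syntax
  path ~ ^/puppet/v3/catalog/([^/]+)$
  allow $1

  path /puppet/v3/file
  allow *

  path /
CONF

open_bucket_rules(SAMPLE_AUTH_CONF).each do |r|
  puts "filebucket reachable by all authenticated nodes via: path #{r[:path]}"
end
```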


              People

              • Assignee:
                qa qa
                Reporter:
                josh Josh Cooper