[PUP-5704] The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: PUP 3.8.4, PUP 4.5.0, PUP 4.8.0, PUP 4.8.2, PUP 4.10.4
Fix Version/s: PUP 6.24.0, PUP 7.9.0
Component/s: None
Labels:
- doc-reviewed
Environment:

Debian Testing (stretch) with Puppet 3.8.4

Epic Link:
Security Fixes
Team:
Night's Watch
Story Points:
3
Sprint:
NW - 2021-06-30, NW - 2021-07-14

Release Notes:
Enhancement
Release Notes Summary:

Hide
The `exec` provider now supports commands provided as an array.
When the command is an Array of Strings, passed as `[cmdname, arg1, ...]` it will be executed directly(the first element is taken as a command name and the rest are passed as parameters to command with no shell expansion).

This is supported for the following exec parameters:
comand, onlyif, unless, refresh

Example:
exec { 'test':
  command => ['/bin/echo', '*'],
  unless => [['test', '-f', 'filename']],
}

Note that for` onlyif` and `unless`, because this parameters already accept multiple commands as an array, you need to pass the value as an array of array to take advantage of the new behaviour.

Show
The `exec` provider now supports commands provided as an array. When the command is an Array of Strings, passed as `[cmdname, arg1, ...]` it will be executed directly(the first element is taken as a command name and the rest are passed as parameters to command with no shell expansion). This is supported for the following exec parameters: comand, onlyif, unless, refresh Example: exec { 'test':   command => ['/bin/echo', '*'],   unless => [['test', '-f', 'filename']], } Note that for` onlyif` and `unless`, because this parameters already accept multiple commands as an array, you need to pass the value as an array of array to take advantage of the new behaviour.

Description

This issue was first reported here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786

Hi,

the puppet type reference describes the "posix" provider of the "exec"
resource like this: [0]

posix
Executes external binaries directly, without passing through a shell or
performing any interpolation. This is a safer and more predictable way to
execute most commands, but prevents the use of globbing and shell built-ins
(including control logic like “for” and “if” statements).

However:

root@shepard:~# cat manifest.pp

$input = 'foo; if false; then exit 23; else exit 42; fi'

exec { "/bin/echo ${input}":

provider => 'posix',

root@shepard:~# puppet apply manifest.pp

Notice: Compiled catalog for shepard.kurtz.be in environment production in 0.04 seconds

Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo

Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0]

Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0]

Notice: Finished catalog run in 0.08 seconds

root@shepard:~#

I'm not really sure what to make of this, but it seems... unexpected.
What do you guys think?

Best regards

Alexander Kurtz

[0] https://docs.puppetlabs.com/references/3.8.latest/type.html#exec-provider-posix

Attachments

Activity

People

Assignee:: Gheorghe Popescu

Reporter:: Alexander Kurtz

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2016/01/12 4:46 AM

Updated:: 2022/06/21 10:13 AM

Resolved:: 2021/07/04 11:51 PM