Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-6494

exec resources leak the command string when execution fails

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.10.0, PUP 5.0.0
    • Component/s: None
    • Labels:
    • Template:
    • Team:
      Systems Engineering
    • Story Points:
      1
    • Sprint:
      SE 2017-01-25, SE 2017-02-08, SE 2017-02-22, SE 2017-03-08
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Hide
      Added support for sensitive commands in the Exec resource type:
      command parameters that are specified as Sensitive.new(...) are now
      properly redacted when the command fails. This supports using data from lookup and hiera.
      Show
      Added support for sensitive commands in the Exec resource type: command parameters that are specified as Sensitive.new(...) are now properly redacted when the command fails. This supports using data from lookup and hiera.
    • QA Risk Assessment:
      Manual

      Description

      If an exec is run as an inline sh script with an eyaml'd password variable, the password will get logged in plaintext on the console and agent if it fails. loglevel and logoutput don't do anything in this situation, as it's the command that's being displayed, not the output of the command. It was suggested to make the command into a script and run it that way, but that presents putting the password plaintext in the script, not a viable long-term solution.

      Having the exec's inline sh script executed in this manner presents another issue. The same data is present in the cached catalog on agents in /opt/puppetlabs/puppet/cache/client_data/catalog/*.json. I imagine this issue is caught somewhere in https://tickets.puppetlabs.com/browse/PUP-1974.

      Just an idea to branch off of the "sensitive" resource type mentioned in PUP-1974: Most passwords and sensitve data will be coming from an eyaml'd variable(at least, in our scenario). If there were a setting in puppet.conf that would mark all eyaml data as "sensitive", hashing or masking it in logs and cached catalogs, that might take care of the lion's share of sensitive information leaks. This would be in addition to being able "to give manifest/module authors the ability to specify resource properties (such as attributes or titles) which are sensitive".

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              john.duarte John Duarte
              Reporter:
              bconner22 Brian Conner
              QA Contact:
              John Duarte
              Votes:
              2 Vote for this issue
              Watchers:
              16 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support