Details
Bug
Status: Accepted
Normal
Resolution: Unresolved
PUP 4.7.0
None
OS: linux
Platform: puppet installed as gem and no libshadow
Phoenix
Needs Assessment
Description
Issue
When libshadow is not present on a client, the agent will silently not set the password for a user. In this case silence is not golden because a system can become insecure (e.g. rotating root passwords) and there is no report of the failure to update the password.
Repro
Dockerfile:
FROM centos:7

RUN rpm -Uvh https://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm && \
    yum install -y puppet-3.8.7

run.sh:
#!/bin/bash

# First run: ruby-shadow is installed, so the password is written to /etc/shadow.
echo "==> Setting password for bob to 'alice'..."
puppet apply -tv --execute "user {'bob': password => 'alice', }"
grep bob /etc/shadow
echo

# Remove the libshadow binding, then request a different password.
rpm --nodeps --erase ruby-shadow

echo "==> Setting password for bob to 'robert'..."
puppet apply -tv --execute "user {'bob': password => 'robert', }"
grep bob /etc/shadow

$ docker run --rm -t -v $PWD/run.sh:/run.sh puppet /run.sh
==> Setting password for bob to 'alice'...
Notice: Compiled catalog for b2a735570f73.local in environment production in 0.16 seconds
Info: Applying configuration version '1493591675'
Notice: /Stage[main]/Main/User[bob]/ensure: created
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.50 seconds
bob:alice:17286:0:99999:7:::

==> Setting password for bob to 'robert'...
Notice: Compiled catalog for b2a735570f73.local in environment production in 0.15 seconds
Info: Applying configuration version '1493591678'
Notice: Finished catalog run in 0.04 seconds
bob:alice:17286:0:99999:7:::
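
A post-run check for the failure shown above, as an added example that is not part of the original report and is not Puppet's own code: it tests whether the ruby-shadow binding loads and compares the password field in shadow-format text with the value the catalog requested. The function names and the `root` line in the sample are constructed for illustration; the `bob` line is the one printed after the second run.

```ruby
# Added example (not Puppet code): detect a password that a run left unchanged.

# True when the ruby-shadow binding (`require 'shadow'`) loads in this Ruby.
def libshadow_loadable?
  require 'shadow'
  true
rescue LoadError
  false
end

# Parse shadow(5) text into { login => password field }.
def shadow_fields(text)
  text.each_line.with_object({}) do |line, acc|
    line = line.chomp
    next if line.empty? || line.start_with?('#')
    login, field = line.split(':', 3)
    acc[login] = field unless login.nil? || field.nil?
  end
end

# Compare the password values the catalog asked for with what is on disk.
# Returns { login => :missing | :mismatch } for every user that drifted.
def password_drift(shadow_text, expected)
  actual = shadow_fields(shadow_text)
  expected.each_with_object({}) do |(login, want), drift|
    if !actual.key?(login)
      drift[login] = :missing
    elsif actual[login] != want
      drift[login] = :mismatch
    end
  end
end

# Constructed sample: the root line is invented, the bob line is from the report.
SHADOW_SAMPLE = "root:!!:17286:0:99999:7:::\nbob:alice:17286:0:99999:7:::\n"

puts "libshadow loadable: #{libshadow_loadable?}"
password_drift(SHADOW_SAMPLE, 'bob' => 'robert').each do |login, state|
  puts "DRIFT #{login}: #{state} (the run reported no change and no failure)"
end
```

On a real node, pass `File.read('/etc/shadow')` (root only) and the password values from the catalog, and run the script with the same Ruby that the agent uses.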