Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8707

Default basemodulepath should exclude /opt on Windows

    XMLWordPrintable

Details

    • Coremunity
    • CVE-2018-6513
    • Platform Core KANBAN
    • Needs Assessment
    • Security Fix
    • Puppet on Windows no longer includes /opt/puppetlabs/puppet/modules in its default basemodulepath as unprivileged users could create a {{C:\opt}} directory and escalate privileges.
    • Needs Assessment

    Description

      On Windows, basemodulepath defaults to C:/ProgramData/PuppetLabs/code/modules;C:/opt/puppetlabs/puppet/modules when running as a privileged user. An unprivileged user can drop a custom ruby fact into C:/opt/puppetlabs/puppet/modules/<module>/lib/facter/<fact>.rb and escalate privileges the next time the puppet service runs. This is possible because Windows allows all users to create directories in C:/

      The basemodulepath should not include /opt on Windows.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support