Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8707

Default basemodulepath should exclude /opt on Windows

    Details

    • Release Notes:
      Security Fix
    • Release Notes Summary:
      Puppet on Windows no longer includes /opt/puppetlabs/puppet/modules in its default basemodulepath as unprivileged users could create a {{C:\opt}} directory and escalate privileges.
    • QA Risk Assessment:
      Needs Assessment

      Description

      On Windows, basemodulepath defaults to C:/ProgramData/PuppetLabs/code/modules;C:/opt/puppetlabs/puppet/modules when running as a privileged user. An unprivileged user can drop a custom ruby fact into C:/opt/puppetlabs/puppet/modules/<module>/lib/facter/<fact>.rb and escalate privileges the next time the puppet service runs. This is possible because Windows allows all users to create directories in C:/

      The basemodulepath should not include /opt on Windows.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                josh Josh Cooper
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Zendesk Support