compress old puppet reports
seth vidal
skvidal at fedoraproject.org
Tue May 17 19:06:00 UTC 2011
On Tue, 2011-05-17 at 18:59 +0200, Jan-Frode Myklebust wrote:
> On Tue, May 17, 2011 at 08:23:31AM -0400, seth vidal wrote:
> > >
> > > # clean up all but the last 1 month of puppet reports
> > > -/usr/sbin/tmpwatch --mtime 720 /var/lib/puppet/reports/
> > > +/sbin/runuser -s /bin/sh - puppet -c "/usr/sbin/tmpwatch --mtime 720 /var/lib/
>
> (scary how git diff cuts lines at end of terminal..)
I suspect git did not - but I cut and pasted it badly.
> It guards against symlink attack by anyone who can run something as
> user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
> somewhere else (/).
if they can run something as puppet then they can trivially get to root
since they could overwrite the puppet recipes and take over the machine
that way, can't they?
> > >
> > > for host in `echo /var/lib/puppet/reports/*`
> > > do
> > > - /bin/ls -1 $host/*.yaml | head --lines=-48 | xargs --no-run-if-empty xz -9
> > > + /bin/ls -1 $host/*.yaml | head --lines=-48 | \
> > > + /sbin/runuser -s /bin/sh - puppet -c "xargs --no-run-if-empty xz -9"
>
> Guards against races before xargs and bugs in xz which might be processesing
> client controlled input. Would it be conceivable that xz can create a
> compressed file that cron will interpret as a cronjob if placed in
> /etc/cron.d? Similar to https://lwn.net/Articles/191080/ ?
no. I don't think it is - not without a previous exploit on the machine
replacing xz.
> I don't know, but I couldn't rule it out -- so I would much rather run
> the maintenance scripts with the correct privileges instead of root.
if we're going on 'but couldn't rule it out' we may as well just halt
the whole thing.
> > I'm not sure how it makes a hill of beans worth of difference.
> >
> > It makes no network connections and performs nothing controversial.
>
> "puppetmaster" running as "puppet" listens on the network, and has access
> to change these paths. But I'll agree it's probably not a big
> difference since the impact is mostly destroying a machine -- not owning
> it.. Would be great if there were some easier way to specify which user
> each cron.daily job should run as.
puppetmaster listens on the network and only accepts connections from
hosts which are auth'd by an ssl certificate/key.
I don't mind running them as puppet - but I do think this is a
questionable security analysis.
-sv
More information about the infrastructure
mailing list