[Pkg-puppet-devel] Bug#778891: puppet: systemd unit file does not load environment from /etc/default/puppet - breaks upgrades

Rik Theys Rik.Theys at esat.kuleuven.be
Sat Feb 21 11:25:56 UTC 2015


Package: puppet
Version: 3.7.2-2
Severity: grave
Tags: patch security
Justification: user security hole


Hi,

During an upgrade from wheezy to jessie, puppet was upgraded to 3.7.2 and systemd
became the default init system.

In our environment, our puppet master is not called "puppet" and we override this
setting using the DAEMON_OPTS variable in /etc/default/puppet:

DAEMON_OPTS="--server our-puppet-master.ourdomain.tld"

The wheezy (and jessie) init script supports this, but the systemd unit file for 
puppet does not read this environment file and defaults back to the "puppet" DNS
name for puppet masters.

The fix for this is simple and a patch for the systemd unit file is attached:
the unit file should have an EnvironmentFile statement to load the environment
from /etc/default/puppet (if it exists).

The patch only brings back support for the DAEMON_OPTS option, and not for the
variable to prevent startup.

I've flagged this as security as an upgrade from wheezy to jessie could open a
system to a puppet server controlled by someone else. In case the puppet client
did not yet have a signed certificate it could be signed by the "puppet" puppet
master, which could then execute arbitrary actions on the system.

I did not check if the postinst script only enables the systemd unit when the
START variable in /etc/default/puppet is set to "yes". If it doesn't, the
puppet service will be started on upgrades to jessie (and systemd), even if it
was disabled before. It would also introduce the problem above by contacting
the wrong puppet master.

Regards,

Rik



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages puppet depends on:
ii  init-system-helpers         1.22
ii  puppet-common               3.7.2-2
ii  ruby                        1:2.1.0.4
ii  ruby2.1 [ruby-interpreter]  2.1.5-1

puppet recommends no packages.

Versions of packages puppet suggests:
pn  etckeeper   <none>
pn  puppet-el   <none>
pn  vim-puppet  <none>

-- Configuration Files:
/etc/default/puppet e3a89dd703e6b796ef7889ba75af2df7 [Errno 2] No such file or directory: u'/etc/default/puppet e3a89dd703e6b796ef7889ba75af2df7'
/etc/logrotate.d/puppet 037c34a239a8895833388ccfce278adc [Errno 2] No such file or directory: u'/etc/logrotate.d/puppet 037c34a239a8895833388ccfce278adc'

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: puppet-environmentfile.patch
Type: text/x-diff
Size: 345 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20150221/2ec5f2ac/attachment.patch>
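As an added example (not part of the report or of the Debian package), a small shell model of the failure mode the report describes: it evaluates which master an agent would contact given a unit file and an /etc/default/puppet, and shows that only a unit with an EnvironmentFile= line and $DAEMON_OPTS in ExecStart honours the --server override. The unit contents and the scratch paths written by `make_fixture` are constructed assumptions, not Debian's actual files.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): it models
# the failure mode above, where one /etc/default/puppet yields a different
# effective puppet master depending on whether the unit loads that file.
# Paths and unit contents below are constructed for illustration.
# Print the --server a puppet agent started from unit $1 would contact,
# given defaults file $2. "puppet" is Puppet's built-in default and is what
# the agent silently falls back to when DAEMON_OPTS is never read.
effective_puppet_server() {
    unit=$1 defaults=$2 server=puppet
    # DAEMON_OPTS only takes effect if the unit both loads the defaults
    # file (EnvironmentFile=, "-" prefix = optional) and expands it in ExecStart.
    if grep -Eq "^EnvironmentFile=-?$defaults\$" "$unit" \
       && grep -q '^ExecStart=.*\$DAEMON_OPTS' "$unit" && [ -r "$defaults" ]; then
        # Read the quoted value without sourcing the file as shell code.
        opts=$(sed -n 's/^DAEMON_OPTS="\(.*\)"$/\1/p' "$defaults")
        set -- $opts
        while [ $# -gt 0 ]; do
            case $1 in
                --server) server=$2; shift ;;
                --server=*) server=${1#--server=} ;;
            esac
            shift
        done
    fi
    printf '%s\n' "$server"
}

# Create a scratch dir with a defaults file, the unit as shipped (no
# EnvironmentFile) and the unit carrying the reported fix; print its path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'DAEMON_OPTS="--server our-puppet-master.ourdomain.tld"\n' \
        > "$dir/puppet.defaults"
    printf '[Service]\nExecStart=/usr/bin/puppet agent\n' > "$dir/shipped.service"
    printf '[Service]\nEnvironmentFile=-%s/puppet.defaults\n' "$dir" > "$dir/fixed.service"
    printf 'ExecStart=/usr/bin/puppet agent $DAEMON_OPTS\n' >> "$dir/fixed.service"
    printf '%s\n' "$dir"
}

# Stand-alone demo: the shipped unit contacts "puppet", the fixed one the
# master named in DAEMON_OPTS.
main() {
    d=$(make_fixture)
    for u in shipped fixed; do
        printf '%-8s -> %s\n' "$u" "$(effective_puppet_server "$d/$u.service" "$d/puppet.defaults")"
    done
    rm -rf "$d"
}
main
```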
