ant
2010-Apr-14 12:25 UTC
[Puppet Users] heads up: plusignment on users groups is potentially dangerous
I just logged a bug http://projects.puppetlabs.com/issues/3556 which details an issue, where doing:

    User["sysadmin", "pleb"] { groups +> "wwwadm" }

unexpectedly gives user pleb ALL of sysadmin's groups...

It created a bit of a security issue for me here, as a bunch of plebs were suddenly granted sudo rights to all kinds of things merely because I tried to make a few manifests more concise...

Doing this is safe:

    User["sysadmin"] { groups +> "wwwadm" }
    User["pleb"] { groups +> "wwwadm" }

I am on 0.25.4, haven't tried other versions yet, just a "heads up!".
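Added example, not part of the original post and not Puppet's own code: a small Ruby audit that flags multi-title `User[...]` overrides that plus-assign `groups` and prints the one-override-per-user form the post reports as safe. It is a regex scan rather than a Puppet parser, it assumes override bodies contain no nested braces, and the manifest text and the names `SAMPLE_MANIFEST` and `find_risky_overrides` are constructed for illustration.

```ruby
# Constructed sample manifest; only the first override comes from the post.
SAMPLE_MANIFEST = <<~'PP'
  class web::admins inherits accounts {
    User["sysadmin", "pleb"] { groups +> "wwwadm" }
    User["deploy"] { groups +> "wwwadm" }
    User['alice', 'bob'] {
      shell  => "/bin/bash",
      groups +> ["wwwadm", "dbadm"],
    }
    User["carol", "dave"] { shell => "/bin/zsh" }
  }
PP

# User[<titles>] { <body> }; assumption: the body has no nested braces.
OVERRIDE_RE = /\bUser\s*\[([^\]]+)\]\s*\{([^{}]*)\}/m
# groups +> <value>, where the value is an array or a single token.
GROUPS_RE = /\bgroups\s*\+>\s*(\[[^\]]*\]|[^,\s}]+)/

Finding = Struct.new(:line, :titles, :value, :split_form)

# Returns one Finding per override that names several users AND
# plus-assigns groups, which is the combination reported in the post.
def find_risky_overrides(source)
  findings = []
  source.scan(OVERRIDE_RE) do
    m = Regexp.last_match
    titles = m[1].split(",").map { |t| t.strip.delete(%q("')) }.reject(&:empty?)
    next if titles.size < 2      # single-title form is the one reported safe
    value = m[2][GROUPS_RE, 1]
    next unless value            # override does not touch groups with +>
    line = source[0...m.begin(0)].count("\n") + 1
    # Same body, repeated once per user, so no attribute is lost.
    split = titles.map { |t| %(User["#{t}"] {#{m[2]}}) }
    findings << Finding.new(line, titles, value, split)
  end
  findings
end

if __FILE__ == $0
  find_risky_overrides(SAMPLE_MANIFEST).each do |f|
    puts "line #{f.line}: groups +> #{f.value} on #{f.titles.join(', ')}"
    puts "  rewrite as:"
    f.split_form.each { |s| puts "    #{s}" }
  end
end
```

After rewriting, compare each affected user's actual group membership on the managed hosts against what was intended, since memberships granted by an earlier run stay in place until something removes them.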