
Issue #4347

closed

Uploading a puppet module with symlinks fails if selinux is enabled

Added by daviddavis over 5 years ago. Updated about 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Steps to reproduce:
1. Make sure selinux is enabled
2. Upload a puppet module with symlinks to pulp.

Backtrace:

Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088) Traceback (most recent call last):
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)   File "/usr/lib/python2.7/site-packages/pulp_puppet/plugins/importers/metadata.py", line 99, in _extract_json
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)     tgz.extractall(path=extraction_dir)
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)   File "/usr/lib64/python2.7/tarfile.py", line 2047, in extractall
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)     self.extract(tarinfo, path)
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)   File "/usr/lib64/python2.7/tarfile.py", line 2084, in extract
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)     self._extract_member(tarinfo, os.path.join(path, tarinfo.name))
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)   File "/usr/lib64/python2.7/tarfile.py", line 2168, in _extract_member
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)     self.makelink(tarinfo, targetpath)
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)   File "/usr/lib64/python2.7/tarfile.py", line 2247, in makelink
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088)     os.symlink(tarinfo.linkname, targetpath)
Jan 21 21:24:28 satellite pulp: pulp_puppet.plugins.importers.metadata:ERROR: [70eafa1b] (4676-29088) OSError: [Errno 13] Permission denied
Actions #2

Updated by bmbouter about 5 years ago

When it says "with symlinks to Pulp", is that a symlink file in the tarball that is pointing at a target path like /var/lib/pulp/...?

Actions #3

Updated by daviddavis about 5 years ago

No the symlinks are internal to the puppet module. They link some folders in the tests directory to the puppet module lib directory.

Actions #4

Updated by bmbouter about 5 years ago

Thanks for explaining that. I understand why a user would want to do that. It's a little scary though because this could be used to exfiltrate data off of Pulp servers, right? It could point to /my/sensitive/secret and expose a CA cert. Granted, other selinux mechanisms should prevent kernel-level read access on those other files, but in the layered security model we're removing one layer.

Isn't there a puppet dependency mechanism that would allow a module that depends on other modules to express that at the puppet class or module level?

Actions #5

Updated by daviddavis about 5 years ago

> Thanks for explaining that. I understand why a user would want to do that. It's a little scary though because this could be used to exfiltrate data off of Pulp servers, right? It could point to /my/sensitive/secret and expose a CA cert. Granted, other selinux mechanisms should prevent kernel-level read access on those other files, but in the layered security model we're removing one layer.

I had the same concern around security.

> Isn't there a puppet dependency mechanism that would allow a module that depends on other modules to express that at the puppet class or module level?

I'm not a puppet expert so I don't know. I would assume so though.

Actions #6

Updated by bmbouter about 5 years ago

I think they should use the "dependencies" field for their modules metadata. It can also reference standard lib or puppetforge locations as I understand it. The docs are here: https://puppet.com/docs/puppet/6.2/modules_metadata.html#reference-4908

If that's the case is this CLOSED - NOTABUG?

Actions #7

Updated by bmbouter about 5 years ago

Recapping a conversation from IRC: this module isn't linking outside of itself, it's linking to another area within the tgz itself.

It would be possible to adjust selinux to allow Pulp to make symlinks, and add code to "check that it's safe" in Pulp's application code. This is difficult to do correctly though, and Pulp has had at least one (now resolved) CVE for similar implementation errors before. If a patch were available I would be OK to accept it, but weighing the benefit against the risk, I don't think it's something pulp_puppet should pursue.

Overall when the tarball is made, they could dereference the symlinks then. The user could apply this workaround before uploading things to Pulp also, even if they aren't the module author.
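The "check that it's safe" step that #7 says is hard to get right, and the exposure #4 worries about (a symlink in the archive pointing at a file outside the extraction directory), written out as an added example for this page. This is not pulp_puppet code and not the Pulp project's implementation; it is a Python 3 script that builds a constructed module-like tarball (names such as example-mod, tests/fixtures -> ../lib and the hostile members are made up) and extracts only the members whose paths and link targets resolve inside the destination, mirroring the rules that Python >= 3.12's `tarfile` `filter="data"` applies. It assumes a Linux filesystem that supports symlinks.

```python
"""Added example (not pulp_puppet code): validate tar members before extraction.

Builds a constructed module tarball containing a module-internal symlink of
the kind described in the report (tests/fixtures -> ../lib) plus hostile
members an attacker could add, then extracts only members that stay inside
the destination directory. Requires Python 3 on a filesystem with symlinks.
"""
import io
import os
import tarfile
import tempfile


class UnsafeMember(ValueError):
    """Raised for a member that would escape the extraction directory."""


def _inside(base, path):
    """True if absolute, normalised *path* equals *base* or lies below it."""
    return path == base or path.startswith(base + os.sep)


def check_member(member, dest):
    """Validate one TarInfo against the extraction root *dest*.

    Rules: the member path must resolve inside dest (rejects absolute paths
    and '..'); symlink and hardlink targets must resolve inside dest as well;
    device and FIFO members are refused. Returns the member's absolute path.
    """
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if not _inside(dest, target):
        raise UnsafeMember("path escapes extraction dir: %r" % member.name)
    if member.isdev():
        raise UnsafeMember("special file not allowed: %r" % member.name)
    if member.issym():
        # A symlink target is relative to the directory containing the link.
        link_target = os.path.realpath(
            os.path.join(os.path.dirname(target), member.linkname))
        if os.path.isabs(member.linkname) or not _inside(dest, link_target):
            raise UnsafeMember("symlink %r -> %r leaves extraction dir"
                               % (member.name, member.linkname))
    elif member.islnk():
        # Hardlink names are archive-relative, so resolve against dest.
        link_target = os.path.realpath(os.path.join(dest, member.linkname))
        if not _inside(dest, link_target):
            raise UnsafeMember("hardlink %r -> %r leaves extraction dir"
                               % (member.name, member.linkname))
    return target


def safe_extract(tar, dest):
    """Extract *tar* into *dest*; return (extracted names, rejected names).

    Members are checked in archive order. A rejected member is skipped so
    the caller can log what was dropped instead of aborting the upload.
    """
    ok, rejected = [], []
    for member in tar.getmembers():
        try:
            check_member(member, dest)
        except UnsafeMember:
            rejected.append(member.name)
            continue
        tar.extract(member, path=dest)
        ok.append(member.name)
    return ok, rejected


def build_module_tarball(path):
    """Write a constructed module-like tarball (sample data, not a real module)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, body in (("example-mod/metadata.json",
                            b'{"name": "example-mod", "version": "0.1.0"}\n'),
                           ("example-mod/lib/puppet/foo.rb",
                            b"# constructed stub\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        # Module-internal link, like the one in the report: stays inside.
        for name, linkname in (("example-mod/tests/fixtures", "../lib"),
                               # Hostile: absolute target outside the module.
                               ("example-mod/secret", "/etc/passwd"),
                               # Hostile: relative target climbing out of dest.
                               ("example-mod/etc", "../../../../etc/passwd")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = linkname
            tar.addfile(link)
        # Hostile: plain path traversal in the member name.
        tar.addfile(tarfile.TarInfo("../escaped.txt"), io.BytesIO(b""))


def demo():
    """Build the tarball, extract safely into a temp dir, report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "example-mod-0.1.0.tar.gz")
        build_module_tarball(archive)
        dest = os.path.join(tmp, "extract")
        os.mkdir(dest)
        with tarfile.open(archive, "r:gz") as tar:
            ok, rejected = safe_extract(tar, dest)
        link = os.path.join(dest, "example-mod", "tests", "fixtures")
        internal_link_ok = os.path.islink(link) and os.readlink(link) == "../lib"
        escaped = os.path.exists(os.path.join(tmp, "escaped.txt"))
        return ok, rejected, internal_link_ok, escaped


if __name__ == "__main__":
    print(demo())
```

The internal tests/fixtures -> ../lib link is kept, while both hostile symlinks and the `../` member are dropped without touching anything outside the extraction directory. The same containment checks are what `tarfile.extractall(filter="data")` enforces on Python 3.12 and the releases that backported it (PEP 706), which is the simpler route on current interpreters. The workaround #7 suggests, dereferencing links when the archive is built, corresponds to `tar --dereference` (`-h`) in GNU tar or `tarfile.open(..., dereference=True)` in Python, which stores the link targets' contents so no symlink members reach the server at all.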

Actions #8

Updated by daviddavis about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX

No word from downstream. I am closing this as WONTFIX until we hear that they need this.

Actions #9

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
