(#14333) Ensure module permissions are sane.

Prior to this change, tarballs unpacked by the root user would be unpacked with the permissions and the ownership information present in the tarball. In the best case, this made some modules fail to function after installation since the newly installed module was owned by a different user. In the worst case, this could be seen as a fairly serious security vulnerability. This change ensures that the module's permissions are always owner-writable, world-readable, and that the owner is always the same as the module's parent directory.
puppetlabs · Aug 2, 2013 · 90d4180 · 90d4180
1 parent e160e99
commit 90d4180
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/lib/puppet/module_tool/applications/unpacker.rb b/lib/puppet/module_tool/applications/unpacker.rb
@@ -9,7 +9,8 @@ def initialize(filename, options = {})
         @filename = Pathname.new(filename)
         parsed = parse_filename(filename)
         super(options)
-        @module_dir = Pathname.new(options[:target_dir]) + parsed[:dir_name]
+        @module_path = Pathname(options[:target_dir])
+        @module_dir = @module_path + parsed[:dir_name]
       end
 
       def run
@@ -46,6 +47,9 @@ def extract_module_to_install_dir
             else
               Puppet::Util.execute("tar xzf #{@filename} -C #{build_dir}")
             end
+            Puppet::Util.execute("find #{build_dir} -type d -exec chmod 755 {} +")
+            Puppet::Util.execute("find #{build_dir} -type f -exec chmod 644 {} +")
+            Puppet::Util.execute("chown -R #{@module_path.stat.uid} #{build_dir}")
           rescue Puppet::ExecutionFailure => e
             raise RuntimeError, "Could not extract contents of module archive: #{e.message}"
           end

diff --git a/spec/unit/module_tool/applications/unpacker_spec.rb b/spec/unit/module_tool/applications/unpacker_spec.rb
@@ -36,6 +36,9 @@
     context "on linux" do
       it "should attempt to untar file to temporary location using system tar" do
         Puppet::Util.expects(:execute).with("tar xzf #{filename} -C #{build_dir}").returns(true)
+        Puppet::Util.expects(:execute).with("find #{build_dir} -type d -exec chmod 755 {} +").returns(true)
+        Puppet::Util.expects(:execute).with("find #{build_dir} -type f -exec chmod 644 {} +").returns(true)
+        Puppet::Util.expects(:execute).with("chown -R #{build_dir.stat.uid} #{build_dir}").returns(true)
         unpacker.run
       end
     end
@@ -48,6 +51,9 @@
       it "should attempt to untar file to temporary location using gnu tar" do
         Puppet::Util.stubs(:which).with('gtar').returns('/usr/sfw/bin/gtar')
         Puppet::Util.expects(:execute).with("gtar xzf #{filename} -C #{build_dir}").returns(true)
+        Puppet::Util.expects(:execute).with("find #{build_dir} -type d -exec chmod 755 {} +").returns(true)
+        Puppet::Util.expects(:execute).with("find #{build_dir} -type f -exec chmod 644 {} +").returns(true)
+        Puppet::Util.expects(:execute).with("chown -R #{build_dir.stat.uid} #{build_dir}").returns(true)
         unpacker.run
       end