New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ensure => latest now broken after CVE-2022-24765 patch. #535
Comments
I just tried the latest release from forge v5.0.0, and the issue still exists. |
Poking around a bit, I... suspect it's due to a disconnect between the ... in my instance, I was specifying just the |
That actually makes a lot of sense. In our case the we are cloning the repo as a different user than the owner by specifying identity => /home/user/.ssh/id_rsa. I cannot confirm this, but will test using a single user. |
I also see this issue on Ubuntu 20.04 and git 1:2.25.1-1ubuntu3.3. I'm seeing it in the voxpupuli/puppetboard module, that indeed employs the The problem shows itself when vcsrepo tries to work out if the working copy already exists, by running
root and as user ):
For git 1:2.25.1-1ubuntu3.3, the result when ran as My current workaround is to downgrade to git 1:2.25.1-1ubuntu3.2, and to mark the git package as 'held'. Perhaps not ideal, but at least puppet runs again. |
I seemed to have fixed this by replacing all the calls to When |
@normelton : In what version? In the latest ... if I read correctly, in |
To resolve for now, I've taken to rolling a monkey-patch wrapping around the ... not the most comfortable with it, but we can live with this for now... ... almost... feels like separate resources for these entries should be created in some manner, so they can be managed more explicitly? Or have some kind of tie-in? Some kind of more general |
Ahh so we were back at 3.1.1. Moving to 5.0.0 fixed our problem. Thanks!!! |
FYI: I upgraded to 5.0.0 too (was on 3.2.1/4.0.1), and like @thepro101 I'm still seeing the issue. If I run puppet with
|
Workaround of @mergwyn wont work if you have different user to run git from and actual owner / group. Example when it fails :
So, basically, problem persist when you tries to checkout as root, but repo should have different user/group ownership |
This was to test if it fixed puppetlabs/puppetlabs-vcsrepo#535 for us. It doesn't, but should be fine otherwise.
Rather than checking them out as root and then changing their ownership later. This avoids extra work and also works around puppetlabs/puppetlabs-vcsrepo#535.
I think that this has nothing to do with In my case, the checked-out directory belongs to a dedicated user account and I can confirm that using |
git 2.35.2 introduced a remidy for a CVE. as such you cannot execute to resolve this, each local worktree directory matching this condition must be whitelisted explicitly using the multi-value git setting safe.directory i have not looked into the git source, but it seems this settings receives a stricter treatment than other git configuration values, i.e. you cannot configure it on the commandline or the config of a local worktree. the error message suggest you set it on the global scope, which is the users home directory. the problem with this, is, that Puppet::Util::Execution.execute clears out certain environment variables when running commands; HOME being one of them. to fix this issue, two things need to be done:
TL;DR git 2.35.2 introduced a security feature, which requires a config setting to make this puppet module to continue to work in all configuration scenarios. the location of this setting is currently unreachable as it relies on the HOME environment variable being set, which puppet explicitly undefines. |
resolves voxpupuli/puppet-puppetboard#355 |
@gerardkok you are referring to this commit voxpupuli/puppet-puppetboard@1935f97 but it was released only recently (2 days ago), probably you where not using the code that use |
We might want to highlight this as I and a whole bunch of other people missed it the first few times reading this:
|
|
are there any fixes for this? the safe.directory did not work for me |
Where did you put it? We had to put it in the system config, not the global (root user) config. |
what's interesting is first run of puppet is ok, it creates the /home/www and brings the data in, any subsequent runs of puppet fails with: change from 'absent' to 'latest' failed: Path /home/www exists and is not the desired repository. (corrective) |
On our systems (RedHat and Ubuntu), it is just If you run What we are doing: [root@host ~]# git config --system -l
include.path=/etc/gitconfig.d/puppet
[root@host ~]# cat /etc/gitconfig.d/puppet
# This file is managed by Puppet. DO NOT EDIT.
[safe]
directory = /var/www/sites/wiki.example.com/code/mediawiki-1.35-LTS
directory = /var/www/sites/wiki.example.com/sites
directory = /var/www/sites/www.example.com/cms
directory = /var/www/sites/www.example.com/local-cgi-bin
[root@host ~]# Our Puppet manifests: https://gist.github.com/yakatz/1df458814dcbc6f2604a5a9d9f2073d4 |
I actually see your problem (and the manifest I mentioned above would help you) - don't use a trailing slash |
I have removed the trailing slash but still have the same error
code used
first time puppet runs it creates the dir with all data in it as expected, subsequent runs fail with above error |
What is the output of What is the output of What if you go to that directory and run The output from those steps should tell you exactly what is wrong. To confirm, does your
|
so both have the same output (as root and as www)
I think I found the problem, I use vcsrepo to clone two different repo's in the same /home/www repo1 to /home/www does vcsrepo support this ? |
@david-peters-aitch2o I just tested that and also had no issues. When you run as your |
Hey everyone 👋 . I'm going to be investigating this issue and will hopefully get a resolution soon. It's been great reading through all of the suggestions/investigation that everyone has been doing. I think this is a tricky one given that the issue was caused by a CVE remediation. We need to be mindful that we do not re-introduce a vulnerability again (e.g blanket allow). I see that there are a few suggestions for using the system wide I'll do some more research and hopefully will update next week! |
As long as the For us, Puppet is cloning most repositories as Separately, this has caused us to reevaluate whether things should really be pushed out with |
We can easily add |
If managing |
Hey everyone! Just wanted to post a quick update. Here is a very early PR with a fix for this issue: #549 @yakatz I liked your suggestion of adding a new parameter. I liked that it was an explicit choice for the user. There are a couple of things with the git versions that I need to think about. For example, the patched version of git that introduces the CVE mitigation is 2.35.1 however on ubuntu this has been back-ported in to 1:2.25.1-1ubuntu3.4. This means that we can't just do a version compare and apply config if git is above a certain version. Also I would have liked to have introduced a new property for this given that it is a measurable "thing" on the system. However, the type has ensurable values that call |
In addition to the above, the team has been talking about the possibilities of moving git back out in to its own module. There are a few of benefits here, mainly:
There is an archived git module which has some cool stuff we could lean from. Let us know what you think! |
Prior to this commit, users running newer versions of Git and setting the `owner` parameter on a resource would encounter an error during puppet runs. This commit fixes the issue by allowing users to add the path of the resources to Gits global `safe.directoy` configuration. This can be achieved by specifying `safe_directory => true` on a resource.
This commit adds a section to the README that briefly describes the CVE and our mitigation to errors caused by it's remediation in later Git versions.
Prior to this commit, users running newer versions of Git and setting the `owner` parameter on a resource would encounter an error during puppet runs. This commit fixes the issue by allowing users to add the path of the resources to Gits global `safe.directoy` configuration. This can be achieved by specifying `safe_directory => true` on a resource.
This commit adds a section to the README that briefly describes the CVE and our mitigation to errors caused by it's remediation in later Git versions.
This CVE patch was released on Debian Buster in the past few days, causing breakage there on system puppet (5.5.10-4). There doesn't seem to be a patch available for vcsrepo 3.2.1, the latest with Puppet 5 support. I'm not sure why my Bullseye machines don't seem to be affected. As a workaround, this WFM: once:
and then in my project-handling class:
|
Now affecting Bullseye (-security) as well - same workaround is effective as of:
|
Describe the Bug
After applying the patch for git on both ubuntu 18.04 and ubuntu 20.04 machines, puppet runs now fail.
change from 'absent' to 'latest' failed: Path /destination/path exists and is not the desired repository. (corrective)
Expected Behavior
Successful puppet run by cloning the desired repo to the desired location
Steps to Reproduce
update git to 1:2.25.1-1ubuntu3.3 on 20.04 and rerun puppet.
Environment
The text was updated successfully, but these errors were encountered: