cmd.run is available to the pillar renderer - a potential security vulnerability

[deuscapturus]

Description of Issue/Question

cmd.run is available to the pillar renderer. This essentially gives anybody with access author a pillar access to run any command on the salt-master.

Steps to Reproduce Issue

pillar

#!jinja|yaml
{%- set expose_master_secret = salt['cmd.run']('gpg --homedir /etc/salt/gpgkeys/ --export-secret-keys --armor') %}
master-gpg-secret: |
  {{ expose_master_secret|indent(2) }}

Versions Report

Salt Version:
           Salt: 2016.11.3

[thatch45]

While I think this is a legitimate concern I can also argue that pillar content should only come from a trusted source.
But I do think that we should allow for shell commands to be disabled in pillar rendering

[deuscapturus]

Thanks @thatch45

I would like to see an option that would limit the pillar renderer to a white-list of modules. For example we only ever use grains.get for pillar rendering.

[thatch45]

Yes, I think this would be wise

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

[deuscapturus]

Still important to fix.

[stale]

Thank you for updating this issue. It is no longer marked as stale.

[eliasp]

While I think this is a legitimate concern I can also argue that pillar content should only come from a trusted source.

While the source might be trusted in terms of managing the infrastructure targeted by those Pillars, it might be not trusted at all to have access to the Master.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

[deuscapturus]

Still important. I do not see any documentation limiting pillar rendering.

This should be fixed or Salt should declare pillar authoring privilege to be the same as master privilege. If the latter is chosen it should be clearly documented.