CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [15.2.0](https://github.com/theforeman/puppet-foreman_proxy/tree/15.2.0) (2020-09-23)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/15.1.0...15.2.0)
+
+**Implemented enhancements:**
+
+- Fixes [\#30489](https://projects.theforeman.org/issues/30489) - CVE-2020-14335 world-readable OMAPI [\#614](https://github.com/theforeman/puppet-foreman_proxy/pull/614) ([ezr-ondrej](https://github.com/ezr-ondrej))
+- Fixes [\#30489](https://projects.theforeman.org/issues/30489) - CVE-2020-14335 dhcpd.conf permissions [\#615](https://github.com/theforeman/puppet-foreman_proxy/pull/615) ([ezr-ondrej](https://github.com/ezr-ondrej))
+
+**Fixed bugs:**
+
+- Fixes [\#30072](https://projects.theforeman.org/issues/30072) - update grub default template [\#598](https://github.com/theforeman/puppet-foreman_proxy/pull/598) ([lzap](https://github.com/lzap))
+
 ## [15.1.0](https://github.com/theforeman/puppet-foreman_proxy/tree/15.1.0) (2020-08-20)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/15.0.0...15.1.0)

HISTORY.md

@@ -1,3 +1,16 @@
+## [15.2.0](https://github.com/theforeman/puppet-foreman_proxy/tree/15.2.0) (2020-09-23)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/15.1.0...15.2.0)
+
+**Implemented enhancements:**
+
+- Fixes [\#30489](https://projects.theforeman.org/issues/30489) - CVE-2020-14335 world-readable OMAPI [\#614](https://github.com/theforeman/puppet-foreman_proxy/pull/614) ([ezr-ondrej](https://github.com/ezr-ondrej))
+- Fixes [\#30489](https://projects.theforeman.org/issues/30489) - CVE-2020-14335 dhcpd.conf permissions [\#615](https://github.com/theforeman/puppet-foreman_proxy/pull/615) ([ezr-ondrej](https://github.com/ezr-ondrej))
+
+**Fixed bugs:**
+
+- Fixes [\#30072](https://projects.theforeman.org/issues/30072) - update grub default template [\#598](https://github.com/theforeman/puppet-foreman_proxy/pull/598) ([lzap](https://github.com/lzap))
+
 ## [15.1.0](https://github.com/theforeman/puppet-foreman_proxy/tree/15.1.0) (2020-08-20)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/15.0.0...15.1.0)

files/grub.cfg

@@ -1,35 +1,11 @@
-# This file was deployed by Puppet and is under Smart Proxy control. Click on
-# "Build PXE Default" button to overwrite it. Puppet is prevented from managing this
-# file by default, this can be enforced via --foreman-proxy-tftp-replace-grub2-cfg
-# foreman-installer option or Puppet parameter.
-
-insmod regexp
-
-# On Debian/Ubuntu grub2 does not have patch for loading MAC-based configs. Also, due to a bug
-# in RHEL 7.4, files are loaded with an extra ":" character at the end. This works around both
-# cases, and makes sure "regexp.mod" file is present on the TFTP server. For more info see:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1370642#c70
-regexp --set=1:m1 --set=2:m2 --set=3:m3 --set=4:m4 --set=5:m5 --set=6:m6 '^([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})\:([0-9a-f]{1,2})' "$net_default_mac"
-mac=${m1}-${m2}-${m3}-${m4}-${m5}-${m6}
-configfile=/grub2/grub.cfg-01-$mac
-source "$configfile"
-
-# If MAC-specific config is not found, attempt to boot from local drive.
-
-default=local_chain_hd0
-timeout=20
-
-menuentry 'Chainload into BIOS bootloader on first disk' --id local_chain_hd0 {
-  set root=(hd0,0)
-  chainloader +1
-}
-
-menuentry 'Chainload into BIOS bootloader on second disk' --id local_chain_hd1 {
-  set root=(hd1,0)
-  chainloader +1
-}
-
-menuentry 'Third disk - for EFI or Discovery click on Build PXE Default'' --id local_chain_hd2 {
-  set root=(hd2,0)
-  chainloader +1
-}
+echo "This system was not recognized by Foreman."
+echo ""
+echo "Click on 'Build PXE Default' in the Foreman interface"
+echo "to create the default global grub.cfg configuration."
+echo ""
+echo "The system will attempt to chainload from first HDD"
+echo "in 10 minutes..."
+echo ""
+sleep 600
+set root=(hd0,0)
+chainloader +1

manifests/params.pp

@@ -58,7 +58,7 @@
 
       $dhcp_config = '/etc/dhcp/dhcpd.conf'
       $dhcp_leases = '/var/lib/dhcp/dhcpd.leases'
-      $dhcp_manage_acls = false
+      $dhcp_manage_acls = true
 
       $keyfile  = '/etc/bind/rndc.key'
       $nsupdate = 'dnsutils'

manifests/proxydhcp.pp

@@ -31,14 +31,31 @@
     $failover = undef
   }
 
+  if $foreman_proxy::dhcp_manage_acls {
+    $conf_dir_mode = '0750'
+  } else {
+    # CVE-2020-14335 - if there is a DHCP omapi key set, it may end up being world readable
+    case $facts['os']['family'] {
+      'RedHat': {
+        warning('support for dhcp without acls is deprecated, dhcp config may end up unreadable to the smart-proxy')
+      }
+      'Debian': {
+        warning('support for dhcp without acls is deprecated, your dhcp OMAPI key may end up world readable')
+      }
+      default: {}
+    }
+    $conf_dir_mode = undef
+  }
+
   class { 'dhcp':
-    dnsdomain   => $foreman_proxy::dhcp_option_domain,
-    nameservers => $nameservers,
-    interfaces  => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
-    pxeserver   => $ip,
-    pxefilename => $foreman_proxy::dhcp_pxefilename,
-    omapi_name  => $foreman_proxy::dhcp_key_name,
-    omapi_key   => $foreman_proxy::dhcp_key_secret,
+    dnsdomain     => $foreman_proxy::dhcp_option_domain,
+    nameservers   => $nameservers,
+    interfaces    => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
+    pxeserver     => $ip,
+    pxefilename   => $foreman_proxy::dhcp_pxefilename,
+    omapi_name    => $foreman_proxy::dhcp_key_name,
+    omapi_key     => $foreman_proxy::dhcp_key_secret,
+    conf_dir_mode => $conf_dir_mode,
   }
 
   ::dhcp::pool{ $facts['networking']['domain']:
@@ -53,14 +70,12 @@
 
   if $foreman_proxy::dhcp_manage_acls {
 
-    package {'acl':
-      ensure => 'installed',
-    }
+    ensure_packages(['grep', 'acl'])
 
-    ['/etc/dhcp', '/var/lib/dhcpd'].each |$path| {
+    [$dhcp::dhcp_dir, dirname($foreman_proxy::dhcp_leases)].each |$path| {
       exec { "Allow ${foreman_proxy::user} to read ${path}":
         command => "setfacl -R -m u:${foreman_proxy::user}:rx ${path}",
-        path    => '/usr/bin',
+        path    => ['/bin', '/usr/bin'],
         unless  => "getfacl -p ${path} | grep user:${foreman_proxy::user}:r-x",
         require => Package['acl'],
       }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman_proxy",
-  "version": "15.1.0",
+  "version": "15.2.0",
   "author": "theforeman",
   "summary": "Foreman Smart Proxy configuration",
   "license": "GPL-3.0+",
@@ -24,7 +24,7 @@
     },
     {
       "name": "theforeman/dhcp",
-      "version_requirement": ">= 1.3.0 < 7.0.0"
+      "version_requirement": ">= 6.1.0 < 7.0.0"
     },
     {
       "name": "theforeman/foreman",

spec/acceptance/netboot_spec.rb

@@ -22,6 +22,6 @@
 
   describe file('/tmp/downloaded_file') do
     it { should be_file }
-    its(:content) { should match(/This file was deployed by Puppet and is under Smart Proxy control/) }
+    its(:content) { should match(/This system was not recognized by Foreman/) }
   end
 end

spec/classes/foreman_proxy__proxydhcp__spec.rb

@@ -18,6 +18,17 @@
         }
       end
 
+      let(:leases_dir) {
+        case facts[:osfamily]
+        when 'RedHat'
+          '/var/lib/dhcpd'
+        when 'Debian'
+          '/var/lib/dhcp'
+        else
+          '/var/db/dhcpd'
+        end
+      }
+
       context "on physical interface" do
         let :facts do
           facts.merge(
@@ -53,18 +64,20 @@
         context "as manager of ACLs for dhcp", unless: ['FreeBSD', 'DragonFly'].include?(facts[:osfamily]) do
           let(:params) { super().merge(dhcp_manage_acls: true) }
 
+          it { is_expected.to contain_class('dhcp').with_conf_dir_mode('0750') }
+
           it do should contain_exec('Allow foreman-proxy to read /etc/dhcp').
             with_command("setfacl -R -m u:foreman-proxy:rx /etc/dhcp")
           end
 
-          it do should contain_exec('Allow foreman-proxy to read /var/lib/dhcpd').
-            with_command("setfacl -R -m u:foreman-proxy:rx /var/lib/dhcpd")
+          it do should contain_exec("Allow foreman-proxy to read #{leases_dir}").
+            with_command("setfacl -R -m u:foreman-proxy:rx #{leases_dir}")
           end
         end
 
-        context "as manager of ACLs for dhcp for RedHat only by default" do
+        context "as manager of ACLs for dhcp for RedHat and Debian by default" do
           case facts[:osfamily]
-          when 'RedHat'
+          when 'RedHat', 'Debian'
             it do should contain_exec('Allow foreman-proxy to read /etc/dhcp').
               with_command('setfacl -R -m u:foreman-proxy:rx /etc/dhcp').
               with_unless('getfacl -p /etc/dhcp | grep user:foreman-proxy:r-x')
@@ -74,13 +87,13 @@
           end
 
           case facts[:osfamily]
-          when 'RedHat'
-            it do should contain_exec('Allow foreman-proxy to read /var/lib/dhcpd').
-              with_command("setfacl -R -m u:foreman-proxy:rx /var/lib/dhcpd").
-              with_unless('getfacl -p /var/lib/dhcpd | grep user:foreman-proxy:r-x')
+          when 'RedHat', 'Debian'
+            it do should contain_exec("Allow foreman-proxy to read #{leases_dir}").
+              with_command("setfacl -R -m u:foreman-proxy:rx #{leases_dir}").
+              with_unless("getfacl -p #{leases_dir} | grep user:foreman-proxy:r-x")
             end
           else
-            it { should_not contain_exec('Allow foreman-proxy to read /var/lib/dhcpd') }
+            it { should_not contain_exec("Allow foreman-proxy to read #{leases_dir}") }
           end
         end