Jira (PUP-5704) The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

[Alexander Kurtz (JIRA)]

Alexander Kurtz created an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't Issue Type: Bug Affects Versions: PUP 3.8.4 Assignee: Unassigned Created: 2016/01/12 4:46 AM Environment: Debian Testing (stretch) with Puppet 3.8.4 Priority: Normal Reporter: Alexander Kurtz This issue was first reported here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786 Hi, the puppet type reference describes the "posix" provider of the "exec" resource like this: [0] posix Executes external binaries directly, without passing through a shell or performing any interpolation. This is a safer and more predictable way to execute most commands, but prevents the use of globbing and shell built-ins (including control logic like “for” and “if” statements). However: cat manifest.pp $input = 'foo; if false; then exit 23; else exit 42; fi' exec { "/bin/echo $ {input} ": provider => 'posix', } puppet apply manifest.pp Notice: Compiled catalog for shepard.kurtz.be in environment production in 0.04 seconds Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Notice: Finished catalog run in 0.08 seconds I'm not really sure what to make of this, but it seems... unexpected. What do you guys think? Best regards Alexander Kurtz Add Comment

This message was sent by Atlassian JIRA (v6.4.12#64027-sha1:e3691cc)

[Alexander Kurtz (JIRA)]

Alexander Kurtz updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Alexander Kurtz This issue was first reported here: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786|https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786]

Hi, the puppet type reference describes the "posix" provider of the "exec" resource like this: [0] posix Executes external binaries directly, without passing through a shell or performing any interpolation. This is a safer and more predictable way to execute most commands, but prevents the use of globbing and shell built-ins (including control logic like “for” and “if” statements). However:

# cat manifest.pp

$input = 'foo; if false; then exit 23; else exit 42; fi'

exec { "/bin/echo ${input}": provider => 'posix', }

# puppet apply manifest.pp

Notice: Compiled catalog for shepard.kurtz.be in environment production in 0.04 seconds Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Notice: Finished catalog run in 0.08 seconds

#

I'm not really sure what to make of this, but it seems... unexpected. What do you guys think? Best regards Alexander Kurtz

Add Comment

[Alexander Kurtz (JIRA)]

Alexander Kurtz updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't Change By: Alexander Kurtz

This issue was first reported here: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786 |https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786 ] Hi, the puppet type reference describes the "posix" provider of the "exec" resource like this: [0] posix Executes external binaries directly, without passing through a shell or performing any interpolation. This is a safer and more predictable way to execute most commands, but prevents the use of globbing and shell built-ins (including control logic like “for” and “if” statements). However:

root@shepard:~ # cat manifest.pp

$input = 'foo; if false; then exit 23; else exit 42; fi' exec { "/bin/echo ${input}": provider => 'posix', }

root@shepard:~ # puppet apply manifest.pp

Notice: Compiled catalog for shepard.kurtz.be in environment production in 0.04 seconds Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Notice: Finished catalog run in 0.08 seconds

root@shepard:~ #

I'm not really sure what to make of this, but it seems... unexpected. What do you guys think? Best regards Alexander Kurtz

[0] [https://docs.puppetlabs.com/references/3.8.latest/type.html#exec-provider-posix]

Add Comment

[Markus Frosch (JIRA)]

Markus Frosch commented on PUP-5704

Re: The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't I guess this is related to [1], due to abstraction. The command is expanded earlier, but than ran flat with sh. [1] https://github.com/puppetlabs/puppet/blob/master/lib/puppet/util/execution.rb#L273

Add Comment

[Alexander Kurtz (JIRA)]

Alexander Kurtz commented on PUP-5704

Re: The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

This still happens with Puppet 4.5.0: {{root@shepard:~# puppet --version 4.5.0 root@shepard:~# cat manifest.pp

$input = 'foo; if false; then exit 23; else exit 42; fi'

exec { "/bin/echo $ {input} ": provider => 'posix', } root@shepard:~# puppet apply manifest.pp Notice: Compiled catalog for shepard in environment production in 0.08 seconds

Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0]

Notice: Applied catalog in 0.05 seconds root@shepard:~#}}

Add Comment

This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)

[Alexander Kurtz (JIRA)]

Alexander Kurtz updated an issue

Puppet / PUP-5704

The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Alexander Kurtz Affects Version/s: PUP 4.5.0

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

ping Kylo Ginsberg Change By: Henrik Lindberg Scrum Team: Client Platform

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Josh Cooper This issue was first reported here: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809786]

Hi, the puppet type reference describes the "posix" provider of the "exec" resource like this: [0] posix Executes external binaries directly, without passing through a shell or performing any interpolation. This is a safer and more predictable way to execute most commands, but prevents the use of globbing and shell built-ins (including control logic like “for” and “if” statements). However:

{noformat}

root@shepard:~# cat manifest.pp  $input = 'foo; if false; then exit 23; else exit 42; fi' exec { "/bin/echo ${input}": provider => 'posix', } root@shepard:~# puppet apply manifest.pp

Notice: Compiled catalog for shepard.kurtz.be in environment production in 0.04 seconds

Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0]

Notice: Finished catalog run in 0.08 seconds root@shepard:~#

{noformat}

I'm not really sure what to make of this, but it seems... unexpected. What do you guys think? Best regards Alexander Kurtz [0] [https://docs.puppetlabs.com/references/3.8.latest/type.html#exec-provider-posix]

Add Comment

[Alexander Kurtz (JIRA)]

Alexander Kurtz updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Alexander Kurtz Affects Version/s: PUP 4.8.0

Add Comment

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

[Alexander Kurtz (JIRA)]

Alexander Kurtz commented on PUP-5704

Re: The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't Still happens with Puppet 4.8.0: {{ root@shepard:~# puppet --version 4.8.0

root@shepard:~# cat manifest.pp $input = 'foo; if false; then exit 23; else exit 42; fi'

exec { "/bin/echo $ {input}

": provider => 'posix', } root@shepard:~# puppet apply manifest.pp

Notice: Compiled catalog for shepard.informatik.tu-muenchen.de in environment production in 0.17 seconds

Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0]

Notice: Applied catalog in 0.05 seconds root@shepard:~# }}

Add Comment

[Alexander Kurtz (JIRA)]

Alexander Kurtz commented on PUP-5704

Re: The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Still happens with Puppet 4.8.2: root@shepard:~# puppet --version 4.8.2

root@shepard:~# cat manifest.pp $input = 'foo; if false; then exit 23; else exit 42; fi'

exec { "/bin/echo $ {input}

": provider => 'posix', } root@shepard:~# puppet apply manifest.pp

Notice: Compiled catalog for shepard in environment production in 0.17 seconds

Notice: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: foo Error: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0] Error: /Stage[main]/Main/Exec[/bin/echo foo; if false; then exit 23; else exit 42; fi]/returns: change from notrun to 0 failed: /bin/echo foo; if false; then exit 23; else exit 42; fi returned 42 instead of one of [0]

Notice: Applied catalog in 0.09 seconds root@shepard:~#

Add Comment

[Alexander Kurtz (JIRA)]

Alexander Kurtz updated an issue

Puppet / PUP-5704

The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Alexander Kurtz Affects Version/s: PUP 4.8.2

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Henrik Lindberg Labels: triaged

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-5704 The "posix" provider of the "exec" resource seems to invoke a shell even though the documentation says it doesn't

Change By: Josh Cooper Security: Confidential

Add Comment

This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)