| Currently tasks run with the run-as option rely on laying down a wrapper script to direct task input data over stdin. There are several issues with this approach, the first is that the wrapper script can contain sensitive data in clear text. A ticket describing an idea to minimize the time the wrapper script lives on disk has been filed under https://tickets.puppetlabs.com/browse/BOLT-1329 The second issue described has to do with file permissions of the wrapper script when run on the local transport which is ticketed under https://tickets.puppetlabs.com/browse/BOLT-1283 Instead of relying on the wrapper script we should investigate a solution that does not involve one. The solution should be able to safely pass the input data (even if it is very large) to the task over stdin even if it is ambigious whether a sudo password is required. The solution should avoid problems with passing the data over the bash CLI such as Argument list too long and exposing the sensitive data in the process list or in the shell history. A commit with some discussion and potential pitfalls is https://github.com/puppetlabs/bolt/pull/1109 From Nlew on slack:
The root issue is that there’s only one stdin, and both the password for sudo and the parameters of the task need to be on stdin. But the password should only be on stdin if sudo asks for it. But we don’t know how to conclusively determine that sudo doesn’t need the password.
So we skirt around that by wrapping the task executable in a script that also passes its stdin, so in the case where sudo doesn’t need the password, it will just start executing the script, which will pass stdin to the task.
Ansible’s solution is basically to instead run sudo 'echo "okay done with sudo, please pass stdin now"; /path/to/actual/task, and then it waits to see the “done with sudo” message before passing the task parameters on stdin |
