Jira (PUP-11015) The "posix" provider of the "exec" resource does not fulfil the documentation


Felix (Jira)

Apr 6, 2021, 2:32:04 PM
to puppe...@googlegroups.com
Felix moved an issue
 
Puppet / Bug PUP-11015
The "posix" provider of the "exec" resource does not fulfil the documentation
Change By: Felix
Key: CPR-776 → PUP-11015
Project: Community Package Repository → Puppet
 
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Mihai Buzgau (Jira)

Apr 7, 2021, 1:35:05 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Apr 19, 2021, 6:51:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
The documentation for the posix provider states:
> Executes external binaries directly, without passing through a shell or performing any interpolation. This is a safer and more predictable way to execute most commands, but prevents the use of globbing and shell built-ins (including control logic like “for” and “if” statements).

This is not the case at all:

Consider this resource:

{code:puppet}
exec { 'testexec':
  command   => '/bin/echo $SHELL',
  logoutput => true,
}
{code}
or this:

{code:puppet}
exec { 'testexec':
  command   => '/bin/echo *',
  logoutput => true,
}
{code}

This logic seems to be triggered deep down in Ruby, which, when a single string is passed to "Kernel.exec", runs it without a shell only if it does not detect a shell special character or special word; see [https://github.com/ruby/ruby/blob/5f69a7f60467fa58c2f998daffab43e118bff36c/process.c#L2676]

So from my point of view the only difference between the "posix" and the "shell" provider seems to be that the "posix" provider tries to validate that the first "word" is an absolute path to an executable. Note that this validation is also a bit "misleading" or just incomplete/wrong. Consider this command:
{code:puppet}
exec { 'testexec':
  command   => '"/bin/echo"o *',
  logoutput => true,
}
{code}

This command will pass the validation (as the check will assume the command is "/bin/echo"); however, the command is "/bin/echoo", which does not exist.

Or, inversely, consider this:
{code:puppet}
exec { 'testexec':
  command   => '"/bin/ech"o *',
  logoutput => true,
}
{code}

The validation will reject execution, even though the command would execute perfectly well if it were allowed to run.

 

So please clarify what the benefits/differences between the "posix" and "shell" providers are, and correct the documentation accordingly. Is there any way to execute the command without a shell (i.e. specify the command as a string array)?
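
The Ruby behaviour the description refers to, as an added example that is not part of the original issue and is not Puppet's own code: the same two commands are run once as a single string and once as a program plus argument list. `DEMO_VALUE`, the helper names and the scratch files are assumptions made for the demo; `DEMO_VALUE` stands in for `$SHELL` so the output is deterministic, and `/bin/echo` and `/bin/sh` are assumed to exist.

```ruby
require 'open3'
require 'tmpdir'

# Constructed environment for the demo; DEMO_VALUE is a hypothetical variable
# standing in for $SHELL from the issue so the result is deterministic.
DEMO_ENV = { 'DEMO_VALUE' => 'expanded-by-shell' }.freeze

# One string: Ruby executes it directly only if it finds no shell
# metacharacters or reserved words; otherwise it runs it via /bin/sh -c.
def run_as_string(command, dir)
  out, _status = Open3.capture2(DEMO_ENV, command, chdir: dir)
  out.chomp
end

# Program plus argument list: never passes through a shell. The
# [program, argv0] pair keeps that true even when args is empty.
def run_as_argv(program, args, dir)
  out, _status = Open3.capture2(DEMO_ENV, [program, program], *args, chdir: dir)
  out.chomp
end

# Runs the issue's two commands both ways in a scratch directory holding
# two constructed files, and returns the captured output of each run.
def compare_forms
  Dir.mktmpdir do |dir|
    %w[a.txt b.txt].each { |name| File.write(File.join(dir, name), '') }
    {
      string_var:   run_as_string('/bin/echo $DEMO_VALUE', dir),
      argv_var:     run_as_argv('/bin/echo', ['$DEMO_VALUE'], dir),
      string_glob:  run_as_string('/bin/echo *', dir),
      argv_glob:    run_as_argv('/bin/echo', ['*'], dir),
      string_plain: run_as_string('/bin/echo plain words', dir)
    }
  end
end

compare_forms.each { |label, output| puts "#{label}: #{output}" } if __FILE__ == $PROGRAM_NAME
```

Only the argument-list form guarantees that a value embedded in the command reaches the program as one literal argument.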

Josh Cooper (Jira)

Apr 19, 2021, 6:55:01 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Apr 19, 2021, 6:55:02 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Unassigned

Felix (Jira)

May 18, 2021, 4:27:02 AM
to puppe...@googlegroups.com
Felix commented on Bug PUP-11015
 
Re: The "posix" provider of the "exec" resource does not fulfil the documentation

Hi, would you care to share any thoughts on this? I'd actually prefer this issue to be handled rather than letting it fall into oblivion, as this might on the one hand be very unexpected to Puppet users and on the other hand might actually constitute a security issue for Puppet users relying on the documentation when embedding not-completely-trusted values into commands during execution.
