Jira (PUP-11436) No longer used files and directories should be cleaned on upgrade


Elaine McCloskey (Jira)

Jan 26, 2022, 7:52:01 AM
to puppe...@googlegroups.com
Elaine McCloskey created an issue
 
Puppet / Improvement PUP-11436
No longer used files and directories should be cleaned on upgrade
Issue Type: Improvement
Assignee: Unassigned
Created: 2022/01/26 4:51 AM
Priority: Normal
Reporter: Elaine McCloskey

There were changes to the location of files between Puppet 5 and Puppet 6 in Windows:

From https://github.com/puppetlabs/puppet-specifications/blob/master/file_paths.md#puppet-agent-6-windows

  • To make the paths in the Windows agent more consistent with other platforms, install paths have changed as follows:
    • The base of the ruby installation has moved from C:\Program Files\Puppet Labs\Puppet\sys\ruby to C:\Program Files\Puppet Labs\Puppet\puppet
    • Tools (like elevate.exe) have similarly moved from C:\Program Files\Puppet Labs\Puppet\sys\tools to C:\Program Files\Puppet Labs\Puppet\puppet\bin
    • The agent components facter, hiera, and pxp-agent no longer have their own dedicated install locations at C:\Program Files\Puppet Labs\Puppet\<component-name>; they are installed to the same prefix as other projects (C:\Program Files\Puppet Labs\Puppet\puppet)

Currently, on an upgrade from puppet 5 to puppet 6 these old files and directories are left in place. This results in issues such as security scanners flagging vulns in old versions that are no longer actually used.

Old files and directories no longer used should be cleaned up as part of the upgrade process. 

This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)

Elaine McCloskey (Jira)

Jan 26, 2022, 7:53:02 AM
to puppe...@googlegroups.com

Darren Gipson (Jira)

Jan 26, 2022, 8:03:02 AM
to puppe...@googlegroups.com
Darren Gipson commented on Improvement PUP-11436
 
Re: No longer used files and directories should be cleaned on upgrade

Given that leaving older files around will increase the likelihood of more security issues, please can you update all future Puppet agent installers to remove legacy folders if found on a system.

I.e., if we upgrade an Agent from 6->7 and the server previously had 5, then the upgrade process should clean up the mess that the previous upgrade left.

Josh Cooper (Jira)

Feb 1, 2022, 4:39:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Feb 28, 2022, 12:48:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-11436
 
Re: No longer used files and directories should be cleaned on upgrade

liam.sexton I don't believe the left behind files are a security concern because when puppet and pxp-agent services run, we explicitly manage their PATH environment variables to only include the new directory locations and trusted directories:

puppet

The puppet service hard codes the PATH as:

C:\Program Files\Puppet Labs\Puppet\puppet\bin;C:\Program Files\Puppet Labs\Puppet\bin;%PATH%

pxp-agent

The pxp-agent service PATH is specified in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pxp-agent\Parameters

PATH=C:\Program Files\Puppet Labs\Puppet\puppet\bin;%PATH%

So in theory there should only be an issue if one of the directories in the PATH included vulnerable components left over after the upgrade.

Since these directories:

"C:\program files\puppet labs\puppet\pxp-agent\bin" 
"C:\Program Files\Puppet Labs\Puppet\sys\ruby\bin"

are not in the PATH used by either service, it should not be a problem.

That said, I'd recommend cleaning those up, either through a custom module or as a feature request to the puppet_agent module.

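The check discussed in the thread, as an added example that is not part of the original messages or Puppet's own code: a report-only PowerShell audit that lists which Puppet 5 directories named above still exist and whether any PATH entry points into them. The function names and the way the PATH is located under the registry key are assumptions, and the machine PATH stands in for the %PATH% placeholder.

```powershell
# Added example: report-only audit, deletes nothing.
param(
    [string]$InstallRoot = 'C:\Program Files\Puppet Labs\Puppet',
    [string]$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\pxp-agent\Parameters'
)

# Puppet 5 locations that the Puppet 6 layout no longer uses (from file_paths.md).
$legacyRel = 'sys\ruby', 'sys\tools', 'facter', 'hiera', 'pxp-agent'

function Get-ServicePathEntries([string]$Key) {
    # Assumption: the PATH is stored either as a value named PATH or as a
    # "PATH=..." string inside some value under the key; both are handled.
    if (-not (Test-Path $Key)) { return @() }
    $props = (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        foreach ($v in @($p.Value)) {
            if ($p.Name -eq 'PATH') { "$v" -split ';' }
            elseif ("$v" -match '^PATH=(.*)$') { $Matches[1] -split ';' }
        }
    }
}

function Test-UnderLegacy([string]$Entry, [string[]]$LegacyDirs) {
    # True when a PATH entry is a legacy directory or sits below one.
    $e = $Entry.Trim().Trim('"').TrimEnd('\')
    foreach ($d in $LegacyDirs) {
        if ($e -ieq $d -or $e.StartsWith("$d\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$legacyDirs = $legacyRel | ForEach-Object { Join-Path $InstallRoot $_ }

# Assumption: %PATH% in the service setting expands to the machine-level PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$pathEntries = @(Get-ServicePathEntries $ServiceKey) + @("$machinePath" -split ';') |
    Where-Object { $_ }

foreach ($d in $legacyDirs) {
    [pscustomobject]@{
        LegacyDir     = $d
        Exists        = Test-Path -LiteralPath $d
        InServicePath = [bool]($pathEntries | Where-Object { Test-UnderLegacy $_ @($d) })
    }
}
```

A row with Exists true and InServicePath false matches the situation described in the last comment: leftover files that a scanner will flag but that the services do not search; a row with InServicePath true is the case that comment says could be an issue.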