Overview

CVE-2012-1053 (Local Group Privilege Escalation)

A bug in Puppet gives unexpected and improper group privileges to execs and types/providers.

When executing commands as a different user, Puppet leaves the forked process with Puppet's own group permissions. Specifically:

  • Puppet's primary group (usually root) is always present in a process's supplementary groups.
  • When an `exec` resource specifies a `user` attribute but not a `group` attribute, Puppet sets the forked process's effective GID to Puppet's own GID (usually root).
  • Permanently changing a process's UID and GID won't clear the supplementary groups, leaving the process with Puppet's own supplementary groups (usually including root).

This causes any untrusted code executed by a Puppet exec resource to be given unexpectedly high permissions.
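The three conditions above can be checked from a process's credentials. The following is an added example, not Puppet's code or its fix: `audit_groups` reads the `Gid` and `Groups` lines of a `/proc/<pid>/status` snapshot and reports any group the process should not hold, and `drop_privileges` shows a drop order that clears inherited groups. The function names, the uid/gid 1001 and the sample snapshots are assumptions constructed for illustration.

```ruby
require 'etc'

# Constructed samples of /proc/<pid>/status for a child meant to run as
# uid/gid 1001. Gid columns are real, effective, saved, filesystem.
LEAKY = <<~STATUS
  Name:   sh
  Uid:    1001 1001 1001 1001
  Gid:    0 0 0 0
  Groups: 0 1001
STATUS

CLEAN = <<~STATUS
  Name:   sh
  Uid:    1001 1001 1001 1001
  Gid:    1001 1001 1001 1001
  Groups: 1001
STATUS

# Report every GID the process holds beyond the ones it is supposed to have.
def audit_groups(status_text, allowed_gids)
  fields = {}
  status_text.each_line do |line|
    key, value = line.split(':', 2)
    fields[key] = value.split.map(&:to_i) if %w[Gid Groups].include?(key)
  end
  {
    unexpected_gids: fields.fetch('Gid').uniq - allowed_gids,
    unexpected_groups: fields.fetch('Groups', []).uniq - allowed_gids
  }
end

# Drop order that leaves nothing behind: supplementary groups, then GID,
# then UID (once the UID is dropped the group calls would fail).
# Needs root, so it is defined here but not called.
def drop_privileges(username)
  pw = Etc.getpwnam(username)
  Process.initgroups(username, pw.gid)   # replaces the inherited group list
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
  raise 'GID not dropped' unless [Process.gid, Process.egid] == [pw.gid, pw.gid]
end

p audit_groups(LEAKY, [1001])
p audit_groups(CLEAN, [1001])
```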

Status

  • Resolved in Puppet 2.6.14 (source), 2.7.11 (source), rpm, deb
  • Resolved in Puppet Enterprise 1.2.5 and 2.0.3
  • Hotfixes available for Puppet Enterprise 1.0, 1.1, and 1.2.x

Hotfixes