A bug in Puppet gives unexpected and improper group privileges to execs and types/providers.
When executing commands as a different user, Puppet leaves the forked process with Puppet's own group permissions. Specifically:
- Puppet's primary group (usually root) is always present in a process's supplementary groups.
- When an `exec` resource has a specified `user` attribute but not a `group` attribute, Puppet will set its effective GID to Puppet's own GID (usually root).
- Permanently changing a process's UID and GID won't clear the supplementary groups, leaving the process with Puppet's own supplementary groups (usually including root).
This causes any untrusted code executed by a Puppet exec resource to be given unexpectedly high permissions.
- Resolved in Puppet 2.6.14 (source), 2.7.11 (source), rpm, deb
- Resolved in Puppet Enterprise 1.2.5 and 2.0.3
- Hotfixes available for Puppet Enterprise 1.0, 1.1, and 1.2.x