Bug #3033

Using temporary files in /tmp to comunicate with child processes is problematic in SELinux

Added by Markus Roberts about 2 years ago. Updated about 1 year ago.

Status:Investigating Start date:01/12/2010
Priority:Normal Due date:
Assignee:- % Done:

0%
Category:exec
Target version:-
Affected Puppet version:0.25.2 Branch:
Keywords:
Votes: 0

Description

The present approach is necessitated by the more common / severe locking and race conditions that arise when trying to implement a cross-platform solution based on pipes (see related tickets, below).

There are two possible solutions here, both should be explored:

  • Try to diagnose why the code developed on #3013 failed as described on #3025
  • Perhaps more pragmatically, see if moving the temp files presently used in lieu of pipes to some other directory would placate SELinux.

0001-Use-a-pipe-instead-of-a-temp-file-for-command-output.patch (6.4 kB) Ricky Zhou, 05/17/2010 03:49 am

Related issues

related to Puppet - Bug #1563: [PATCH] Change Util::Execute to use pipes instead of temp... Duplicate 09/07/2008
related to Puppet - Bug #3013: util.rb:execute broken on Ruby <1.8.3 Closed 01/07/2010
related to Puppet - Bug #2997: Puppet hangs on executable under HP-UX Closed 12/30/2009
related to Puppet - Bug #2731: problem communicating with processes in SELinux Closed 10/16/2009
related to Puppet - Bug #3025: apt and aptitude providers dont work on Debian Lenny / pu... Closed 01/10/2010
related to Puppet - Bug #3023: Tests needed to show that "exec"ed scripts don't get pare... Closed 01/08/2010
related to Puppet - Feature #410: Puppet::Util#execute needs to support a timeout Closed

History

#1
Updated by Todd Zullinger about 2 years ago

Markus, using another directory would indeed help ease SELinux concerns AFAIK. As Dan Walsh (the main selinux-policy maintainer for RHEL and Fedora noted in “Fedora bug #553565”:https://bugzilla.redhat.com/show_bug.cgi?id=553565:

Make it simple, if you are running a process as root, DONT write to a directory where processes running as NON ROOT can muck around. UNLESS it is APSOLUTELY Necessary.

Users are evil. :)

A similar bug is what prompted us to inquire about tightening the permissions on /var/run/puppet, which defaults to 1777. We now patch that in the packages for Fedora and EPEL, as we can ensure that the needed user/group exists.

If puppet were to use a dir that only the puppet user had write access to for such files, I believe that would allow selinux-policy to allow the actions it is now denying. If everything using files in /tmp used the Tempfile module, we could perhaps even just set the TMPDIR env variable and make it easily configurable for folks.

#2
Updated by James Turnbull about 2 years ago

  • Target version changed from 0.25.4 to 0.25.5

#3
Updated by James Turnbull almost 2 years ago

  • Target version changed from 0.25.5 to 49

#4
Updated by Ricky Zhou over 1 year ago

Hi, sorry I stopped updating this for the past few months. I have more time to keep looking into it now. Here is the most recent patch that I have for this issue (it is basically a retyped copy of the latest patch we were discussing on ticket #3013).

I’m lost in all the tickets surrounding this issue right now – can anybody remember which test/use case this version fails? Looking at the code, there should only be one situation where it is possible for this code to hang forever after the child is finished executing—-if the program that is being executed forks and exits, and its forked child continues writing to stdout/stderr, the select will continue to succeed and cause output to continue to be read continuously. This is a pretty pathological (and hopefully rare) case though.

#5
Updated by James Turnbull about 1 year ago

  • Target version deleted (49)

Also available in: Atom PDF