CFEngine Community / CFE-1831

cf-runagent options passed to cf-agent should be shell escaped

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.0
    • Component/s: cf-runagent
    • Labels:
      None

      Description

      One of the tenets of CFEngine is that no remote agent can execute commands on a host.

      But cf-runagent can (and presumably, for some time has been able to) bypass that tenet.

      E.g.:

      <pre>
      cf-runagent -H 198.51.100.37 -o '$(echo "VULNERABLE" > /tmp/vulnerable)'
      </pre>

      Then check /tmp/vulnerable on the target system.

      This doesn't allow a user to do anything other than what they are already allowed to do (e.g., must have root access on the hub, they could just as easily write commands promises), so I wouldn't necessarily classify this as a security issue. But it does violate the control model that CFEngine has defined.

      Proposal (for minor release, not patch):

      • Remove cf-runagent -o without replacement (both cf-serverd and cf-runagent)
      • Make cf-runagent -D stricter by allowing only one class to be passed, and validating that it matches the pattern of a class, e.g. "a-zA-Z0-9_", (both cf-serverd and cf-runagent)

              People

              Assignee:
              a10038 jimis (Dimitrios Apostolou)
              Reporter:
              bahamat Brian Bennett
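
The second proposal item above (accept exactly one class and check it against `a-zA-Z0-9_`), sketched in C as an added example; it is not CFEngine's code and not the fix that shipped in 3.7.0. The function names, the length limit, the `/path/to/cf-agent` placeholder and the use of `-D` on the agent side are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CLASS_LEN 256   /* assumed limit for this example, not CFEngine's */

/* Returns 1 only if s is one non-empty class name made solely of
 * [a-zA-Z0-9_]; a comma-separated list or any shell metacharacter fails. */
int is_valid_class_name(const char *s)
{
    if (s == NULL) return 0;
    size_t len = strlen(s);
    if (len == 0 || len > MAX_CLASS_LEN) return 0;
    /* strspn counts the leading run of allowed bytes; it must cover all of s. */
    return strspn(s, "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789_") == len;
}

/* Fills argv for a direct exec (no shell in between), so each element
 * reaches the program as one literal argument and is never re-parsed.
 * Returns argc, or -1 if the request is rejected. */
int build_agent_argv(const char *agent_path, const char *requested_class,
                     const char *argv[], size_t argv_cap)
{
    if (agent_path == NULL || argv == NULL || argv_cap < 4) return -1;
    if (!is_valid_class_name(requested_class)) return -1;
    argv[0] = agent_path;
    argv[1] = "-D";
    argv[2] = requested_class;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed samples; the second is the -o payload quoted in the issue. */
    const char *samples[] = { "nightly_run",
        "$(echo \"VULNERABLE\" > /tmp/vulnerable)", "a,b", "" };
    const char *argv[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               build_agent_argv("/path/to/cf-agent", samples[i], argv, 4) == 3
                   ? "accepted" : "rejected");
    return 0;
}
```

The check belongs on the receiving side as well as the sending side, as the proposal says for both cf-serverd and cf-runagent, because the receiver cannot assume the sender validated anything.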