CFEngine Community / CFE-2781

cf-serverd should properly handle closing open quotes when EOF is seen in cfruncommand

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.7.3, 3.10.0, 3.7.7
    • Fix Version/s: 3.10.0, 3.12.0
    • Component/s: cf-serverd

      Description

      cf-serverd in 3.7.x should properly terminate open quotes when reaching EOF in cfruncommand as happens in 3.10.x

      Manual Testing Procedure

      I spun up a 3.10.3 hub with 3.7.3, 3.7.7 and 3.10.3 remote agents running the stock 3.10.3 MPF.

      From the hub I did a runagent against the 3.7.3 agent.

       verbose: Server is TRUSTED, received key 'SHA=a97346372843a7dee5f58980a9c88bca36538022b48c2e618590a04b0c07a76a' MATCHES stored one.
      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                 "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf  ;
                                 "/var/cfengine/bin/cf-agent" -I -Dcfruncommand
      192.168.33.3> -> sh: -c: line 0: unexpected EOF while looking for matching `''
      192.168.33.3> -> sh: -c: line 3: syntax error: unexpected end of file
       verbose: Connection to 192.168.33.3 is closed
      

      From the hub I did a runagent against the 3.7.7 agent.

      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf  ;
                                "/var/cfengine/bin/cf-agent" -I -Dcfruncommand
      192.168.33.3> -> sh: -c: line 0: unexpected EOF while looking for matching `''
      192.168.33.3> -> sh: -c: line 3: syntax error: unexpected end of file
      verbose: Connection to 192.168.33.3 is closed
      

      From the hub I did a runagent against a 3.10.3 agent.

      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf  ;
                                "/var/cfengine/bin/cf-agent" -I -D cfruncommand
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/passwd' (SHA=8580c7f630bb7cb7252e9e1f7e129eb9c591f4c4132261ca76ebfb66f8f6c59c)
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/group' (SHA=665c4e56c7ff3e5fcd19a937ff40208d16c8fd9371a7e779feb3e33d8de0719d)
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/services' (SHA=f0c4af9261e7e6193db0bbb8f335c0f0c094d8d7aa428e5d8cbb674f2e13b2ef)
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/shadow' (SHA=8be6b00d56db641797111598a203dd80b6a285802c14c3155d4e1bceca7f57b0)
      verbose: Connection to 192.168.33.3 is closed
      You have new mail in /var/spool/mail/root
      

      I applied the patch where on 3.7 the quote is terminated explicitly, and because -I -Dcfruncommand is supposed to be appended by default, I modified services/main.cf to report when cfruncommand was defined.

      reports:
        cfruncommand::
          "Executed by cf-runagent (I see that cfruncommand is a defined class)";
      
       verbose: Server is TRUSTED, received key 'SHA=a97346372843a7dee5f58980a9c88bca36538022b48c2e618590a04b0c07a76a' MATCHES stored one.
      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                 "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf  ;
                                 "/var/cfengine/bin/cf-agent" ' -I -Dcfruncommand
      192.168.33.3> ->    error: Specifying input files is not allowed for remote execution
       verbose: Connection to 192.168.33.3 is closed
      

      In the above output we can see that indeed -I -Dcfruncommand is appended to cfruncommand after the closing quote. Unfortunately, since it comes AFTER the closing quote, it isn't considered an option to the command. Instead the agent errors and tells you that it's not possible to specify input files for remote execution.

      So, I adjusted cfruncommand to define -I -Dcfruncommand inside of the closing quote.

      !windows.cfengine_3_7::
      
        # 3.7 doesn't support specifying the remote bundlesequence and does not
        # know to add a trailing single quote so it must be accounted for here.
        # 3.7.x Automatically appends -I -Dcfruncommand to the cfruncommand
      
          cfruncommand => "$(def.cf_runagent_shell) -c \'
                             $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path)  ;
                             $(sys.cf_agent) -I -Dcfruncommand\'";
      

      I got this result when executing cf-runagent from the hub.

      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                 "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf  ;
                                 "/var/cfengine/bin/cf-agent" -I -Dcfruncommand' -I -Dcfruncommand
      192.168.33.3> ->    error: Specifying input files is not allowed for remote execution
      192.168.33.3> -> R: Executed by cf-runagent (I see that cfruncommand is a defined class)
      

      We can see that the agent still complained about not allowing remote execution to specify input files, but importantly we see that the policy was actually executed and that cfruncommand was defined as desired.

      The auto appending of -I -Dcfruncommand in 3.7.x seems to be useless since 3.7.x is not able to close the quote implicitly like we can in 3.10.x.

       verbose: Server is TRUSTED, received key 'SHA=5934f85e77fa1636365761bacf4c7827bec87f547cc0c95ac81292e45ccbe341' MATCHES stored one.
      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                 "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf  ;
                                 "/var/cfengine/bin/cf-agent" -I -Dcfruncommand' -I -Dcfruncommand
      192.168.33.3> ->    error: Specifying input files is not allowed for remote execution
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/passwd' (SHA=8580c7f630bb7cb7252e9e1f7e129eb9c591f4c4132261ca76ebfb66f8f6c59c)
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/group' (SHA=665c4e56c7ff3e5fcd19a937ff40208d16c8fd9371a7e779feb3e33d8de0719d)
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/services' (SHA=f0c4af9261e7e6193db0bbb8f335c0f0c094d8d7aa428e5d8cbb674f2e13b2ef)
      192.168.33.3> ->   notice: Storing sha256 hash for '/etc/shadow' (SHA=8be6b00d56db641797111598a203dd80b6a285802c14c3155d4e1bceca7f57b0)
      192.168.33.3> -> R: Executed by cf-runagent (I see that cfruncommand is a defined class)
      

      And we see that it works fine in 3.10.3 -> 3.10.3

       verbose: Server is TRUSTED, received key 'SHA=a23be6f85cf3660b4c5a82b3d465a8fcb3ccb8906c88d4a2ac30285021d8d591' MATCHES stored one.
      192.168.33.3> cf-serverd executing cfruncommand: /bin/sh -c '
                                 "/var/cfengine/bin/cf-agent" -I -D cfruncommand -f /var/cfengine/inputs/update.cf ;
                                 "/var/cfengine/bin/cf-agent" -I -D cfruncommand
      192.168.33.3> -> notice: Storing sha256 hash for '/etc/passwd' (SHA=8580c7f630bb7cb7252e9e1f7e129eb9c591f4c4132261ca76ebfb66f8f6c59c)
      192.168.33.3> -> notice: Storing sha256 hash for '/etc/group' (SHA=665c4e56c7ff3e5fcd19a937ff40208d16c8fd9371a7e779feb3e33d8de0719d)
      192.168.33.3> -> notice: Storing sha256 hash for '/etc/services' (SHA=f0c4af9261e7e6193db0bbb8f335c0f0c094d8d7aa428e5d8cbb674f2e13b2ef)
      192.168.33.3> -> notice: Storing sha256 hash for '/etc/shadow' (SHA=8be6b00d56db641797111598a203dd80b6a285802c14c3155d4e1bceca7f57b0)
      192.168.33.3> -> R: Executed by cf-runagent (I see that cfruncommand is a defined class)
       verbose: Connection to 192.168.33.3 is closed
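
The quoting behaviour reported above can be reproduced outside CFEngine. This is an added example, not code from the reporter or the CFEngine project; `agent` is a constructed stand-in for cf-agent and the command strings are simplified assumptions. It shows that words following the closing quote of `sh -c '...'` become the shell's `$0` and `$1`, that the same options inside the quote reach the command, and that a string ending inside an open quote fails to parse.

```shell
#!/bin/sh
# Added illustration; 'agent' is a constructed stand-in for cf-agent that
# only reports the options it received.
STUB='agent() { printf "agent saw: [%s]" "$*"; }'

# Options appended after the closing quote: sh -c takes them as $0 and $1,
# so the command inside the quoted string runs without them.
outside_quote() {
    /bin/sh -c "$STUB"'; agent; printf " | shell0=%s shell1=%s" "$0" "$1"' \
        -I -Dcfruncommand
}

# Same options written inside the quoted string: the command receives them.
inside_quote() {
    /bin/sh -c "$STUB; agent -I -Dcfruncommand"
}

# Command string that ends inside an open single quote: the shell rejects it
# before the last command can run.
unterminated_quote() {
    if /bin/sh -c "$STUB; agent '-I -Dcfruncommand" 2>/dev/null; then
        echo parsed
    else
        echo syntax-error
    fi
}

printf '%s\n' \
    "outside:      $(outside_quote)" \
    "inside:       $(inside_quote)" \
    "unterminated: $(unterminated_quote)"
```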

              People

              • Assignee:
                a10042 Nick Anderson
                Reporter:
                a10042 Nick Anderson