Bug #19429

closed

puppetca module should not run puppet cert commands as root

Added by Adam Winberg about 7 years ago. Updated almost 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: PuppetCA
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Currently, the puppetca code is set up to run 'puppet cert' commands via sudo as root. This seems to me to be an unnecessary privilege escalation; it should run the command as the user running puppet. Normally this user is 'puppet', but that should be configurable, I guess.

The problem with running as root is partly that since it is not absolutely necessary it shouldn't be done (on principle), and partly that users can have puppet certificates stored on a shared filesystem (for example NFS) where the root user on the puppet system has no access.

Actions #1

Updated by Dominic Cleal about 7 years ago

  • Project changed from Foreman to Smart Proxy
  • Category changed from PuppetCA to PuppetCA
Actions #2

Updated by Ewoud Kohl van Wijngaarden almost 3 years ago

  • Status changed from New to Rejected

Since Puppet 6 the HTTP API is used instead, which means no sudo is used anymore. Puppet < 6 is EOL so there are no plans to address this.
