We've identified and are fixing a condition in puppet where the auto-generated CA private key is created with too-lenient permissions. We feel the exposure is pretty limited (it would require a local user account on the CA system, to discover and copy/modify the CA key before additional puppet commands run) but will be releasing patched versions which do not have the problem. I wanted to post this publicly so users could evaluate their own site and remediate if necessary, in advance of an upstream software release.

You could be affected if:
- you used puppet server or puppet master to automatically generate a CA keypair and certificate and have NEVER restarted the process
- you never subsequently ran a puppet agent, cert, or other subcommands which use the certificate subsystem, on the host with the CA keypair.

You will not be affected if:
- you run Puppet Enterprise to initialize your CA
- you have ever run 'puppet agent' or other 'puppet cert' commands as root on the host with the keypair.
- you have ever restarted your puppet master/puppet server process. Ever. Really.

The immediate fix is to either:
- run `puppet agent` as root on the server which has the CA key
- as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`

A huge thank you/merci to Francois Lafont for reporting this issue. For more details, see https://tickets.puppetlabs.com/browse/PUP-5274

Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
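
An added example, not part of the original message and not Puppet's own code: a shell check that the CA key carries no permission bits beyond the 660 mode named in the immediate fix. The function names are hypothetical; the key path is built from the `puppet master --configprint cadir` command given above.

```shell
#!/bin/sh
# Audit the CA private key's mode against the 660 mode from the advisory.
# A clean result describes the current mode only, not what it was earlier.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if no permission bit outside 0660 is set, 1 if the key is
# too lenient, 2 if the file is missing or cannot be inspected.
ca_key_mode_ok() {
    [ -f "$1" ] || return 2
    mode=$(file_mode "$1") || return 2
    # 07117 = every bit not in 0660: "other" rwx, all exec bits,
    # setuid/setgid/sticky.
    extra=$(( 0$mode & 07117 ))
    [ "$extra" -eq 0 ]
}

# Human-readable report for one key path.
audit_ca_key() {
    key=$1
    rc=0
    ca_key_mode_ok "$key" || rc=$?
    case $rc in
        0) echo "OK: $key has mode $(file_mode "$key")" ;;
        1) echo "TOO LENIENT: $key has mode $(file_mode "$key"); as root: chmod 660 $key" ;;
        *) echo "NOT FOUND: $key" ;;
    esac
    return "$rc"
}

# Check the real CA key only when puppet is installed on this host.
if command -v puppet >/dev/null 2>&1; then
    audit_ca_key "$(puppet master --configprint cadir)/ca_key.pem" || true
fi
```

Run it as root on the host that holds the CA keypair so the key file is readable to `stat`.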