Skip to content

1.2.7: Security: Enforce file ownership
Compare
Choose a tag to compare
@danielparks danielparks released this 29 Feb 22:25
· 14 commits to main since this release
v1.2.7
This tag was signed with the committer’s verified signature.
danielparks Daniel Parks
GPG key ID: 3C85EBB0234DE864
Verified
Learn about vigilant mode.
7457468
This commit was signed with the committer’s verified signature.
danielparks Daniel Parks
GPG key ID: 3C85EBB0234DE864
Verified
Learn about vigilant mode.

Security fix

Certain Go tarballs (see below) had files owned by non-root users:

❯ curl -SsL https://go.dev/dl/go1.20.14.darwin-amd64.tar.gz | tar -tzvf - | head -3
drwxr-xr-x  0 0      0           0 Feb  2 10:19 go/
-rw-r--r--  0 gopher wheel    1339 Feb  2 10:09 go/CONTRIBUTING.md
-rw-r--r--  0 gopher wheel    1479 Feb  2 10:09 go/LICENSE

In this case, the non-root user in question mapped to the first user created on the macOS system (UID 501).

When running as root, previous versions of dp-golang would preserve file ownership when extracting the tarball, even if owner was set to something else. This meant that files, such as the go binary, ended up being writable by a non-root user.

This version of dp-golang enables tar’s --no-same-owner and --no-same-permissions flags, which cause files to be extracted as the user running Puppet, or as the user/group specified in the Puppet code.

GitHub security advisory: GHSA-8h8m-h98f-vv84

Affected Go tarballs

  • Go for macOS version 1.4.3 through 1.21rc3, inclusive.
  • go1.4-bootstrap-20170518.tar.gz
  • go1.4-bootstrap-20170531.tar.gz

Changes

As part of the security fix mentioned above, it became necessary to be more aggressive about ensuring that the owner and group of files in the installation are correct. dp-golang now deletes and recreates any Go installation it finds that has a file or directory with the wrong owner or group.

Assets 3
Loading