Bug #25798
open
Specially crafted command can interrupt the agent
Pull Request:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
It bothers me each time
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Priority:
53
Name check:
To do
Fix check:
To do
Regression:
No
Description
The attached technique breaks the agent.
Everything that is after this command is not executed by the agent and so prevents the agent from doing its job.
Rudder agent output is
2024-11-04T22:59:03+00:00 R: [INFO] Executing is-active on rudder-jetty using the systemctl method
E| compliant rudder-service-webapp Rudder-jetty service Started Ensure that service rudder-jetty is running was correct
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
Too many errors
2024-11-04T22:59:03+00:00 R: [INFO] Executing is-enabled on rudder-jetty using the systemctl method
E| compliant rudder-service-webapp Rudder-jetty service Enabled Ensure service rudder-jetty is enabled at boot was correct
E| n/a Server common Reload Rudder services No Rudder services restart needed
info Inventory Compute inventory splay Scheduling rudder_run_inventory was correct
info Inventory Inventory An inventory was already sent less than 8 hours ago
E| compliant Inventory Inventory Next inventory scheduled between 00:00 and 06:00
2024-11-04T22:59:03+00:00 rudder info: Executing 'no timeout' ... 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
2024-11-04T22:59:03+00:00 rudder info: Command related to promiser 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' returned code '0' not defined as promise kept, not kept or repaired; setting to failed
2024-11-04T22:59:03+00:00 rudder info: Completed execution of 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
error Rudder agent was interrupted during execution by a fatal error
## Summary #####################################################################
49 components verified in 10 directives
=> 49 components in Enforce mode
-> 44 compliant
-> 5 not-applicable
This summary is incomplete as the agent was interrupted during execution
Execution time: 4.00s
################################################################################
Reports sent.
verbose is attached, as well as stderr of verbose
Files
Updated by Alexis Mousset 17 days ago · Edited
The problem happens in CFEngine's parser which fails on the awk command strings. I could reduce the offending string to (($({}))).
The agent starts the execution, and when reaching 12 errors, aborts:
    if (P.error_count > 12)
    {
        fprintf(stderr, "Too many errors\n");
        DoCleanupAndExit(EXIT_FAILURE);
    }
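A triage helper for the agent output quoted in this ticket, as an added example that is not part of the ticket and is not Rudder or CFEngine code: it counts the parser errors, groups them by offending string and reports the abort markers, so a truncated run is not read as a compliant one. The names `triage`, `ABORT_MARKERS` and `ERROR_LIMIT` and the sample input are assumptions, built from the messages and the `> 12` check shown above.

```python
import re
from collections import Counter

# Messages copied from the agent output quoted in this ticket.
PARSER_ERROR = re.compile(
    r"^(?P<file>\S+):\d+:\d+: error: Broken (?:scalar )?variable syntax "
    r"or bracket mismatch in (?:string \((?P<s>.*)\)|'(?P<q>.*)')\s*$")
ABORT_MARKERS = (
    "Too many errors",
    "Rudder agent was interrupted during execution by a fatal error",
    "This summary is incomplete as the agent was interrupted",
)
ERROR_LIMIT = 12  # from the quoted check: abort once error_count > 12


def triage(output):
    """Summarise parser errors and abort markers found in agent output."""
    offenders = Counter()
    markers = []
    for line in output.splitlines():
        m = PARSER_ERROR.match(line.strip())
        if m:
            # Key on the string the parser rejected, whichever form reported it.
            offenders[m.group("s") or m.group("q")] += 1
            continue
        markers += [k for k in ABORT_MARKERS if k in line and k not in markers]
    total = sum(offenders.values())
    return {
        "parser_errors": total,
        "over_limit": total > ERROR_LIMIT,
        "interrupted": bool(markers),
        "markers": markers,
        "offenders": dict(offenders),
    }


# Constructed sample: same messages and counts as the ticket's output (7 + 6).
CMD = ("awk -F: '($4 == '\"$(getent group shadow | awk -F: '{print $3}' )\"')"
       " {}' /etc/passwd")
SRC = "/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1"
SAMPLE = "\n".join(
    [f"{SRC}: error: Broken variable syntax or bracket mismatch in string ({CMD})"] * 7
    + [f"{SRC}: error: Broken scalar variable syntax or bracket mismatch in "
       f"'audit_from_command_{CMD}'"] * 6
    + ["Too many errors",
       "error Rudder agent was interrupted during execution by a fatal error",
       "This summary is incomplete as the agent was interrupted during execution"])

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["parser_errors"], report["interrupted"], list(report["offenders"]))
```

Feeding it the captured output of each agent run and alerting when `interrupted` is true surfaces nodes where directives after the offending command were not applied.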
Updated by Alexis Mousset 17 days ago
- Category changed from Security to Agent
- Private changed from Yes to No
Updated by Alexis Mousset 17 days ago
- Priority changed from To review to 5 (lowest)
Setting low priority as it is really a corner case. If it happens again we may investigate and try to fix the parser.
Updated by Vincent MEMBRÉ 15 days ago
- Target version changed from 8.1.8 to 8.1.9