Project

General

Profile

Actions

Bug #25798

open

Specially crafted command can interrupt the agent

Added by Nicolas CHARLES about 2 months ago. Updated 20 days ago.

Status:
New
Priority:
5 (lowest)
Assignee:
-
Category:
Agent
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
It bothers me each time
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Priority:
53
Name check:
To do
Fix check:
To do
Regression:
No

Description

The attached technique breaks the agent
Everything that is after this command is not executed by the agent and so prevent the agent from doing its job

Rudder agent output is

2024-11-04T22:59:03+00:00 R: [INFO] Executing is-active on rudder-jetty using the systemctl method
E| compliant     rudder-service-webapp     Rudder-jetty service      Started            Ensure that service rudder-jetty is running  was correct
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd)
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
/var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
Too many errors
2024-11-04T22:59:03+00:00 R: [INFO] Executing is-enabled on rudder-jetty using the systemctl method
E| compliant     rudder-service-webapp     Rudder-jetty service      Enabled            Ensure service rudder-jetty is enabled at boot  was correct
E| n/a           Server common             Reload Rudder services                       No Rudder services restart needed
   info          Inventory                 Compute inventory splay                      Scheduling rudder_run_inventory was correct
   info          Inventory                 Inventory                                    An inventory was already sent less than 8 hours ago
E| compliant     Inventory                 Inventory                                    Next inventory scheduled between 00:00 and 06:00
2024-11-04T22:59:03+00:00 rudder     info: Executing 'no timeout' ... 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
2024-11-04T22:59:03+00:00 rudder     info: Command related to promiser 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' returned code '0' not defined as promise kept, not kept or repaired; setting to failed
2024-11-04T22:59:03+00:00 rudder     info: Completed execution of 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd'
error    Rudder agent was interrupted during execution by a fatal error

## Summary #####################################################################
49 components verified in 10 directives
   => 49 components in Enforce mode
      -> 44 compliant
      -> 5 not-applicable
This summary is incomplete as the agent was interrupted during execution
Execution time: 4.00s
################################################################################
Reports sent.

verbose is attached, as well as stderr of verbose


Files

break_agent.yml (332 Bytes) break_agent.yml Nicolas CHARLES, 2024-11-05 09:16
stderr (2.54 KB) stderr Nicolas CHARLES, 2024-11-05 09:19
broken_agent (5.5 MB) broken_agent Nicolas CHARLES, 2024-11-05 09:19
brokenR (25 KB) brokenR Nicolas CHARLES, 2024-11-05 09:28
Actions #1

Updated by Nicolas CHARLES about 2 months ago

  • Priority changed from N/A to To review
Actions #2

Updated by Nicolas CHARLES about 2 months ago

Actions #3

Updated by Alexis Mousset about 2 months ago · Edited

The problem happens in CFEngine's parser which fails on the awk command strings. I could reduce the offending string to (($({}))).

The agent starts the execution, and when reaching 12 errors, aborts:

if (P.error_count > 12)
{
  fprintf(stderr, "Too many errors\n");
  DoCleanupAndExit(EXIT_FAILURE);
}
Actions #4

Updated by Alexis Mousset about 2 months ago

  • Category changed from Security to Agent
  • Private changed from Yes to No
Actions #5

Updated by Alexis Mousset about 2 months ago

  • Priority changed from To review to 5 (lowest)

Setting low priority is it is really a corner case. If it happens again we may investigate and try to fix the parser.

Actions #6

Updated by Vincent MEMBRÉ about 1 month ago

  • Target version changed from 8.1.8 to 8.1.9
Actions #7

Updated by Vincent MEMBRÉ 25 days ago

  • Target version changed from 8.1.9 to 8.1.10
Actions #8

Updated by Vincent MEMBRÉ 20 days ago

  • Target version changed from 8.1.10 to 8.1.11
Actions

Also available in: Atom PDF