Actions
Bug #25798
openSpecially crafted command can interrupt the agent
Pull Request:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
It bothers me each time
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Priority:
53
Name check:
To do
Fix check:
To do
Regression:
No
Description
The attached technique breaks the agent
Everything that is after this command is not executed by the agent and so prevent the agent from doing its job
Rudder agent output is
2024-11-04T22:59:03+00:00 R: [INFO] Executing is-active on rudder-jetty using the systemctl method E| compliant rudder-service-webapp Rudder-jetty service Started Ensure that service rudder-jetty is running was correct /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken variable syntax or bracket mismatch in string (awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd) /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' /var/rudder/cfengine-community/inputs/inventory/1.0/fusionAgent.cf:1:1: error: Broken scalar variable syntax or bracket mismatch in 'audit_from_command_awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' Too many errors 2024-11-04T22:59:03+00:00 R: [INFO] Executing is-enabled on rudder-jetty using the systemctl method E| compliant rudder-service-webapp Rudder-jetty service Enabled Ensure service rudder-jetty is enabled at boot was correct E| n/a Server common Reload Rudder services No Rudder services restart needed info Inventory Compute inventory splay Scheduling rudder_run_inventory was correct info Inventory Inventory An inventory was already sent less than 8 hours ago E| compliant Inventory Inventory Next inventory scheduled between 00:00 and 06:00 2024-11-04T22:59:03+00:00 rudder info: Executing 'no timeout' ... 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' 2024-11-04T22:59:03+00:00 rudder info: Command related to promiser 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' returned code '0' not defined as promise kept, not kept or repaired; setting to failed 2024-11-04T22:59:03+00:00 rudder info: Completed execution of 'awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' )"') {}' /etc/passwd' error Rudder agent was interrupted during execution by a fatal error ## Summary ##################################################################### 49 components verified in 10 directives => 49 components in Enforce mode -> 44 compliant -> 5 not-applicable This summary is incomplete as the agent was interrupted during execution Execution time: 4.00s ################################################################################ Reports sent.
verbose is attached, as well as stderr of verbose
Files
Updated by Nicolas CHARLES about 2 months ago
- Priority changed from N/A to To review
Updated by Alexis Mousset about 2 months ago · Edited
The problem happens in CFEngine's parser which fails on the awk command strings. I could reduce the offending string to (($({})))
.
The agent starts the execution, and when reaching 12 errors, aborts:
if (P.error_count > 12)
{
fprintf(stderr, "Too many errors\n");
DoCleanupAndExit(EXIT_FAILURE);
}
Updated by Alexis Mousset about 2 months ago
- Category changed from Security to Agent
- Private changed from Yes to No
Updated by Alexis Mousset about 2 months ago
- Priority changed from To review to 5 (lowest)
Setting low priority is it is really a corner case. If it happens again we may investigate and try to fix the parser.
Updated by Vincent MEMBRÉ about 1 month ago
- Target version changed from 8.1.8 to 8.1.9
Updated by Vincent MEMBRÉ 25 days ago
- Target version changed from 8.1.9 to 8.1.10
Updated by Vincent MEMBRÉ 20 days ago
- Target version changed from 8.1.10 to 8.1.11
Actions