Skip to content

More secure default server setting#208

Open
binford2k wants to merge 2 commits intoOpenVoxProject:mainfrom
binford2k:default_servername
Open

More secure default server setting#208
binford2k wants to merge 2 commits intoOpenVoxProject:mainfrom
binford2k:default_servername

Conversation

@binford2k
Copy link
Contributor

@binford2k binford2k commented Sep 9, 2025

Under some fairly obscure conditions, defaulting the server setting to
'puppet' can be a security concern. Because the worst case scenario
involves a user accidentally running puppet agent -t on an untrusted
network, this PR removes the default completely when non-root.
Otherwise, it just prints a deprecation warning.

Fixes https://github.com/voxpupuli/security-tracking/issues/22

@binford2k
Copy link
Contributor Author

binford2k commented Sep 9, 2025

fwiw, I'm not actually happy with this solution. It means that in a completely serverless workflow, you'll have spurious warnings in the logs like such. I'll try to find a better way later, after we decide if this is a good idea or not.

$ sudo puppet apply /tmp/site.pp
Warning: OpenVox will not default to `server=puppet` as of version 9.0. Please update your configuration appropriately.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/defaults.rb:1659:in `block in initialize_default_settings!')
Notice: Compiled catalog for lilith.local in environment production in 0.00 seconds
...

@binford2k
Copy link
Contributor Author

binford2k commented Sep 16, 2025

I moved the check and warnings to the http service so it only screams if you actually use it. This avoids, for example, the spurious deprecation message when running puppet apply, or even puppet config set to set it in the first place!

@binford2k binford2k requested a review from bastelfreak October 16, 2025 23:34
@binford2k
Copy link
Contributor Author

binford2k commented Oct 16, 2025

if people approve of this approach, I'm happy to get started on fixing the spec tests.

@bastelfreak
Copy link
Contributor

bastelfreak commented Oct 23, 2025

@binford2k yes this makes sense to me

binford2k and others added 2 commits January 6, 2026 17:06
@binford2k
More secure default server setting
c6fd18b 
Under some fairly obscure conditions, defaulting the server setting to
'puppet' can be a security concern. Because the worst case scenario
involves a user accidentally running `puppet agent -t` on an untrusted
network, this PR removes the default completely when non-root.
Otherwise, it just prints a deprecation warning.

The check and warnings are generated at the http service so that it
only screams if you actually attempt to use it. This avoids, for example,
the spurious deprecation message when running `puppet config set` to set
this in the first place.

Fixes voxpupuli/security-tracking#22
@binford2k @corporate-gadfly
fix spec tests
8a79383 
Co-authored-by: Haroon Rafique <haroon.rafique@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bastelfreak bastelfreak Awaiting requested review from bastelfreak

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@binford2k @bastelfreak