From bdf728edc4c0b0e0e416f9d3e542b6815a4d3c0a Mon Sep 17 00:00:00 2001
From: Daniel Pittman <daniel@puppetlabs.com>
Date: Thu, 29 Sep 2011 00:32:49 -0700
Subject: [PATCH] (#9794) k5login can overwrite arbitrary files as root

The k5login type is typically used to manage a file in the home directory of a
user; the explicit purpose of the files is to allow access to other users.

It writes to the target file directly, as root, without doing anything to
secure the file. That would allow the owner of the home directory to symlink
to anything on the system, and have it replaced with the  correct  content of
the file. Which is a fairly obvious escalation to root the next time Puppet
runs.

Now, instead, fix that to securely write the target file in a predictable and
secure fashion, using the `secure_open` helper.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
---
 lib/puppet/type/k5login.rb |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/lib/puppet/type/k5login.rb b/lib/puppet/type/k5login.rb
index eac142f..2e87ca9 100644
--- a/lib/puppet/type/k5login.rb
+++ b/lib/puppet/type/k5login.rb
@@ -79,7 +79,9 @@ Puppet::Type.newtype(:k5login) do
 
     private
     def write(value)
-      File.open(@resource[:name], "w") { |f| f.puts value.join("\n") }
+      Puppet::Util.secure_open(@resource[:name], "w") do |f|
+        f.puts value.join("\n")
+      end
     end
   end
 end
-- 
1.7.6.4