Harden root password class

[chelnak]

Prior to this PR there was a possibility that malformed strings could be passed in to the resource.
This could lead to unsafe executions on a remote system.

The parameters that are susceptible are install_secret_file.

This PR fixes the above by adding validation to ensure the given values confirm to expectation.

secret_file is validated with a regular expression that ensures the given value is a valid path.

[puppet-community-rangefinder]

mysql::db is a type

Breaking changes to this file WILL impact these 67 modules (exact match):

• wdijkerman-zabbix
• autostructure-artifactory
• puppet-zabbix
• razorsedge-cloudera
• sensson-powerdns
• treydock-keycloak
• puppetlabs-bacula
• jsnshrmn-twlight
• cesnet-site_hadoop
• geoffwilliams-r_profile
• maxadamo-galera_proxysql
• sgnl05-racktables
• shoekstra-owncloud
• binford2k-drupal
• mmitchell-puppetlabs_ironic
• oris-appserver
• brucem-ezpublish
• rharrison-bacula
• wyrie-nagiosql
• desalvo-bacula
• openstack-monasca
• hgkamath-owncloud
• blackknight36-bacula
• bramwelt-patchwork
• ULHPC-slurm
• martasd-mediawiki
• alkivi-zabbix
• cirrax-postfixadmin
• SchnWalter-happydev
• fiddyspence-zabbix
• aimonb-nexusis_mediawiki
• alkivi-owncloud
• jefferyb-kualicoeus
• lboynton-gitlab
• ccaum-autoami
• wyrie-snmptt
• firefield-firefield
• forj-openfire
• cnwr-cacti
• leonardothibes-usvn
• aimonb-nexusis_gerrit
• dsestero-sonarqube
• stesie-gluon
• hexmode-mediawiki
• tscopp-jss
• dmcnicks-sympa
• marcdeop-ratticdb
• othalla-nextcloud
• icann-opendnssec
• alisio-opensips
• factorit-jasperreports_server
• martialblog-limesurvey
• monkygames-beansbooks
• treydock-xdmod
• infnpd-ocpattrauth
• mricon-bugzilla
• eelcomaljaars-friendica
• akisakye-matomo
• fervid-artifactory
• treydock-slurm
• samuelson-custom_webapp
• cirrax-roundcube
• bodgit-wordpress
• alisio-opensipscp
• mightp-librenms
• benjaminrobertson-observium
• qroac-isp3node

Breaking changes to this file MAY impact these 16 modules (near match):

• lcgdm-dmlite
• lcgdm-lcgdm
• cesnet-hive
• icinga-icinga
• tykeal-gerrit
• cesnet-oozie
• echoes-wrappers
• jtopjian-cubbystack
• erwbgy-wso2
• soli-wrappers
• mwils-complete_wordpress
• devopera-domysqldb
• halyard-boxen
• rspiak-racktables
• abaranov-sqlgrey
• kclnmssys-sympa

mysql::server::root_password is a class

that may have no external impact to Forge modules.

This module is declared in 140 of 579 indexed public Puppetfiles.

---

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

[chelnak]

ping @puppetlabs/security

[chelnak]

The test failures in this PR are present on main and part of another investigation.

[LivingInSyn]

This should be chained with a ; not &&. If the mysqladmin command fails with the current command chaining it won't delete the .mysql_secret file

[binford2k]

I think that's desired though. If we remove the file without setting the password, then we've lost it.

[LivingInSyn]

🤔 we don't want to leave a cleartext file sitting on the hard drive though

[binford2k]

Let's look at the workflow and fragilities. This is how I understand it, please correct me if I'm wrong.

1. the mysql install runs and generates a randomized password
2. this is saved in plaintext on disk. It allows you only the ability to set your own password--you can't use it for normal operations.
3. the user is expected to specify a new password and delete the temporary password file, which is what this command string is doing.

If step 3 fails, I can only think of a handful of causes:

1. mysql installation failed or the service didn't start. Manual intervention is required, and the plaintext password may or may not be valid.
2. race condition -- the install succeeded, but an unknown actor already changed the root password. The plaintext password is invalid, but this should probably trigger an investigation.
3. the process that generated the install password and file on disk failed. The plaintext password is invalid.

Are there other scenarios?

[LivingInSyn]

yes, assume that something else went wrong with the mysqladmin password change command, in this case the password was not changed or removed, and it's still sitting on the disk, right? The safer option here is to just delete it regardless of success or failure

[binford2k]

I'd still call that scenario 1 and the proper response imho is to fail and ensure manual intervention. I'm not sure if I care about the password file existing. It could make troubleshooting easier, but I suspect that most users won't bother--they'll either burn the node or remove the installation and try again.

My concern with chaining with ; is that it will make that exec always succeed and so it won't bubble up errors.

[LivingInSyn]

how about we do it like this

 mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' /.mysql_secret) password \
&& (rm -f  /.mysql_secret; exit 0) \
|| (rm -f /.mysql_secret; exit 1)

Now we'll always delete the secret, and we'll have the error if something went wrong?

[binford2k]

Ha! I looked at the original code again and it wasn't surfacing errors to start with!