Actions
Bug #19429
closedpuppetca module should not run puppet cert commands as root
Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
PuppetCA
Target version:
-
Description
Currently, the puppetca code is set up to run 'puppet cert' commands via sudo as root. This seems to me to be an unnecessary privilege escalation, it should run the command as the user running puppet. Normally this user is 'puppet', but that should be configurable I guess.
The problem with running as root is partly that since it is not absolutely necessary it shouldn't be done (by principal), and partly that users can have puppet certificates stored on a shared filesystem (for example NFS) where the root user on the puppet system have no access.
Updated by Dominic Cleal almost 7 years ago
- Project changed from Foreman to Smart Proxy
- Category changed from PuppetCA to PuppetCA
Updated by Ewoud Kohl van Wijngaarden over 2 years ago
- Status changed from New to Rejected
Since Puppet 6 the HTTP API is used instead, which means no sudo is used anymore. Puppet < 6 is EOL so there are no plans to address this.
Actions