Thursday, August 20, 2015

Running Puppet For A Single Module

For the last 2 1/2 years I have been working with Puppet.  Sure, there is a lot of debate about Puppet versus Chef, but where I work we use Puppet, so the debate is moot.

I was recently adding a user account for someone who needed access to a couple of our legacy systems.  These systems are on a version of our Puppet code that we have not maintained for almost 2 years (ever since we re-worked our network and re-wrote our Puppet code to be cleaner and more efficient).

Erring on the side of caution, I checked and found that Puppet hadn't been run on one of the servers for almost 2 years (which is scary).  But I needed to get the person's account propagated out to the machines in question, as we only use Puppet for account management (we DO NOT manually create accounts).

So I decided to run Puppet JUST for the module in question.  This has the benefit of applying only the changes from the module you want and nothing else in the Puppet ecosystem.

The first thing to do is run the command with '--noop' added.  This lets us see what changes would be made, without actually applying them:

# puppet agent -vt --noop --tags=module

The '--tags=module' portion of that line lets you specify which module you want to apply to the system during the Puppet run (replace 'module' with the name of the module).  The '--noop' tells Puppet to run in what is essentially known as 'just kidding' mode: it runs, but it won't apply anything.  Instead, it tells you what it would have done.  This way, you can see what changes would be made, just in case there are some you didn't expect.  This is an excellent feature that can help you avoid unexpected changes that can really cause things to go awry.

After that runs and you confirm that everything it would have done is OK, simply run the command again without the '--noop', and it will apply the changes.
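Before dropping '--noop', it is worth checking that the dry run only touched the module you asked for.  The script below is an added example (not code from the original post): it reads the agent's '--noop' output, lists every resource the run would have changed, and flags any whose containing class is not part of the module named in '--tags', so a foreign class that happens to carry the same tag is noticed before the real run.  It assumes the Puppet 3.x notice format ('Notice: /Stage[main]/<Class>/<Type>[<title>]/<param>: current_value ..., should be ... (noop)'); the sample output, the host name and the 'accounts' module are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): review the output of
#   puppet agent -vt --noop --tags=<module>
# before repeating the run without --noop. Lists every resource the run
# would change and flags any that sit outside the module named in --tags.
#
# Assumptions: Puppet 3.x agent output, where a pending change is reported as
#   Notice: /Stage[main]/<Class>/<Type>[<title>]/<param>: current_value ..., should be ... (noop)
# The sample below is constructed, not captured from a real host.
SAMPLE_NOOP_OUTPUT=$(cat <<'EOF'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for legacy01.example.com
Notice: /Stage[main]/Accounts/User[jdoe]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Accounts/File[/home/jdoe/.ssh/authorized_keys]/ensure: current_value absent, should be file (noop)
Notice: /Stage[main]/Ntp::Config/File[/etc/ntp.conf]/content: current_value {md5}1111, should be {md5}2222 (noop)
Notice: Class[Accounts]: Would have triggered 'refresh' from 2 events
Notice: Finished catalog run in 1.23 seconds
EOF
)

# noop_changes AGENT_OUTPUT
# Prints the resource path (e.g. /Stage[main]/Accounts/User[jdoe]) of each
# "(noop)" notice, dropping the parameter name and the value description.
noop_changes() {
    printf '%s\n' "$1" |
        sed -n 's|^Notice: \(/Stage.*\)/[a-z_]*: current_value .* (noop)$|\1|p'
}

# changes_outside_module AGENT_OUTPUT MODULE
# Prints the resource paths whose containing class does not belong to MODULE
# (lowercase, as passed to --tags). A module's classes show up in the path as
# /Stage[main]/<Module>/ or /Stage[main]/<Module>::<Sub>/; anything else means
# the run pulled in resources from another module.
changes_outside_module() {
    noop_changes "$1" | awk -v mod="$2" '
        {
            split($0, parts, "/")        # parts[3] is the containing class
            cls = tolower(parts[3])
            if (cls != mod && index(cls, mod "::") != 1) print
        }'
}

# noop_is_clean AGENT_OUTPUT MODULE
# Succeeds (exit 0) only when every pending change belongs to MODULE.
noop_is_clean() {
    [ -z "$(changes_outside_module "$1" "$2")" ]
}

# On a real host, capture the dry run and feed it in, e.g.:
#   puppet agent -vt --noop --tags=accounts 2>&1 | tee /tmp/noop.log
#   noop_is_clean "$(cat /tmp/noop.log)" accounts && puppet agent -vt --tags=accounts
echo "Resources the run would change:"
noop_changes "$SAMPLE_NOOP_OUTPUT"
echo "Of those, outside module 'accounts':"
changes_outside_module "$SAMPLE_NOOP_OUTPUT" accounts
```

In the constructed sample the ntp.conf change is reported as outside the 'accounts' module, so 'noop_is_clean' fails and the real run should wait until you understand why that resource was selected.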

Sunday, August 16, 2015

sudo Vulnerability On OS X

I was perusing Hacker News and found an article mentioning that there is a vulnerability in sudo as Apple ships it.  The vulnerability is active because Apple ships its OS with tty_tickets disabled.  What this means is that your logins to a machine (or terminal sessions, as it were) are not treated as separate, but instead as linked.

To demonstrate this, open two terminal windows and sudo to root in each.  You will be prompted for your password once, but not the second time.  To fix this, simply run 'visudo' (as root) and add the following lines to the file (I added a comment above the setting to say that it was a vulnerability fix):

# To turn off apple's giant privilege escalation vulnerability
Defaults tty_tickets

After you apply the fix, log out of your terminal sessions and open two new ones.  You should now have to provide your password on both of them.

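If you manage more than one Mac, the two-terminal test does not scale, so here is an added example (not code from the original post) that audits the setting instead: it parses the "Matching Defaults entries" block that 'sudo -l' prints for the calling user and reports whether tty_tickets is enabled, explicitly disabled ('!tty_tickets'), or simply not mentioned in sudoers.  It assumes that 'sudo -l' prints the Defaults as a comma-separated list that may wrap over several indented lines and ends at the first blank line; the three sample outputs and the user 'alice' are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit sudo for the
# tty_tickets option by parsing the Defaults block of `sudo -l` output.
#
# Assumptions: `sudo -l` prints "Matching Defaults entries for <user> on <host>:"
# followed by a comma-separated list of options that may wrap over several
# indented lines and ends at the first blank line. Samples are constructed.

# Sudoers that never mention tty_tickets (the state the post describes).
SAMPLE_SUDO_L_UNSET=$(cat <<'EOF'
Matching Defaults entries for alice on this host:
    env_reset, env_keep+="BLOCKSIZE", env_keep+="COLORFGBG COLORTERM",
    env_keep+="__CF_USER_TEXT_ENCODING", env_keep+="LINES COLUMNS"

User alice may run the following commands on this host:
    (ALL) ALL
EOF
)

# The same machine after "Defaults tty_tickets" was added with visudo.
SAMPLE_SUDO_L_FIXED=$(cat <<'EOF'
Matching Defaults entries for alice on this host:
    env_reset, env_keep+="BLOCKSIZE", tty_tickets,
    env_keep+="LINES COLUMNS"

User alice may run the following commands on this host:
    (ALL) ALL
EOF
)

# A machine where someone explicitly switched the option off.
SAMPLE_SUDO_L_NEGATED=$(cat <<'EOF'
Matching Defaults entries for alice on this host:
    env_reset, !tty_tickets

User alice may run the following commands on this host:
    (ALL) ALL
EOF
)

# defaults_entries SUDO_L_OUTPUT
# Prints each option from the Defaults block, one per line, trimmed.
# (An option whose quoted value contains a comma would be split here;
# tty_tickets takes no value, so the check below is unaffected.)
defaults_entries() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_block = 1; next }
        in_block && /^[ \t]*$/       { in_block = 0 }
        in_block {
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] != "") print opts[i]
            }
        }'
}

# tty_tickets_state SUDO_L_OUTPUT
# Prints one of:
#   enabled  - "tty_tickets" is set in sudoers
#   disabled - "!tty_tickets" is set in sudoers
#   unset    - sudoers does not mention it; the compiled-in default applies
# Later Defaults entries override earlier ones, so the last match wins.
tty_tickets_state() {
    state=unset
    while IFS= read -r opt; do
        case "$opt" in
            tty_tickets)    state=enabled ;;
            '!tty_tickets') state=disabled ;;
        esac
    done <<EOF
$(defaults_entries "$1")
EOF
    echo "$state"
}

# On a real machine: tty_tickets_state "$(sudo -l 2>/dev/null)"
echo "never mentioned:  $(tty_tickets_state "$SAMPLE_SUDO_L_UNSET")"
echo "after the fix:    $(tty_tickets_state "$SAMPLE_SUDO_L_FIXED")"
echo "explicitly off:   $(tty_tickets_state "$SAMPLE_SUDO_L_NEGATED")"
```

A result of 'unset' only tells you that sudoers is silent; whether tickets are per-tty then depends on how the sudo binary was built.  To see the effective value, run 'sudo -V' as root: it lists the options in force, and the line "Use a separate timestamp file for each user/tty pair" appears when tty_tickets is on.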
This work is licensed under a Creative Commons Attribution 3.0 License.