Summary
dp-golang could install files — including the compiler binary — with the wrong ownership when all of the following were true:
- Puppet was run as root
- Using dp-golang version < 1.2.7
- The installed package was:
  - On macOS: Go version 1.4.3 through 1.21rc3, inclusive.
  - go1.4-bootstrap-20170518.tar.gz
  - go1.4-bootstrap-20170531.tar.gz
The user and group specified in Puppet code were ignored for files within the archive.
Explanation
dp-golang uses `tar` to extract Go installations into place. When running as root, `tar` by default honors the ownership of entries in the installation tarball. Go installation archives listed below have files owned by a non-root user, so `tar` applied that ownership as best it could on installation.
A check of the archives on https://go.dev/dl found a number of installation archives with files owned by `gopher`, `kbuilder`, or just UID 501 or 502.
- For macOS: Go versions 1.4.3 through 1.21rc3, inclusive
- go1.4-bootstrap-20170518.tar.gz
- go1.4-bootstrap-20170531.tar.gz
Go versions 1.21.0 and beyond on macOS are not affected (all entries are owned by UID 0).
Impact
This could result in the Go installation being modifiable by a non-root user. In the worst case, the user could modify the compiler to insert vulnerabilities into packages that were then run by privileged users on the same system, or on other systems entirely.
Patches
dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group. New and recreated installations will have the correct owner and group for all files and directories.
Workarounds
The Go installation may be `chown`ed to the proper ownership, but this does not guarantee that it has not been modified.