More secure default server setting

binford2k · binford2k · commit 8dc2b93ca271 · 2025-09-08T19:42:11.000-07:00
Under some fairly obscure conditions, defaulting the server setting to 'puppet' can be a security concern. Because the worst case scenario involves a user accidentally running `puppet agent -t` on an untrusted network, this PR removes the default completely when non-root. Otherwise, it just prints a deprecation warning. Fixes voxpupuli/security-tracking#22
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
@@ -1650,8 +1650,19 @@ def self.initialize_default_settings!(settings)
       :desc     => "The root directory of devices' $confdir.",
     },
     :server => {
-      :default => "puppet",
-      :desc => "The primary Puppet server to which the Puppet agent should connect.",
+      :default   => '', # use an empty string so dependent settings can resolve without crashing
+      :desc      => "The primary Puppet server to which the Puppet agent should connect.",
+      :call_hook => :on_initialize_and_write,
+      :hook      => proc do |value|
+        if value.empty?
+          if Puppet.features.root?
+            Puppet.deprecation_warning('OpenVox will not default to `server=puppet` as of version 9.0. Please update your configuration appropriately.')
+            Puppet.settings[:server] = 'puppet'
+          else
+            Puppet.deprecation_warning('"server" must be specified when running as a non-privileged user. (Did you mean to run as root?)')
+          end
+        end
+      end
     },
     :server_list => {
       :default => [],
diff --git a/spec/unit/defaults_spec.rb b/spec/unit/defaults_spec.rb
@@ -8,6 +8,20 @@
     end
   end
 
+  describe 'server' do
+    it 'should default to `puppet` when root' do
+      allow(Puppet.features).to receive(:root?).and_return(true)
+      Puppet.initialize_settings
+      expect(Puppet.settings[:server]).to eq('puppet')
+    end
+
+    it 'should default to empty value when non-root' do
+      expect(Puppet).to receive(:deprecation_warning)
+      Puppet.initialize_settings
+      expect(Puppet.settings[:server]).to eq('')
+    end
+  end
+
   describe 'strict' do
     it 'should accept the valid value :off' do
       expect {Puppet.settings[:strict] = 'off'}.to_not raise_exception
@@ -146,7 +160,7 @@
 
   describe "deprecated settings" do
     it 'does not issue a deprecation warning by default' do
-      expect(Puppet).to receive(:deprecation_warning).never
+      expect(Puppet).to receive(:deprecation_warning).with(/"server" must be specified when running as a non-privileged user/)
 
       Puppet.initialize_settings
     end
