Failure to set authpass/privpass containing a dollar sign #173

Closed
smoeding opened this issue Dec 5, 2018 · 1 comment · Fixed by #176
Labels
bug Something isn't working

Comments

@smoeding
Contributor

smoeding commented Dec 5, 2018

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.x
  • Ruby: 2.4.4
  • Distribution: Debian 9
  • Module version: 4.1.0

How to reproduce (e.g Puppet code you use)

Use authpass/privpass containing a '$' like this:

    snmp::snmpv3_user { 'myuser':
      authpass => '1234$auth',
      privpass => '5678$priv',
    }

What are you seeing

Puppet tries to update the snmpv3 user data at each run.

What behaviour did you expect instead

Puppet should update the snmpv3 user data only once.

Any additional information you'd like to impart

I think the problem is that the dollar sign is interpreted as the start of a variable and the value (maybe empty) is interpolated. Therefore the hash is calculated for a different password and Puppet tries to do the same next time because the hashes do not match.

I believe I traced this down to the place in snmpv3_user.pp where the exec resource is used to create the config entry:

    exec { "create-snmpv3-user-${title}":
      path    => '/bin:/sbin:/usr/bin:/usr/sbin',
      # TODO: Add "rwuser ${title}" (or rouser) to /etc/snmp/${daemon}.conf
      command => "service ${service_name} stop ; sleep 5 ; \
echo \"${cmd}\" >>${snmp::params::var_net_snmp}/${daemon}.conf",
      user    => 'root',
      require => [ Package['snmpd'], File['var-net-snmp'], ],
      before  => Service[$service_name],
    }

The Puppet variable ${cmd} contains the line to be added to the config file. The value is given to the shell using double quotes, which tells the shell to look for and interpret special chars. If the value of the ${cmd} variable contains something like $x then the shell will replace that with the value of the shell variable x. The password added to the configuration file is therefore not the correct password.

I see two possible fixes here:

  • Use single quotes so the shell does not try to interpret the value.
  • Replace the exec with something better, e.g. a service resource to stop the service and a file_line resource (from stdlib) to add the config line. Additional bonus points: the service resource would not depend on the service executable (is that even available everywhere?). Also the service could only be stopped once when multiple SNMP users are updated at the same time.

Thoughts/comments?
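
The quoting behaviour described in the report, as an added shell example that is not part of the original issue or the module's code. The createUser line is a constructed stand-in for the ${cmd} value (the issue does not show it), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the Puppet ${cmd} value; the issue does not show the
# real line, so this net-snmp createUser entry is an assumption.
LINE='createUser myuser SHA 1234$auth AES 5678$priv'

# Before: splice the line into shell command text inside double quotes, as the
# exec's `echo \"${cmd}\"` does. The inner shell then expands $auth and $priv.
render_double_quoted() {
  (
    unset auth priv    # keep the demo deterministic: both variables are unset
    sh -c "echo \"$1\""
  )
}

# Helper (hypothetical name): wrap a string in single quotes for use as shell
# command text, rewriting each embedded ' as '\'' so the value itself cannot
# close the quoting early.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# After: the same splice, but single-quoted, so the inner shell treats the
# whole line as literal text.
render_single_quoted() {
  sh -c "printf '%s\n' $(shell_quote "$1")"
}

# Returns 0 when the text that would reach the config file differs from the
# intended line. $1 = render function to use, $2 = intended line.
line_is_altered() {
  [ "$("$1" "$2")" != "$2" ]
}

printf 'intended:      %s\n' "$LINE"
printf 'double quotes: %s\n' "$(render_double_quoted "$LINE")"
printf 'single quotes: %s\n' "$(render_single_quoted "$LINE")"
```

With double quotes the stored passphrases become 1234 and 5678, so the hash Puppet computes from the manifest value never matches and the resource is reapplied on every run.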

@smoeding
Contributor Author

I started working on a fix for this. Unfortunately a service resource to stop the daemon will cause a duplicate resource error (even with different titles; Puppet seems to use the namevar internally). So in my opinion the best fix seems to be an exec resource to stop the service and a file_line resource to update the config file.

@ghoneycutt ghoneycutt added the bug Something isn't working label Feb 13, 2019
alexjfisher added a commit that referenced this issue Feb 24, 2019
Rewrite user creation to prevent quoting bug (fixes #173)