(#9794) k5login can overwrite arbitrary files as root
The k5login type is typically used to manage a file in the home directory of a
user; the explicit purpose of the files is to allow access to other users.
It writes to the target file directly, as root, without doing anything to
secure the file. That would allow the owner of the home directory to symlink
to anything on the system, and have it replaced with the correct content of
the file. Which is a fairly obvious escalation to root the next time Puppet
runs.
Now, instead, fix that to securely write the target file in a predictable and
secure fashion, using the secure_open helper.
Fixes CVE-2011-3869
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>