help-cfengine

can I file sweep / and exclude full pathnames?


From: Nate Campi
Subject: can I file sweep / and exclude full pathnames?
Date: Sat, 28 Dec 2002 12:04:05 -0800
User-agent: Mutt/1.3.28i

How come I can't do this:


files:

        /
                        filter=rootownedfiles
                        mode=-4000      # no SUID for rootownedfiles
                        recurse=inf
                        action=fixall
                        inform=true
                        exclude=/bin/su
                        exclude=/usr/lib/pt_chown
                        exclude=/usr/bin/crontab
                        exclude=/usr/sbin/traceroute
                        exclude=/usr/sbin/fping
                        exclude=/usr/bin/passwd
                        exclude=/usr/bin/su
                        exclude=/usr/bin/at
                        exclude=/usr/bin/sudo
                        exclude=/usr/bin/rsh
                        exclude=/usr/sbin/postdrop
                        exclude=/usr/sbin/postqueue
                        syslog=on

...instead I have to do this:

files:

        /usr/bin
                        filter=rootownedfiles
                        mode=-4000      # no SUID for rootownedfiles
                        recurse=inf
                        action=fixall
                        inform=true
                        exclude=crontab
                        exclude=passwd
                        exclude=su
                        exclude=at
                        exclude=sudo
                        exclude=rsh
                        syslog=on

        /usr/sbin
                        filter=rootownedfiles
                        mode=-4000      # no SUID for rootownedfiles
                        recurse=inf
                        action=fixall
                        inform=true
                        exclude=traceroute
                        exclude=fping
                        syslog=on

I'd like cfengine to sweep the entire filesystem in one shot, but don't
want to globally allow any file named sudo or su or crontab in any
directory to have the SUID bit set. Is there a simple way to do it like
in the first (non-working) example?

Of course I can do it with a lot of excludes and a lot of smaller sweeps
of chunks of the filesystem, but I'd like to keep it simple.

TIA
-- 
Nate Campi   http://www.campin.net 

One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C Programs. 
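Added example, not part of the post and not cfengine code: the sweep the poster describes, done in Python with the allowlist keyed on full pathnames rather than basenames. The `by_basename` switch mimics the basename-only exclude style of the second config, so the difference between the two approaches is visible; the sample entries are constructed, and `ALLOWED_SUID` is the poster's own list.

```python
import os
import stat
# Full pathnames the poster wants to leave SUID (taken from his message).
ALLOWED_SUID = {
    "/bin/su", "/usr/lib/pt_chown", "/usr/bin/crontab", "/usr/sbin/traceroute",
    "/usr/sbin/fping", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/at",
    "/usr/bin/sudo", "/usr/bin/rsh", "/usr/sbin/postdrop", "/usr/sbin/postqueue",
}

def is_root_suid(uid, mode):
    """True for a regular file owned by root (uid 0) with the setuid bit set."""
    return uid == 0 and stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def unexpected_suid(entries, allowed=ALLOWED_SUID, by_basename=False):
    """Return root-owned SUID paths from (path, uid, mode) entries that are not allowed.
    by_basename=True mimics a basename-only exclude: any file called 'su' is skipped
    wherever it lives, which is exactly the hole the poster wants to avoid."""
    names = {os.path.basename(p) for p in allowed}
    flagged = []
    for path, uid, mode in entries:
        if not is_root_suid(uid, mode):
            continue
        ok = os.path.basename(path) in names if by_basename else path in allowed
        if not ok:
            flagged.append(path)
    return sorted(flagged)

def walk_entries(root="/"):
    """Yield (path, uid, mode) for every file under root; lstat so symlinks are not followed."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            yield os.path.join(dirpath, name), st.st_uid, st.st_mode

# Constructed sample entries standing in for a real filesystem walk.
SUID_ROOT = stat.S_IFREG | stat.S_ISUID | 0o755
SAMPLE = [
    ("/usr/bin/sudo", 0, SUID_ROOT),              # legitimately SUID, on the allowlist
    ("/usr/bin/ls", 0, stat.S_IFREG | 0o755),     # root-owned but not SUID
    ("/tmp/su", 0, SUID_ROOT),                    # SUID copy with an allowed basename
    ("/home/nate/tool", 1000, SUID_ROOT),         # SUID but not root-owned
]

if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE):          # use walk_entries("/") on a live host
        print("unexpected root-owned SUID file:", path)
```

With full-path matching only `/tmp/su` is reported; with `by_basename=True` it is silently accepted because a file called `su` is allowed anywhere.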
